brpo
Posts: 35
Score: 1
Joined: 8/11/2006
Status: offline
|
Hi I have seen quite a few times post here and on other forums about this seemingly simple question: 'Should i deploy my packages to the users or to the machines ?' It is usually 'easier' for helpdesk and yourself to target users, as they are the persons that will use the software, they are in the address book and you meet them at the coffee machine. The problem arises when you assign software to "roaming users". As long as they keep working on only one machine, all is well, you target the user and the software deploys to this user, which means to his/her machine. Once they start using other machines, the software that you assigned to them will start installing on those machines, and the user won't be able to stop it from doing so. Another problem is that a user which has a license for a product might use his account to log on to a colleague's computer so that he can also 'benefit' from the software. So what about deploying to Machines ? Well, as stated earlier, it is not that easy to remember which machine is linked to which user (unless the machine name is the same as the user name). If your boss requests a report to see 'who is using Visio', a list of computers will probably not be what he's looking after. So let's be creative ! What about putting a user in a group and still target his computer ? Here is how to proceed 1. In Active Directory, populate the managedBy field of your computers so you can link the user to this computer. (this can be done manually or via script) 2. Sccm 2007 allows you to add specific active directory attributes to your system or user discovery (a). At the Active directory System discovery level I add the attribute managedBy (so that the user that 'Manages' the computer will appear. This property is the full DN of the user (dn=user,ou=myou,dc=mydomain,dc=com) 3. In order to map the DN that we get from the managedby property, we need to add the attribute distinguishedName at the Active Directory User discovery level. (Note that the attributes are Case Sensitive !) 4. make sure discovery runs for both systems and users. 5. Create an Active Directory global group that will host the users for which you want to target the software. (let's call it sms_application for test purposes) 6. Create a collection based on this (note that you won't be able to use the query editor for this type of query)
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System INNER JOIN SMS_R_User ON SMS_R_User.distinguishedName = SMS_R_System.managedBy where SMS_R_User.UserGroupName like "MYDOMAIN\\sms_application" (you will need to update the MYDOMAIN with your domain name)
7. Add users to the Sms_application group. The linked computer(s) should now appear in your collection and will receive the assigned packages. Note that if the user has more than one computer, they will all be member of the collection.
I know that the 'big' part of the process is to update the ManagedBy field in AD. In my environment, I had the Description field being used by helpdesk to track the computer to user association. I used a Powershell script to update this.
If someone wants i can publish it here as an example
As always, Test, test, test ! This is simply a "proof of concept", and i don't use it in production for the moment, but i hope it will be usefull for you or give you other ideas of what you can do with sms/sccm
brgds
(a) for those using Sms, there are solutions for 'Extended discovery' that can be used to achieve the same results.
[note: I posted this info also on Ms SCCM forum]
|
Printable Version
Deploy Software to Machine, but based on User groups - 
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread