myITforum.com Community Forum myITforum.com Community Forum

Home  Forums  Blogs  Live Support chat  Search Articles  Wiki  FAQ  Email Lists  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

All Forums RSS Feed Subscription:


  


Deploying Applications to Users (Using AD Groups)

 
View related threads: (in this forum | in all forums)

Logged in as: Guest
  Printable Version
All Forums >> [Management Products] >> Microsoft Systems Management Server >> SMS 2003 >> Deploying Applications to Users (Using AD Groups) Page: [1]
Login
Message << Older Topic   Newer Topic >>
Deploying Applications to Users (Using AD Groups) - 7/8/2008 11:17:50 AM   
jharter

 

Posts: 251
Score: 2
Joined: 3/30/2005
Status: offline 		Basically we set up our advertisements as such:

Advertisement (no mandatory schedules) ---> Package ---> Collection (Contains an AD Group)
 
Now when users want a specific application, we have our help desk add their user account to the appropriate AD group. This works beautifully except for one thing: I notice that it takes upwards of 3 days or so for the application to appear in their "Run Advertised Programs" list. I thought it would be easy to fix as I figured I would just have to adjust the AD User Discovery to run more frequently (i.e. every hour or so). So I did that and then I run the client's User policy retrieval thinking that it should show up. However, it doesn't.
 
Does anyone know what I need to do to have the advertisements show up in their list more quickly?

_____________________________

Justin Harter | justinharter@hotmail.com
WEBSITE: http://www.momresources.org
BLOG: http://spaces.msn.com/jharter
Post #: 1
RE: Deploying Applications to Users (Using AD Groups) - 7/8/2008 11:23:25 AM   
mp115


Posts: 284
Score: 7
Joined: 3/23/2005
Status: offline 		Running every hour seems like overkill, or it is in my environment at least.  If I did that, I'd have huge overrun issues and the user discovery process wouldn't have time to finish before it came time to launch it again when the hour timer rolled back around.  What does your other discovery timers look like?

(in reply to jharter)
Post #: 2
RE: Deploying Applications to Users (Using AD Groups) - 7/8/2008 11:36:16 AM   
jharter

 

Posts: 251
Score: 2
Joined: 3/30/2005
Status: offline 		Every hour wasn't hurting too bad for us. It only took 10 minutes to run and I thought it would give us the flexibility of adding a user to an AD group and then it would show up in their list within an hour (instead of the 1 day default). Most of the discoveries are default and are set to a day, but like I said, I'm not sure which discoveries (or other background tasks) are required to complete the process. Currently having this discovery run does not speed the process up at all.

_____________________________

Justin Harter | justinharter@hotmail.com
WEBSITE: http://www.momresources.org
BLOG: http://spaces.msn.com/jharter

(in reply to mp115)
Post #: 3
RE: Deploying Applications to Users (Using AD Groups) - 7/8/2008 1:06:42 PM   
skissinger


Posts: 2114
Score: 134
Joined: 9/13/2001
From: Sherry Kissinger
Status: offline 		Because your collection contains an ADgroup, not "resourceids of machines where <some condition>", no matter how often you run discovery, it's irrelevant.  The trigger is the end user has to log off/log back on.  The tokenID (I think that's the right term) indicating what usergroups that user belongs to cannot be added to logged-in credentials in any other way.  After the login, the usergroups attached to the login have changed, and *now* when the client goes and checked the MP for policies, it'll see what's deserved to that user because of the new usergroup.

Try it; add a user to a group, and monitor policyagent & policyevaluator; after a logoff/on, you'll see something in one of those logs about "Usergroup membership changed" (or something like that), and it'll trigger a full evaluation for user- or usergroup-deserved policies.

That logoff/on requirement is one of the reasons I'm moving every collection from being "Domain\Usergroup", to being something like this (note I use SLAT from SystemCenterTools.com, not ConsoleUser).  These collection queries results in the members of the collection being machine resourceIDs--so there's no longer the logoff/on requirement.  It's a compromise, I know.  But see?! I've also got the query for "machines which are a member of the usergroup xxyy".  I'm trying to change the culture here to "machines have software installed.  Users do not."  I think I'm making some progress.

quote:

select SMS_R_SYSTEM.ResourceID from SMS_R_System inner join SMS_G_System_MCS_USERLOGONINFO_1_0 on SMS_G_System_MCS_USERLOGONINFO_1_0.ResourceID = SMS_R_System.ResourceId where SMS_G_System_MCS_USERLOGONINFO_1_0.UserName in (select UserName from  SMS_R_User where UserGroupName = "DOMAIN\\ReallyImportantApp_2008") and SMS_G_System_MCS_USERLOGONINFO_1_0.UserRank = 1

and

select SMS_R_SYSTEM.ResourceID from SMS_R_System where SystemGroupName = "DOMAIN\\ReallyImportantApp_2008"


_____________________________

mofmaster@smsexpert.com (version 2007) | http://www.smsexpert.com | http://www.sccmexpert.com
My Blog
Microsoft MVP - ConfigMgr

(in reply to jharter)
Post #: 4
Page:   [1]
All Forums >> [Management Products] >> Microsoft Systems Management Server >> SMS 2003 >> Deploying Applications to Users (Using AD Groups) Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts



  
Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.359