Help with a query for user groups (Full Version)

All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager





turbokitty -> Help with a query for user groups (6/25/2008 3:13:52 PM)

I'm having trouble getting my brain around user vs computer policy in SCCM.

I can write a query that collects computer accounts in a security group and only advertises to those members.

I'm curious how you could use user accounts in a security group to limit a collection.  How does SCCM handle groups with user accounts?  Can you leverage these groups in a useful way?

Thanks.




turbokitty -> RE: Help with a query for user groups (6/25/2008 5:53:00 PM)

This is a vague question I know.  Is there something online that I can refer to?  I'm not finding anything useful in the CHM.

I'd like to have a deeper understanding of assigning applications to users vs assigning to computers and what queries are required to accomplish this.




turbokitty -> RE: Help with a query for user groups (6/25/2008 6:31:07 PM)

Just to continue this conversation with myself:

For instance, let's say I were to deploy adobe reader to a security group called "adobe_reader".  In that group are 50 user accounts.

Now you configure the application to install when the user is logged off.

Will this even work?  Does it use the last PC that the user logged into?

What if the application is set to install with the user logged on... if the user is logged on to 5 PCs, do they all get the application?

I'm assuming nothing happens to the application if the user is pulled from the group or their profile is pulled from the machine.

I'm sure this is documented somewhere but I'll be damned if I can find it.




skissinger -> RE: Help with a query for user groups (6/25/2008 10:14:18 PM)

Ok, I'll join into your conversation!

First, let me start by saying "don't do it!".  Why, you ask?  Ok, if your collection membership contains User IDs, or it contains the Usergroup, and not resourceIDs of machines, two things will be um... fun... to work around.  First, software is deserved by the user, or the user if they happen to be a member of that usergroup when they logged in.  The machine does not deserve the advertisement, because it is not in the collection.  So you cannot deploy "when no user logged in".  Second, all of those cool tools you may be using to re-run an advertisement simply do not work.  The history of a previously run ad is kept in a different place in WMI if the 'user' deserved the advertisement.  And that place is defined by the SID of the user, so it's um... fun... to find if you want to re-run a user or usergroup-targeted advert.  Third, yes... everywhere that user logs in, the software will install.  With all that said, sure; it's possible to advertise to a collection where the collection contains a usergroup (and the usergroup has usernames), or the collection contains user ids.  We've been doing it for years.  I believe the company I work for, and 1 other person (Stuart W!  how are you?!) advertise to users in a usergroup.

But... guess what project I'm in right now.  I'm ripping all that out, and replacing it.  The collection contains "Machines where the highest ranked user is in the usergroup "whatever"".  It's kind of complex, I know; but I figure it's a step in the right direction.  I want to get them to "Machines in usergroup "whatever"".  I'm not at work as I type this out, so I don't have my template queries in front of me or I'd post them.

I'm using SLAT from systemcentertools.com to get highest ranked user (because I needed a feature it had that Top Console User didn't).  But w/ConfigMgr you could use "Machines where the top console user is in the usergroup "whatever"".  There are some prerequisites you need; like that Top Console User is returning data (you might need a GPO enabled), and user & usergroup discovery running frequently enough, and your collection updates frequently enough--but you can get there.

If you can, though, my next evolution of this master plan is to modify the culture enough that they buy into the fact that "computers have software installed.  Users do not have software installed."  If you can get *that* buy-in, for each of those usergroups that contains a username, change it to their computer name.  Again, set up Discovery (I recommend ESD from systemcentertools.com, if you have a budget) so computers' groups get discovered quickly, and collection updates; and it'll be easy, and close to automated.  It fits all my personal parameters.  It is standard.  Simple.  Automated.
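The two collection shapes described in the reply above ("Machines in usergroup X" and "Machines where the top console user is in usergroup X") as working WQL, previewed against the SMS Provider from PowerShell. This is an added example, not the poster's template queries; the site server name SITESERVER, site code XYZ, domain CONTOSO and group adobe_reader are placeholders, and the handling of joined results as generic objects with an embedded SMS_R_System is based on how the SMS Provider returns join queries, not on anything in the thread.

```powershell
# Added example (not from the thread): run the WQL you would paste into a
# collection query rule against the SMS Provider to see which machines it selects.
# Placeholders: SITESERVER, XYZ, CONTOSO\adobe_reader are made up for this example.
$SiteServer = 'SITESERVER'
$SiteCode   = 'XYZ'
$Namespace  = "root\sms\site_$SiteCode"
# AD discovery records groups as DOMAIN\group; WQL string literals need the backslash escaped.
$GroupName  = 'CONTOSO\\adobe_reader'

# 1) "Machines in usergroup X": the computer account itself is in the AD group.
#    SystemGroupName is filled in by Active Directory System Group Discovery, so the
#    machine joins the collection only after discovery and the collection update run.
$MachineInGroup = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
where SMS_R_System.SystemGroupName = "$GroupName"
"@

# 2) "Machines where the top console user is in usergroup X".
#    TopConsoleUser comes from the Asset Intelligence SYSTEM_CONSOLE_USER inventory
#    class (it needs the logon audit policy, the GPO mentioned above, and the class
#    enabled in sms_def.mof). UserGroupName comes from Active Directory User Discovery.
#    Both values are DOMAIN\user, which is why the subselect compares them directly.
$TopUserInGroup = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_SYSTEM_CONSOLE_USER
  on SMS_G_System_SYSTEM_CONSOLE_USER.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SYSTEM_CONSOLE_USER.TopConsoleUser in
  (select SMS_R_User.UniqueUserName from SMS_R_User
   where SMS_R_User.UserGroupName = "$GroupName")
"@

function Get-CollectionPreview {
    param([string]$Query)
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $Query |
        ForEach-Object {
            # Join queries come back as generic objects carrying one embedded object
            # per class; a plain SMS_R_System query returns SMS_R_System itself.
            $sys = if ($_.PSObject.Properties['SMS_R_System']) { $_.SMS_R_System } else { $_ }
            New-Object PSObject -Property @{ ResourceId = $sys.ResourceId; Name = $sys.Name }
        }
}

Write-Host "Machines whose computer account is in $GroupName"
Get-CollectionPreview $MachineInGroup | Format-Table ResourceId, Name -AutoSize

Write-Host "Machines whose top console user is in $GroupName"
Get-CollectionPreview $TopUserInGroup | Format-Table ResourceId, Name -AutoSize
```

Query 1 is the "computers have software installed" model from the reply: membership is decided by the machine's own group, so "install when no user is logged on" works and the advertisement history lives in the machine's part of WMI. Query 2 is the transitional form; it still depends on inventory having reported a top console user, so a freshly built machine will not match until Asset Intelligence data arrives.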




turbokitty -> RE: Help with a query for user groups (6/26/2008 1:01:16 PM)

Thanks for the reply.

I agree with everything you're saying.  I have a deep background in software distribution but I'm new to SCCM.  I also think that applying policy to users is always a bad idea unless you're using a product like Softgrid.

It's shocking to me that SCCM can't leverage security groups to deploy software.  My original approach was to use groups and computer accounts to manage this, but I've read in many places that there's no elegant way to make this happen without a considerable delay.

It looks like we have to make collections based on an OU or some WMI property and then just wait.  For one-offs where a user is calling in needing an advertisement right away, I think we'll have to use the 3rd party "SMS Client Center".





skissinger -> RE: Help with a query for user groups (6/26/2008 2:54:18 PM)

What do you interpret as a "considerable delay"? 

And what were you thinking of w/ SMS Client Center (Roger Zander's tool, correct)?  If you mean using a local policy to trigger a SW install, that can be tricky to maintain.  I've never tried it, so I might be completely wrong, but when I looked into it there were too many variables to maintain for me.




turbokitty -> RE: Help with a query for user groups (6/26/2008 3:09:57 PM)

This is where we'd like to be:
Software controlled through AD security groups.  If a user requests an app, just add their computer account to the appropriate group.  Then the software should begin installing while the user is still on the phone with the helpdesk.

That's the ideal.  Many products can do that, so I assumed SCCM could too.  From what I've read, this approach would require a very short interval on the discovery process, a collection refresh and a policy refresh on the machine.  There doesn't seem to be a simple way of doing this without scripts and hammering the domain controller every time you want to deploy an app.

The security groups won't seem to work, so I'm thinking of giving the Helpdesk access to add direct membership to collections (only).  Then using the tool I mentioned earlier (yes, Zander's), it seems they can handle the policy refresh on the target machine.

Do you see an issue with that approach or have any ideas?  Thanks.




skissinger -> RE: Help with a query for user groups (6/26/2008 3:51:46 PM)

Sure, that would work.  You don't mention if your Helpdesk will have the console, but I'd skip the SMS Admin Console for the helpdesk and use Ron Crumbaker's Web Console 3.21 (for now; hopefully v4 is really going to be coming out soon--but it's been in the works for well over a year).  Using Ron's console, you could add direct machine memberships, and also do remote machine policy refreshes.  Although I don't have the advertisement piece of the console implemented in production, I have 70+ techs using Ron's console here.  Everyone loves it.

If I were you... hmm... I'd maybe do both, add the machine via the direct membership, and add it to the AD Group.  Then occasionally go and clear out the direct memberships from the collections.  That way you get the quick install you are looking for, and the group membership long-term simplicity as well.
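The "do both" workflow from the reply above, scripted against the SMS Provider and the client's WMI namespace: add a direct membership rule so the machine gets the advertisement immediately, ask the collection to re-evaluate, trigger the client's machine policy retrieval, and later clear the direct rules once AD group discovery has caught up. This is an added example, not code from the thread or from either web console mentioned; SITESERVER, site code XYZ, collection ID XYZ00010 and machine WKS001 are placeholders, and the use of the collection's lazy CollectionRules property via an explicit Get() is an assumption about SMS Provider behaviour rather than something the thread states.

```powershell
# Added example (not from the thread). Placeholders: SITESERVER, XYZ, XYZ00010, WKS001.
# Needs rights on the SMS Provider to modify the collection and admin rights on the client.
$SiteServer   = 'SITESERVER'
$SiteCode     = 'XYZ'
$Namespace    = "root\sms\site_$SiteCode"
$CollectionID = 'XYZ00010'
$MachineName  = 'WKS001'

# Schedule ID of the client's Machine Policy Retrieval & Evaluation Cycle.
$MachinePolicyScheduleID = '{00000000-0000-0000-0000-000000000021}'

function Get-SiteCollection {
    param([string]$CollectionID)
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Collection -Filter "CollectionID='$CollectionID'"
    if (-not $coll) { throw "Collection $CollectionID not found" }
    $coll.Get()   # CollectionRules is a lazy property; load it explicitly
    return $coll
}

function Add-DirectMember {
    # Step 1 of the reply: direct membership gives the quick install.
    param([string]$CollectionID, [string]$MachineName)
    $sys = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_R_System -Filter "Name='$MachineName'"
    if (-not $sys) { throw "No SMS_R_System record for $MachineName" }
    $coll = Get-SiteCollection $CollectionID
    $rule = ([wmiclass]"\\$SiteServer\$Namespace:SMS_CollectionRuleDirect").CreateInstance()
    $rule.ResourceClassName = 'SMS_R_System'
    $rule.ResourceID        = $sys.ResourceId
    $rule.RuleName          = $MachineName
    [void]$coll.AddMembershipRule($rule)
    [void]$coll.RequestRefresh($false)   # re-evaluate membership now, not on the schedule
}

function Invoke-MachinePolicyRefresh {
    # Step 2: make the client pick up the new advertisement without waiting for its polling interval.
    param([string]$MachineName)
    $client = [wmiclass]"\\$MachineName\root\ccm:SMS_Client"
    [void]$client.TriggerSchedule($MachinePolicyScheduleID)
}

function Remove-DirectMembers {
    # Step 3, run occasionally: drop the direct rules once the AD group (long-term
    # membership) has been discovered, so the query rule alone carries the collection.
    param([string]$CollectionID)
    $coll = Get-SiteCollection $CollectionID
    $removed = 0
    foreach ($r in @($coll.CollectionRules)) {
        if ($r.__CLASS -eq 'SMS_CollectionRuleDirect') {
            [void]$coll.DeleteMembershipRule($r)
            $removed++
        }
    }
    return $removed
}

Add-DirectMember -CollectionID $CollectionID -MachineName $MachineName
Invoke-MachinePolicyRefresh -MachineName $MachineName
# Later, after discovery has run:  Remove-DirectMembers -CollectionID $CollectionID
```

Adding the computer account to the AD group is the part the script deliberately leaves to the normal AD tooling; the point of keeping both is that the direct rule is temporary and the group is the record, so Remove-DirectMembers can be run on a schedule without changing who is entitled to the software.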



