How can I Deploy Applications based on AD security group membership for Computers using a Task Sequence

[anyweb]

The following guide is based upon a post by Daniel Oxley on The Deployment Guys blog where he showed a MDT Task Sequence which could install applications based on Active Directory queries, I have modified the script provided and created a brand new Task Sequence for System Center Configuration Manager 2007. All you have to do is to import the Task Sequence into ConfigMgr and start dynamically installing applications.

 

Note: This post is reproduced as a Webcast here.

 

Ok first of all understand what this does and what you need done in the back-end.

 

What does this do ?

 

The task sequence will set some variables, make a call to Active Directory using a user you define within the task sequence, then based upon the results returned will set another variables value to True or False based on whether a COMPUTER is a member of an Active Directory Security Group. It can loop through this many times to install several applications 'on the fly' during an OSD task sequence, the advantage of this is that the Task Sequence becomes dynamic based upon where the COMPUTER is present in AD.

 

 

In the above Screenshot, the computer XP2 (amongst others) is a member of the FireFox Users Active Directory Security Group. Therefore if we run the Task Sequence (and thus the script) on that computer it will return a value of True for membership of the FireFox Users Active Directory Security Group and therefore the FireFox application will be installed during the Task Sequence dynamically.

 

 

 

 

What does it need ?

 

 

• You must have created some Active Directory Security Groups in AD for the applications you are intending to dynamically install and you should add the computer account to these groups, if the computer is not a member of the Active Directory Security Group then the software will not be installed via the task sequence.
  
• You must have some applications pre-created in SCCM which can install as part of a normal task sequence.
  
• You will need an Active Directory user which we will use to connect to AD to get the info. (I have created a standard user called QueryAd, for security reasons you should only grant this user the appropriate access in Active Directory).
  
• You will need full access to AD to add computers to the selected Active Directory Security Group(s) and to verify the Distinguished Names needed for the Task Sequence Steps.
  
• You will need MDT 2010 integrated with SCCM and you will need to add the custom script CUSTOM_AppInstall.wsf to the scripts folder contained within the MDT2010Files package.
   
  
   
  Once you have added the file you must update the Distribution Points for that package.
  

 

 

 

 

 

 

 

Editing the Task Sequence

 

Ok now that you have what is needed, let's put it into action.

 

Import the following task sequence into SCCM.

 

install APPS for COMPUTER via LDAP - multiapp.xml

 

 

Ok let's go through the Task Sequence Step by Step. If you import the Task Sequence above you'll have all this work done for you and you'll just need to edit your application names/distinguished names/package/program location etc, but below is an explanation of how it all works and what it means.

 

 

 

Set DomUser

Here we set the username for the Active Directory User that we will use to connect to AD to verify if the Computer Account is a member of that Active Directory Security Group.

 

Set DomPassword

Password for the above user. As it's in clear text within the Task Sequence, you will want to set the users permissions accordingly in Active Directory.

 

Set FQDNDC

Set the Fully Qualified Distinguished Name for the Domain Controller, eg: ad1.server2008.lab.local

 

Set NetbiosDC

Set the Netbios name of your DC, eg: ad1

 

Use Toolkit Package

This step is copied from a standard Microsoft Deployment Toolkit Task sequence within SCCM, and as such merely points to the MDTFiles package.

 

FireFox

This is just a group name of the application we want installed.

 

Set ADGROUP

Here we set the Fully Qualified Distinguised Name of the Active Directory Security Group that we want to check in AD. eg: CN=Firefox Users,OU=Applications Group,OU=Inf,DC=server2008,DC=lab,DC=local. To find out how to obtain the Distinguished Name, please read this.

 

query LDAP

Here we actually call the CUSTOM_AppInstall.wsf script from within the previously downloaded MDTFiles package. It will return two possible values, false or true based on whether or not it can find the computer account in the Active Directory Security Group specified in the ADGROUP step above.

 

Install FireFox

This is a standard package installer step (Install a single application) which will point to your chosen application package and the program contained within. If no Program appears in the drop down menu then verify that the Program options below are set:

 

On the Environment tab of the program,

 

* Program can run: whether or not a user is logged on

* Run Mode: Allow users to interact with the program must be UNCHECKED (not selected).

 

On the Advanced tab of the program,

 

* select Allow this program to be installed from the Install Software task sequence without being advertised

 

Note: Click on the options tab and set it as follows, click on the Add condition drop down menu, select Task Sequence Variable, for Variable name enter InstallAPP for Value set True

 

 

 

Download the following:-

 

Here is the CUSTOM_AppInstall.wsf file zipped, Unzip and follow the instructions above to use..

 

CUSTOM_AppInstall.zip

[thrqureshi]

Why do we need "install APPS for COMPUTER via LDAP - multiapp.xml"

 

Is there any script which save the group membership into csv file and than we will use csv files to install applications/group