Installing Applications Using Active Directory Group Membership

re: Installing Applications Using Active Directory Group Membership

Jake Swason — Wed, 24 Jun 2009 19:09:55 GMT

Daniel - this is exciting and could be a great replacement for role-based deployment scenarios.

I have a question about "all computer accounts pre-created in the domain and added to the relevant application groups." Can you elaborate on this?

I want to create an "Engineering" Task Sequence that will install 3 applications based on AD Group. These 3 Engineer apps are setup so that we can add members to those groups and deploy via ConfgMgr. Can you explain what I need to do to accomplish this?

Thanks!

Jake

re: Installing Applications Using Active Directory Group Membership

Daniel Oxley — Thu, 25 Jun 2009 09:25:05 GMT

Jake,

Nice to hear that you find it useful! Let me elaborate on your question.

In order for the script to work, the groups must already exist in Active Directory. This means that, being being able to deploy a computer, the computer account must have been pre-created (often called pre-staging) in Active Directory. Additionally, the groups need pre-creating for each application, and then the correct pre-created computer accounts added to these groups.

Once done, the script will read the computers hostname, then run an LDAP query to confirm if a computer account with the same name as the hostname belongs to the specified group.

Is that clearer?

HTH,

Daniel

p.s. If you are using ConfigMgr, then you could also deploy applications to groups of computers without the need for my script. I wrote the script with LiteTouch installations in mind.

re: Installing Applications Using Active Directory Group Membership

Jake Swanson — Thu, 25 Jun 2009 16:19:18 GMT

Hi Daniel,

Awesome stuff! So, if I am hearing what I think I am hearing, you're saying that with this solution, before we do a deployment..1) the AD group containing the application needs to exist and 2)The PC name needs to be collected and added as a member to the appropriate AD group?

For example, I have an SMSpkg Group containing my engineering app and I would add the PC name for that machine to this AD group? Is this correct?

Thanks for sharing this stuff...it is great!

Jake

re: Installing Applications Using Active Directory Group Membership

Daniel Oxley — Fri, 26 Jun 2009 09:31:56 GMT

Jake,

I am wondering if you are not quite following me. This solution doesn't use any ConfigMgr groups, nor does it require it. I wrote it for LTI installs, but it would work with ZTI as well. Here is the process:

1.) Create a group in Active Directory

2.) Create a computer account object in Active Directory

3.) Add computer object to group created

4.) Add this solution to MDT and specify the DN for the AD group in the task sequence.

5.) Run deployment.

6.) The app will install if the script finds that the computer account (the one for the computer running the install) belongs to the specified group.

HTH,

Daniel

re: Installing Applications Using Active Directory Group Membership

Dustin Martin — Mon, 13 Jul 2009 19:11:39 GMT

Is it possible to use this solution with the PutEX or Put Methods of the ADSI objects?

I've written a few scripts to test it, and continue to recieve the same "General access denied" errors i recieved when i use a normal ADSI LDAP connection instead of the OpenDSObject method with supplied credentials.

I'm trying to add some build scripts into my process to add PC's to security groups based on make/model and location in some situations (WSUS Policy groups, Wireless policy groups, things like that). I'm assuming a run-as is still going to be required due to the access denied error i'm still recieving, however there are issues with the RUNAS feature in MDT i've found as well. (maybe not newer versions, but my current revision of MDT2008 is somewhat picky it seems)

I've included a quick example: , both Put and PutEx fail with the same error.

Set objSysInfo = CreateObject("ADSystemInfo")

sComputerName = objSysInfo.ComputerName

Set dso = GetObject("LDAP:")

Set objGroup = dso.OpenDSObject("LDAP://mydcname/cn=WSUSGroup,dc=subdomain,dc=domain,dc=com", "dom\user", "password", ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND + ADS_FAST_BIND )

objGroup.Put "member", Array(sComputerName)

objGroup.SetInfo

objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(sComputerName)

objGroup.SetInfo

Thanks,

-Dustin

re: Installing Applications Using Active Directory Group Membership

j_seet — Thu, 05 Nov 2009 06:46:40 GMT

Hi All,

I'm attempting to execute a script with MDT by utilising the existing credentials in cs.ini.

I've got a VB script that will add the AD Group to the computer's (that it's running from) membership and upon next reboot it will install the application. At the moment this will only work when it's logged in with an domain admin account. MDT2010 logs in with the local administrator account when it is deploying. Is there a way to utilize the existing MDT2010 credentials in cs.ini as that already has the credentials inside, and I don't want to be changing credentials in more than one place.

The piece of code i've got so far is:

Set objNetwork = CreateObject("Wscript.Network")

strcomputername = ucase((objnetwork.computername))

' Adds computer to "INSTALL - Java" group

'==========================================================

Const ADS_PROPERTY_APPEND = 3

Set objGroup = GetObject _

("LDAP://cn=INSTALL - Java,ou=Groups,dc=domain,dc=com,dc=au")

objGroup.PutEx ADS_PROPERTY_APPEND, _

"member", Array("cn="&strcomputername&",ou=Computers,ou=_Perth,dc=domain,dc=com,dc=au")

objGroup.SetInfo

Thanks in advance!!

Regards,

Jon

re: Installing Applications Using Active Directory Group Membership

j_seet — Thu, 05 Nov 2009 06:47:17 GMT

Hi All,

I'm attempting to execute a script with MDT by utilising the existing credentials in cs.ini.

The piece of code i've got so far is:

Set objNetwork = CreateObject("Wscript.Network")

strcomputername = ucase((objnetwork.computername))

' Adds computer to "INSTALL - Java" group

'==========================================================

Const ADS_PROPERTY_APPEND = 3

Set objGroup = GetObject _

("LDAP://cn=INSTALL - Java,ou=Groups,dc=domain,dc=com,dc=au")

objGroup.PutEx ADS_PROPERTY_APPEND, _

"member", Array("cn="&strcomputername&",ou=Computers,ou=_Perth,dc=domain,dc=com,dc=au")

objGroup.SetInfo

Thanks in advance!!

Regards,

Jon

re: Installing Applications Using Active Directory Group Membership

Daniel Oxley — Thu, 05 Nov 2009 08:23:09 GMT

j_seet,

Look at the post previous to this one, written by Michael Murgolo. IIRC, he wrote a script that does the same as this one, but retrieves the credentials from the CustomSettings file

re: Installing Applications Using Active Directory Group Membership

j_seet — Fri, 06 Nov 2009 04:31:27 GMT

Hi Daniel,

Thanks for the reply!

I'm just wondering how I could implement Michael's solution into what I'm attempting to do:

Basically, the user chooses which applications to install, and during the install applications task, it simply runs the script that adds the GP group to the computer's account. So it's run from stand-alone MDT. Where/how can I add the call to pull the credentials from the cs file?

I admit that my vbs skills are very amatuer at best

re: Installing Applications Using Active Directory Group Membership

Daniel Oxley — Fri, 06 Nov 2009 09:13:31 GMT

@j_seet

I think Iam missing something... Why not just have the applications in MDT. Then, when the user chooses the apps to install at the start of the MDT process, they will all get installed - this way you won't need to use Active Directory groups to install the applications.

What you want to do seems rather convoluted... I really wouldn't try to do it your way unless you have a very specific reason for it.

Daniel

re: Installing Applications Using Active Directory Group Membership

j_seet — Sat, 07 Nov 2009 04:16:28 GMT

Hi Daniel,

I've opted for this because we want the the software to uninstall if the AD group is taken out of the computer account or falls out of scope (removed from domain etc).

I've trialled your suggestion before but it doesn't allow the flexibility of GP scopes. hope that makes sense

re: Installing Applications Using Active Directory Group Membership

Daniel Oxley — Tue, 10 Nov 2009 10:17:24 GMT

@j_seet

No, my solution will not force the application to uninstall when taking the computer out of a group. In order to achieve that you would need to use something like SCCM in order to handle the application inventory on each machine.

Daniel

re: Installing Applications Using Active Directory Group Membership

j_seet — Wed, 11 Nov 2009 00:45:27 GMT

Hi Daniel,

This is why i'm wanting to install software via a group policy security groups. We don't have SCCM/SMS. I was just hoping that you could help me find a way to get the "install applications" task to add a security group to a computer account.

If not, thanks anyways!

re: Installing Applications Using Active Directory Group Membership

j_seet — Thu, 12 Nov 2009 05:44:53 GMT

Hi Daniel,

Nevermind. I've figured out exactly what I wanted utilizing Ben Hunter's templates. Dude's a genius