Collection Query trouble for AD installation groups

  • Question

  • Dear SCCM Gurus:


    I'm new to SCCM and have successfully installed it in a test environment.


    I am trying to deploy software (and undeploy) to a test client via an AD Security group.

    The example software is 64 bit, so I'm using AddRemove64

    For that, I have created three collections:

    Software - Installed = Lists all computers which have the software installed


    Software - Missing = Lists all the computers which are an AD group member and don't have the software in AddRemove(64)





    However, once a computer has successfully installed the software, it shows up in all 3 groups!!!

    How is that possible?

    I'm sure it's an easy mistake somewhere.


    I've scoured the internet and found (among other things) this: http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/45c5c1cc-6245-4876-9ea2-89f44ab3b308/


    But it didn't help.

    I've read something about NOT queries because they're array or something, but shouldn't these queries work? I used the design mode to put them together.


    Any help would be appreciated.

    Tuesday, May 29, 2012 11:50 AM

All replies

  • Group 3: (I can only upload 2 images per post)

    Software - Uninstall = Lists all computers that have the software installed and are NOT an AD group member

    Also: This collection is scoped as a subcollection of the Software - Installed collection

    Tuesday, May 29, 2012 11:51 AM
  • You have to use the subselect / not in statement if you want to exclude certain machines: http://myitforum.com/cs2/blogs/jgilbert/archive/2008/07/22/subselect-queries-the-easy-way.aspx.

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, May 29, 2012 12:10 PM
  • Thanks for your reply, Torsten!

    Which one of the queries are you talking about? The ones with the AddRemove table in it?

    Or also the ones with the ad group name?

    Tuesday, May 29, 2012 12:22 PM
  • Torsten,

    what you suggested may have helped on the Software - Missing collection. I'll figure this out on my next test run.

    However, before I test again, I would also like to straighten out the Uninstall group.

    This is what I have now after your last post:


    However, this still doesn't seem to work.

    I assume I have to do the same subquery / not in part for Domain groups to subfilter non-members?

    That's what I tried up there, but so far it isn't working.

    Any idea?

    Tuesday, May 29, 2012 12:42 PM
  • It would be better to paste the WQL query itself instead of screenshots. There's no need for SMS_G_SYSTEM_ADD_REMOVE_PROGRAMS stuff in the query.


    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, May 29, 2012 12:55 PM
  • Ok, I changed the subquery to this:

    Criterion: Subselected Values

    Where: System - Resource ID

    Operator: is not in

    Subselect:

    SELECT SMS_R_System.ResourceID from SMS_R_System WHERE SMS_R_System.SystemGroupName="EKH\\InstTortoise"

    However, it still says the member is in there (and no SQL syntax error).

    Tuesday, May 29, 2012 1:09 PM
  • Out of curiosity - how is your AD Group Discovery configured?


    Jamie Courtes MCTS - SCCM 2007 MCTS - SCCM 2012

    Tuesday, May 29, 2012 10:11 PM
  • How about this...  Instead of trying to solve this specific problem that you've got right now...have you considered that perhaps the goal you're after can be accomplished in different ways?

    Do you really have, or intend to make specific AD security groups for all the apps that you want to deploy?  Is this going to scale for you as you roll it out across your organization? Are you neglecting to take advantage of some of the built in features of SCCM?

    If it were me I'd look at the Detection Methods that are built into the App Model and that's 50% of your trouble right there. Let the App model figure out for you which clients need a program rather than building it into your queries. Also, why not use SCCM collections entirely instead of AD groups. Unless you've already got them all made, I think it would just be easier to make SCCM collections (even static ones that have Direct Membership rules) and add machines to those which you want to be the target of an Install. Unless all your techs have access to add members to these AD groups...I don't see how you're going to successfully roll this out. With SCCM Role Based Administration you can easily assign your techs the rights to add members to SCCM collections and that will get your machines added to the software groups they need to be in.

    Bottom line...maybe back up and re-think this strategy you're trying to put in place here.  It was fine for CM07 but in CM12 there are perhaps better ways to do it.


    Mike...

    Tuesday, May 29, 2012 11:34 PM
  • Thank you everyone for your answers.

    I've figured out now how to properly use the subquery to do what I wanted. Thank you for your elaborate answer, Mike.

    The reason for the linking to AD groups is that we have this building block concept where we build computer objects based on their group membership for things like software, printers, etc, and user objects for permissions, shortcuts, extra policies, etc.

    That way we can "build" computers and users (or groups) to our liking from one central place, with everything else being peripheral.

    Wednesday, May 30, 2012 8:58 AM
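
The subselect / "not in" pattern recommended in this thread, written out as WQL for the "Software - Missing" and "Software - Uninstall" collections; this is an added example, not a query posted by any participant. The group name is the one quoted in the thread, the DisplayName value is a constructed placeholder, and the `--` lines are reader annotations to remove before pasting into the query editor.

```sql
-- SystemGroupName holds one value per group a machine belongs to, so a
-- "is not equal to" criterion matches any machine that has at least one
-- OTHER group. Exclusion is therefore done on ResourceId with a subselect.

-- Collection "Software - Missing":
-- machine IS a member of the AD group AND the software is NOT inventoried.
select SMS_R_System.ResourceId, SMS_R_System.ResourceType,
       SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
       SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "EKH\\InstTortoise"
  and SMS_R_System.ResourceId not in (
        select SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID
        from SMS_G_System_ADD_REMOVE_PROGRAMS_64
        -- constructed placeholder: use the product's Add/Remove display name
        where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName
              like "EXAMPLE-DISPLAY-NAME%")

-- Collection "Software - Uninstall":
-- the software IS inventoried AND the machine is NOT a member of the AD group.
select SMS_R_System.ResourceId, SMS_R_System.ResourceType,
       SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
       SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
  inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
    on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName
      like "EXAMPLE-DISPLAY-NAME%"
  and SMS_R_System.ResourceId not in (
        -- subselect returns every machine that IS in the group
        select SMS_R_System.ResourceId
        from SMS_R_System
        where SMS_R_System.SystemGroupName = "EKH\\InstTortoise")
```

Both queries depend on current data: group membership comes from AD group discovery and the Add/Remove Programs rows from hardware inventory, so a machine moves between the collections only after those have run and the collection has been re-evaluated.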
  • If it were me I'd look at the Detection Methods that are built into the App Model and that's 50% of your trouble right there.

    A little correction: it's not "detection methods", but requirement rules ;-)

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, May 30, 2012 9:24 AM
  • My point with the Detection Methods is that you don't necessarily need to build a collection that tests for "software installed" because SCCM can figure that out for you...  But I guess it depends on what you are going to do with that information.  If you just want to skip installing stuff for machines that already have it installed, or if you want to Uninstall something I still feel a Detection Method is the way to go.

    However, if you're doing something else then a Requirement Rule might be needed.  It's all about the goal I guess.


    Mike...

    Wednesday, May 30, 2012 1:10 PM