Deploying package to AD security group

  • Question

  • I would like to deploy packages to computers based on AD security group membership. I have therefore created a collection based on a query which selects the required AD security group and have created an advertisement which targets this collection. My understanding (wrong I think now) is that this advertisement will be sent to all members of the security group, i.e. all the computers that have been added to this group.

     

    This does not appear to work. The advertisement does not get sent to the computers which are members of the security group. What am I doing wrong?

    Wednesday, April 2, 2008 2:27 PM

Answers

  • If you are using Active Directory Security Group discovery, then it will not work. That method is only supported for deploying to user groups, not computer groups.

     

    You need to use Active Directory System Group Discovery to discover the system groups the client is a member of. You can then create collections out of those. The collection members *will* be displayed with this method, so you have to do discovery and then update the collection membership to show the collection members. Then software distribution will work.

     

    Friday, April 4, 2008 3:44 AM
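
A way to check, from the SMS Provider, whether system group discovery has populated SystemGroupName and which computers the site currently sees in the target group. This is an added example, not part of any poster's reply. The server name, site code and group are placeholders, and it assumes the SMS Provider WMI namespace root\sms\site_<sitecode>.

```powershell
# Placeholders, not values from the thread: set these for your site.
$SiteServer = 'SITESERVER'     # machine hosting the SMS Provider
$SiteCode   = 'XXX'            # three-character site code
$Group      = 'DOMAIN\GROUP'   # group name as used in the thread's query

function Get-SystemGroupStatus {
    param(
        [string]$Server,
        [string]$Code,
        [string]$GroupName
    )
    $ns = "root\sms\site_$Code"

    # Every discovered system, with the attribute the collection query filters on.
    $all = @(Get-WmiObject -ComputerName $Server -Namespace $ns `
        -Query 'select Name, SystemGroupName from SMS_R_System')

    # SystemGroupName is multi-valued; it stays empty until system group
    # discovery has recorded the computer's group memberships.
    $populated = @($all | Where-Object { $_.SystemGroupName })

    # WQL string literals need the backslash doubled (DOMAIN\\GROUP).
    $wqlGroup = $GroupName.Replace('\', '\\')
    $members = @(Get-WmiObject -ComputerName $Server -Namespace $ns `
        -Query "select Name from SMS_R_System where SystemGroupName = '$wqlGroup'")

    [pscustomobject]@{
        DiscoveredSystems    = $all.Count
        WithGroupData        = $populated.Count
        MembersOfTargetGroup = @($members | ForEach-Object { $_.Name })
    }
}

$status = Get-SystemGroupStatus -Server $SiteServer -Code $SiteCode -GroupName $Group
$status | Format-List
if ($status.WithGroupData -eq 0) {
    Write-Warning 'No system has SystemGroupName populated: system group discovery data is missing.'
} elseif ($status.MembersOfTargetGroup.Count -eq 0) {
    Write-Warning "No discovered system lists $Group yet; wait for the next discovery cycle, then update collection membership."
}
```

If the member list here is populated but the collection is still empty, the collection membership has not been updated since discovery ran.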

All replies

  • Hey mate :)

    First off, do the computers appear in your collection?

    This is what I use to make queries from AD Security Groups (Yes, there's meant to be 2 \\ between DOMAIN and GROUP)

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SystemGroupName = "DOMAIN\\GROUP"

    In your 'All Active Directory Security Groups' collection, do you see the group you wish to query?

    If either of these isn't happening then you may be having some discovery problems, or perhaps some methods aren't enabled that you require. Let me know about those and we'll see what we can find next! :)

    -Dan
    Thursday, April 3, 2008 1:08 AM
  • Hi Dan, thanks for the response. I'm new to SCCM so might well be doing something dumb, so please bear with me.

     

    Yes, I do see the group I wish to query in the 'All Active Directory Security Groups' collection.

    No, I don't see the computers in my collection.

     

    To my unskilled eye the query I am using is the same as yours but I am not getting the results I expect.

     

    Regarding Discovery Methods I now have all enabled with the exception of Network Discovery which I ran initially and have since disabled.

     

    If I run a query just to select all computers and include systemgroupname as one of the attributes to report, I get a full list of computers but no values populated for systemgroupname.

    So I guess I have missed something somewhere that would collect/populate this attribute.....?

     

    Any further insights most welcome

     

    Neil

     

    Thursday, April 3, 2008 4:14 PM
  • How often do you run discoveries? Specifically the AD System/System Group ones.

    If you add a computer account into an AD group, SMS won't know about the change until another AD System Group discovery runs. Everything works on 'polling'.

    I have my main discoveries set very low (10min) because of the business need (and we're a small site with only 350 clients). For some SMS Admin reactions to polling times..

    http://www.myitforum.com/forums/m_176512/mpage_1/key_/tm.htm#176573

    It might pay to check the log file (adsysgrp.log) and see what is happening in there too.

    Feel free to post logs/screenshots too if you want.

    -Dan

    Thursday, April 3, 2008 9:38 PM
  • Yep, that did it Wally. All working now. Although I think the documentation could be clearer.

     

    Thanks to you and Dan for your assistance.

     

    best regards

    Wednesday, April 9, 2008 10:54 AM
  • You might offer that suggestion in the Documentation forum so the docs team is sure to see it :-)

     

    Glad it is working for you however.

     

    Wednesday, April 9, 2008 4:53 PM
  •  

    So to make it clear even for the slowest of us:

     

    If your collection displays the members of a group, software distribution to those members will work.

     

    If your collection displays just the group name, it will not.

     

    Right?

     

    Morgan

    Wednesday, September 17, 2008 8:52 PM
  • Yes.

     

    Thursday, September 18, 2008 8:35 AM
  • Do you also need to run Active Directory System Discovery along with Active Directory System Group Discovery, to be able to retrieve the computer accounts that are members of the groups? I just started working with SCCM 2007 a few weeks ago and have been reading about the discovery methods and find the topic very confusing. Thanks.
    Thursday, February 23, 2012 4:45 PM