Applications / Security Group Membership

  • Question

  • I have a few tasks I would like to automate in my task sequence on MDT 2010 Update 1. Any feedback or recommendations would be helpful...

    Applications

    I have a set of applications which are common to both laptops and desktops. These are deployed using an application bundle. I would like to be able to do one of two things:

    1. Have the ability to choose additional applications as part of the wizard
    2. If possible, have MDT detect the machine is a laptop, either by WMI or computer name (all laptop names end with the letter "L"), and deploy a set of applications if these conditions are met

    Security Groups

    We also have a couple of security groups that desktops and laptops need to be members of. This is currently a manual task and therefore prone to be missed. As above, is it possible for MDT to recognize whether the machine is a laptop or desktop, then add the computer account to a predetermined list of security groups?

     

    Thursday, January 27, 2011 11:48 AM

Answers

  • Hi, there are many ways to do this. I'll show you how to do it in the Task Sequence or with the customsettings.

    In the following example, I add your applications and security group using the cs:

    [Settings]
    Priority=ByDesktopType, ByLaptopType, Default
    Properties=MyCustomProperty

    [ByDesktopType]
    Subsection=Desktop-%IsDesktop%

    [ByLaptopType]
    Subsection=Laptop-%IsLaptop%

    [Desktop-True]
    Administrators1=Domain\Helpdesk1
    MandatoryApplications001={eb94a413-e4e0-46ec-a0ba-4137a6d8bb29}

    [Laptop-True]
    Administrators1=Domain\Helpdesk2
    MandatoryApplications001={eb94a413-e4e0-46ec-a0ba-4137a6d8bb29}

    [Default]
    OSInstall=Y

    But you can also do this in the Task Sequence. You can create a bundle of applications for laptops and desktops, then add an Install Application action in the properties of your TS, make a WMI query for that, and use the GPO to add your security group.


    Revue du Geek | Déployer Windows 7 | Améliorer les performances de Windows 7
    Thursday, January 27, 2011 3:01 PM

All replies

  • 1) Add an application to MDT.  Enable it and do NOT hide it.  Make sure the folder that the application is in is selected in your Selection Profile.  This application will show up in the wizard.

    2) MDT creates the following variables: IsLaptop, IsDesktop, IsServer (there may be a few others also).  You can create a task in your task sequence to install the applications.  In the Task, in Options, you can set the Task Sequence Variable IsLaptop to True.  This means it will only run the task if the variable IsLaptop = true.

    You can use the same approach as 2) to run a script to add the computer account to your security groups (Sorry, I do not have a script written for this but it can definitely be done using VBScript).


    Z
    Thursday, January 27, 2011 2:39 PM
  • Thanks for the feedback, I got this working with a PowerShell script that adds the computer account to specified security groups then use "

    PS Script as follows :-

    Run as follows :- powershell.exe -executionPolicy RemoteSigned "%SCRIPTROOT%\ADSecurityGroupAdd.ps1 "[security group name to add machine account to]""

    # Function Find Distinguished Name
    function find-dn { param([string]$adfindtype, [string]$cName)
        # Create A New ADSI Call
        $root = [ADSI]''
        # Create a New DirectorySearcher Object
        $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
        # Set the filter to search for a specific CNAME
        $searcher.filter = "(&(objectClass=$adfindtype) (CN=$cName))"
        # Set results in $adfind variable
        $adfind = $searcher.findall()
       
        # If Search has Multiple Answers
        if ($adfind.count -gt 1) {
            $count = 0
            foreach($i in $adfind)
            {
                # Write Answers On Screen
                write-host $count ": " $i.path
                $count += 1
            }
            # Prompt User For Selection
            $selection = Read-Host "Please select item: "
            # Return the Selection
            return $adfind[$selection].path
        }
        # Return The Answer
        return $adfind[0].path
    }
    $GroupName = $args[0]
    #write-host $GroupName
    $Computer = get-wmiobject win32_computersystem
    $ComputerDN = find-dn "computer" $Computer.name
    $ADSecGroupDN = find-dn "group" $GroupName

    #write-host $computerdn
    #write-host $ADSecGroupDN

    $Group = [ADSI]($ADSecGroupDN)
    $Group.Add($ComputerDN)
    #Members = $Group.member
    #Group.member = $Members+$ComputerDN
    $Group.Setinfo()

    Tuesday, February 8, 2011 1:24 PM
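
A non-interactive variant of the script in the post above, as an added example that is not the poster's code. It looks objects up by sAMAccountName, which is unique per domain, so an ambiguous or missing match fails the step instead of waiting at a `Read-Host` prompt during an unattended build, and it escapes the group name before placing it in the LDAP filter. The function names `ConvertTo-LdapFilterValue` and `Find-UniqueAdsPath` are hypothetical, and it assumes the group is passed by its sAMAccountName.

```powershell
# Added example, not the poster's script. Assumes $GroupName is the group's
# sAMAccountName and the account running the step may write the group's members.
param([Parameter(Mandatory = $true)][string]$GroupName)
$ErrorActionPreference = 'Stop'

# Escape a value for an LDAP search filter (RFC 4515). Backslash goes first so
# the escapes added afterwards are not themselves re-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c').Replace('*', '\2a')
    $Value = $Value.Replace('(', '\28').Replace(')', '\29')
    $Value.Replace([string][char]0, '\00')
}

# Return the ADsPath of the single object that matches, or throw.
function Find-UniqueAdsPath {
    param([string]$ObjectClass, [string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    $filter = '(&(objectClass={0})(sAMAccountName={1}))'
    $searcher.Filter = $filter -f $ObjectClass, (ConvertTo-LdapFilterValue $SamAccountName)
    $results = $searcher.FindAll()
    if ($results.Count -ne 1) {
        throw "Expected one $ObjectClass named '$SamAccountName', found $($results.Count)"
    }
    $results[0].Path
}

try {
    # A computer account's sAMAccountName is its NetBIOS name followed by '$'.
    $computerPath = Find-UniqueAdsPath 'computer' ($env:COMPUTERNAME + '$')
    $groupPath = Find-UniqueAdsPath 'group' $GroupName
    $group = [ADSI]$groupPath
    if ($group.IsMember($computerPath)) {
        # Re-running the task sequence step is harmless.
        Write-Output "$env:COMPUTERNAME is already a member of $GroupName"
    } else {
        $group.Add($computerPath)
        Write-Output "Added $env:COMPUTERNAME to $GroupName"
    }
} catch {
    # Report the failure and exit with code 1.
    Write-Output "ERROR: $_"
    exit 1
}
```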
  • I have two more questions related to this query.

    I am still not able to display a list of applications to manually choose an app as part of the wizard. I have included a copy of my customsettings.ini so if anyone can spot my mistake please let me know.

    I also have different laptop models that need different software. So is there a way I can have MDT detect the model of the laptop, then deploy a specific app if there is a match?

    customsettings.ini

     

    [Settings]
    Priority=Default
    Properties=MyCustomProperty

    [Default]

    SkipProductkey=YES
    SkipAdminPassword=YES
    SkipApplications=NO
    SkipBitLocker=YES
    SkipBitLockerDetails=YES

    OSInstall=Y

    SkipDeploymentType=YES
    DeploymentType=NEWCOMPUTER

    SkipUserData=YES

    SkipTimeZone=YES
    TimeZone=035
    TimeZoneName=Eastern Standard Time

    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US

    ;SkipSummary=YES

    Wednesday, February 9, 2011 4:55 PM
  • Anyone have any suggestions on this, as I still cannot have the wizard show a list of apps and let me manually choose which ones I want to include on the build?
    Thursday, April 7, 2011 8:30 AM
  • I had this same issue - make sure your selection profile includes your applications folder.

    If my answer helped you, check out my blog: DeployHappiness. Subscribe by RSS or email. 

    Tuesday, February 18, 2014 3:55 PM