Migration of advertisements targeted at an Active Directory security group

  • Question

  • Hi, we are in the early stages of migrating our environment from SCCM 2007 to SCCM 2012 SP1.

    Our primary method of deploying user-optional advertisements is by adding user accounts to Active Directory security groups, and then building the collection as follows:

    select SMS_R_USERGROUP.ResourceID,SMS_R_USERGROUP.ResourceType,SMS_R_USERGROUP.Name,SMS_R_USERGROUP.UniqueUsergroupName,SMS_R_USERGROUP.WindowsNTDomain from SMS_R_UserGroup where UniqueUsergroupName in ( "CORP\\APP_Adobe Acrobat 9 Professional" )

    Then, the end-user goes to Control Panel -> Add or Remove Programs -> Add New Programs, and picks the apps they want to install.

    SCCM 2012 appears to be quite different.  Now, it appears that the user needs to fire up "Software Center", and click on "Find additional applications from the application catalog".  I'd rather not need to re-train 10,000 users.  Is there a way to have the available apps show up in Add New Programs, the way that everyone's used to seeing it?  As a work-around, I may create a machine-targeting advertisement that will show up in Add New Programs that will inform users of where they need to go.

    I have a 2nd issue as well.  All of our administrative accounts (accounts used by the Help Desk and Deskside technicians) end with a "$", so Bill Smith who works on the Help Desk has an account SMITHB$.  If he logs in using a "$" account, the Application Catalog crashes with a generic HTTP 400 error.  None of our administrative personnel can use the App Catalog!  I am aware that machine accounts end with a $-sign... is this causing confusion for SCCM?

    Thanks,

    Nick.

    Monday, June 10, 2013 4:33 PM

Answers

  • The migration to 2012 is complete, and it went pretty well.

    For point #1, I created a machine-targeted deployment called "_Where did my applications go READ ME" that shows up at the top of the pick list in ADD NEW PROGRAMS.  Some end-users figured it out by themselves, while others called the Help Desk.  I think word is getting around pretty well.  I did get some questions as to why we didn't put out a broadcast e-mail to inform people.  I felt that it would generate more calls to the Help Desk than it would prevent.

    Point #2 was determined to be a non-issue as discussed previously.

    A quick point about 2007 secondary site to 2012 distribution point migration... install CU2!  Package status on my migrated DPs was showing as unknown until we installed CU2.

    Nick.

    Saturday, July 20, 2013 2:02 PM

All replies

  • Some good news on point #2.

    IIS logs were showing: HTTP error 400 – RequestLength

    I dramatically chopped down the number of security groups that the account is a member of, and

    I adjusted the following 2 IIS settings, increasing the defaults by 100x: IIS Manager -> <server name> -> IIS, Request Filtering -> Edit Feature Settings -> Maximum Query Length & Maximum Query String.

    Which of the two above adjustments was the key, I don't know yet, but this defeats an issue that I would consider to be a show-stopper.

    Nick.


    Monday, June 10, 2013 8:34 PM
  • On Point 1, user targeted deployments - these will eventually show up in the Software Center when User Policy retrieval has occurred, but they are instantly available from the web catalog as you have found.

    On Point 2... $ in usernames!? That sounds like it can only be a bad thing and I'd expect some pain from all manner of technologies.


    My Personal Blog: http://madluka.wordpress.com

    Tuesday, June 11, 2013 11:20 AM
  • More on point #2...

    The "$"-suffix on the admin account was not the issue.

    I found that I was a member of a nested Active Directory Security group, which had the effect of adding me to another 400 security groups (as determined by running GPRESULT).  This group was a legacy group that was no longer needed, so I took myself out of it.

    Now it works like a charm.

    Solution: housekeeping.

    Nick.

    Tuesday, June 11, 2013 4:29 PM
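
Added example, not part of the thread: one way to find which directly assigned group pulls in the most nested memberships, as the legacy group described in the post above did. It assumes the RSAT ActiveDirectory module and a single domain; the function names are hypothetical and `SMITHB$` is the sample account name from the question.

```powershell
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter
# (distinguished names can contain backslashes and parentheses).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# All groups that contain $DistinguishedName directly or through nesting.
# The domain controller walks the chain (LDAP_MATCHING_RULE_IN_CHAIN).
function Get-TransitiveGroup {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $dn = ConvertTo-LdapFilterValue $DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
}

# Hypothetical helper: reports, per direct membership, how many groups it adds.
# Limitations: the primary group (e.g. Domain Users) is not listed in MemberOf,
# and groups from other domains are not resolved.
function Get-NestedGroupReport {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $all  = @(Get-TransitiveGroup $user.DistinguishedName)
    Write-Host ("{0}: {1} direct, {2} total groups" -f `
        $SamAccountName, @($user.MemberOf).Count, $all.Count)

    foreach ($groupDn in $user.MemberOf) {
        # Groups this direct group is itself nested into, plus the group itself.
        $parents = @(Get-TransitiveGroup $groupDn)
        [pscustomobject]@{
            DirectGroup   = (Get-ADGroup -Identity $groupDn).Name
            GroupsBrought = $parents.Count + 1
        }
    }
}

# Single quotes keep PowerShell from treating the trailing $ as a variable.
Get-NestedGroupReport -SamAccountName 'SMITHB$' |
    Sort-Object GroupsBrought -Descending |
    Select-Object -First 10
```

Direct groups at the top of the output are the first candidates for the kind of housekeeping described above; the total can be compared with the group list that GPRESULT reports for the same account.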