Automatic SCCM Agent Push Install to members of an AD group

    Question

  • In our organisation we have some computers which should not have the SCCM client installed on them (production based). These are often mixed in with other computers within an OU. Is it possible to have a discovery method which instead of pointing to an OU (which in this case would include the computers which should not get the client) points to an Active Directory group? Within this group we would put the computers that we want the client installed on.

    It seems like SCCM is tailored to install the client on all machines and has no way of excluding except by OU or by site boundaries (e.g. subnet). Neither is feasible for our setup. The only alternative we have come up with is to use GPOs to do the deployment. We can have a group of all computers (which we populate via script daily) which has apply group policy right. We then have another group where we add computers which should not have the client. This group has deny apply group policy right so they are blocked from the GPO and therefore do not get the client. One major drawback with this approach is the computers do not take their group membership until a reboot and as the app is an assigned app it needs a reboot anyway, not very convenient.

    I realise our organisation might seem a bit strange but without an effective way of deciding which clients should/should not get the client GPO seems the only way. This seems like a waste as it should be possible to use the auto push within SCCM.
    Wednesday, June 17, 2009 5:56 PM

All replies

  • Hi,

    You can add the computers to the Excluded list on the site server - http://technet.microsoft.com/en-us/library/bb693996.aspx
    Kent Agerlund | http://agerlund.spaces.live.com/blog/
    Wednesday, June 17, 2009 6:12 PM
    Moderator
  • Hi, would this registry hack need to be on the primary and all secondary site servers?

    It seems strange the only way to exclude computers is a registry hack. If I follow this route I would need to script the collection of group memberships to get the list of machines which should be excluded. With this list then dump them into the registry key, I presume I would not need to restart any services or anything.

    I'm not really sure this is offering me any more than the GPO installation method. Is it not possible to just discover computers belonging to an AD group?

    Thanks in advance!

    Wednesday, June 17, 2009 6:21 PM
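
The route described in the post above (collect the members of an AD group and write them to the exclusion list on the site server) could be scripted as follows. This is an added example, not part of the original thread and not Microsoft's code: the group name `SCCM-NoClient` is hypothetical, the registry key and value name are left as mandatory parameters to be copied from the Microsoft article linked earlier in the thread, and it assumes the list is a multi-string value holding one computer name per entry.

```powershell
#Requires -Modules ActiveDirectory
# Run elevated on the site server; -WhatIf shows the change without writing it.
[CmdletBinding(SupportsShouldProcess)]
param(
    # AD group holding the computers that must NOT receive the client (hypothetical name).
    [string]$GroupName = 'SCCM-NoClient',
    # Exclusion-list location, e.g. 'HKLM:\...': take key and value name from the linked article.
    [Parameter(Mandatory)][string]$RegistryKey,
    [Parameter(Mandatory)][string]$ValueName
)

# Resolve nested groups, keep computer objects only, strip the trailing '$' of the account name.
$wanted = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName.TrimEnd('$').ToUpperInvariant() } |
    Sort-Object -Unique)

# An empty result usually means a lookup problem, not "exclude nobody":
# refuse to wipe the list, which would expose every excluded machine to client push.
if ($wanted.Count -eq 0) {
    throw "Group '$GroupName' returned no computers; exclusion list left unchanged."
}

# Current list (empty array if the value does not exist yet).
$current = @((Get-ItemProperty -Path $RegistryKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName |
    Where-Object { $_ })

# -notcontains is case-insensitive, so existing lower-case entries are not reported as changes.
$added   = @($wanted  | Where-Object { $current -notcontains $_ })
$removed = @($current | Where-Object { $wanted  -notcontains $_ })

if ($added.Count -eq 0 -and $removed.Count -eq 0) {
    Write-Verbose 'Exclusion list already matches the group.'
    return
}

# Emit the delta so a scheduled run leaves an audit trail of who entered or left the list.
$added   | ForEach-Object { "+ $_" }
$removed | ForEach-Object { "- $_" }

if ($PSCmdlet.ShouldProcess("$RegistryKey\$ValueName", "write $($wanted.Count) computer names")) {
    Set-ItemProperty -Path $RegistryKey -Name $ValueName -Value ([string[]]$wanted) -Type MultiString
}
```
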
  • Wednesday, June 17, 2009 6:36 PM
  • The AD system group discovery is not going to help in this case. I would create a collection design where I could run Client push based on collection membership. By doing so you can control which computers install the client.


    Kent Agerlund | http://agerlund.spaces.live.com/blog/
    Wednesday, June 17, 2009 6:44 PM
    Moderator
  • If I create a collection membership which has only members which should have the client, how do I push the agent to just that collection? At this point there is no SCCM client installed so I cannot push a software package out. Is there some clever way of setting the auto client push to work on a collection rather than the AD discovery method?

    Am I making any sense?

    Chris.

    Wednesday, June 17, 2009 7:23 PM
  • You just right click the collection and select Install Client. This will initiate a client push in the objects in that collection only.
    Kent Agerlund | http://agerlund.spaces.live.com/blog/
    Wednesday, June 17, 2009 7:25 PM
    Moderator
  • OK, but I will have to do this manually every time, right?
    Wednesday, June 17, 2009 7:27 PM
  • That's right


    Kent Agerlund | http://agerlund.spaces.live.com/blog/
    • Marked as answer by silo999 Friday, June 19, 2009 4:08 AM
    Wednesday, June 17, 2009 7:53 PM
    Moderator