What is this all about?

I have seen posts on forums quite a few times about this seemingly simple question:
‘I use SMS / SCCM to deploy packages. Should I deploy to the users or to the machines?’
 

Deploying to user collections?

 
It is usually ‘easier’ for the helpdesk and for you to target users: they are the people who will actually use the software, they are in the address book and you meet them at the coffee machine. They also usually remember their own name, while they rarely remember their computer name.
 
The problem arises when you assign software to ‘roaming users’. As long as they keep working on only one machine, all is well: you target the user and the software deploys to this user, which in practice means to his/her machine.
 
Once they start using other machines, the software you assigned to them will start installing on those machines too, and the user can’t stop it from doing so. Since users tend to consider their machine a personal item, they won’t log on to another computer unless they have a problem with their own, or they really have no choice and need to quickly check something. That is usually the worst possible time to start a 30-minute software installation…
 
Another problem is that a user who has a license for a product might use his account to log on to a colleague’s computer so that the software gets installed there too and the colleague can also ‘benefit’ from it.
 

So why not deploy to machine collections then?

 
Well, as stated earlier, it is not that easy to remember which machine is linked to which user (unless the machine name is the same as the user name). If your boss requests a report to see ‘who is using Visio’, a list of computers is probably not what he’s looking for.
For a lot of applications you then end up with duplicate groups: a user group for permissions to access the software, and a computer group to get the package installed.
 
 

Let’s be creative! What about putting a user in a group and still targeting his computer?

 
I want to be able to target users and user groups, as this is much easier.
I don’t want software to be deployed to every computer the user logs on to; I want this to occur only on the user’s primary computer(s).
Here is how to proceed:
 
1. In Active Directory, populate the managedBy attribute of your computer objects so you get a link between the computer and the computer ‘owner’
(this can be done manually or via script).
 
2. SCCM 2007 allows you to add specific Active Directory attributes to your system or user discovery (a).
At the Active Directory System Discovery level I add the attribute managedBy, so that the user who ‘manages’ the computer appears as a property of the system resource.
The value of this property is the full DN of the user (CN=user,OU=myou,DC=mydomain,DC=com).
 
3. In order to map the DN that we get from the managedBy property to a user, we need to add the attribute distinguishedName
at the Active Directory User Discovery level. (Note that the attribute names are case sensitive!)
 
4. Make sure AD discovery runs for both systems and users (check that the properties managedBy and distinguishedName appear in the resource properties).
 
5. Create an Active Directory global group that will hold the users for whom you want to target the software
(let’s call it sms_application for test purposes).
 
6. Create a collection based on the following query (note that you won’t be able to build this type of join in the graphical query editor; paste it directly as the query statement):

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
SMS_R_System.Client from SMS_R_System INNER JOIN SMS_R_User ON
SMS_R_User.distinguishedName = SMS_R_System.managedBy where
SMS_R_User.UserGroupName like "MYDOMAIN\\sms_application"

(Replace MYDOMAIN with your NetBIOS domain name. The backslash between domain and group is doubled because a single backslash is an escape character in WQL string literals; and since no wildcard is used, = would work as well as like.)

7. Add users to the sms_application group. The linked computer(s) should now appear in your collection and will receive the assigned packages. Note that if a user is the managedBy owner of more than one computer, each of those computers will be a member of the collection.

 
I know that the ‘big’ part of the process is updating the managedBy attribute in AD. In my environment, the Description field was being used by the helpdesk to track the computer-to-user association, so I used a PowerShell script to update managedBy from it.
If someone wants it, I can publish it here as an example.
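The script below is an added example for steps 1 and 7 of the procedure above; it is not the post’s own script. It assumes the ActiveDirectory PowerShell module (RSAT), that the helpdesk wrote the owner’s logon name in each computer’s Description field (e.g. "jdoe" or "Owner: jdoe"), and the OU paths and the group name sms_application are placeholders to adapt.

```powershell
# Added example (not the original post's script). Assumes the ActiveDirectory module and
# a Description field holding the owner's sAMAccountName, e.g. "jdoe" or "Owner: jdoe".
# 'OU=Workstations,DC=mydomain,DC=com' and 'sms_application' are assumed values.
Import-Module ActiveDirectory

# Extract the owner's sAMAccountName from a Description value. The character class is
# deliberately strict: the value is later placed inside an AD filter string, and the
# regex prevents a crafted Description from altering that filter.
function Get-OwnerFromDescription {
    param([string]$Description)
    if ($Description -match '^(?:owner:\s*)?([a-z0-9._-]{1,20})\s*$') { return $Matches[1] }
    return $null
}

# Step 1: copy the owner link from Description into managedBy (must be the user's full DN).
function Set-ComputerOwnerFromDescription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = 'OU=Workstations,DC=mydomain,DC=com')   # assumed OU

    $computers = Get-ADComputer -Filter 'Description -like "*"' -SearchBase $SearchBase `
                                -Properties Description, ManagedBy
    foreach ($c in $computers) {
        $sam = Get-OwnerFromDescription $c.Description
        if (-not $sam) { Write-Warning "$($c.Name): cannot parse Description '$($c.Description)'"; continue }
        $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
        if (-not $user) { Write-Warning "$($c.Name): no user '$sam' found"; continue }
        if ($c.ManagedBy -eq $user.DistinguishedName) { continue }      # already linked, nothing to do
        if ($PSCmdlet.ShouldProcess($c.Name, "set managedBy = $($user.DistinguishedName)")) {
            Set-ADComputer -Identity $c -ManagedBy $user.DistinguishedName
        }
    }
}

# Step 7 check: reproduce the collection join on the AD side, i.e. list every computer
# whose managedBy points at a member of the group. Direct members only, like the WQL query.
function Get-CollectionPreview {
    param([Parameter(Mandatory = $true)][string]$GroupName,      # e.g. sms_application
          [string]$SearchBase = 'DC=mydomain,DC=com')             # assumed domain

    # Index computers by owner DN once, instead of one filtered LDAP query per user.
    $byOwner = @{}
    Get-ADComputer -Filter 'ManagedBy -like "*"' -SearchBase $SearchBase -Properties ManagedBy |
        ForEach-Object {
            if (-not $byOwner.ContainsKey($_.ManagedBy)) { $byOwner[$_.ManagedBy] = @() }
            $byOwner[$_.ManagedBy] += $_
        }
    $members = Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $members) {
        if (-not $byOwner.ContainsKey($member.distinguishedName)) {
            Write-Warning "$($member.SamAccountName): no computer has managedBy = $($member.distinguishedName)"
            continue
        }
        foreach ($pc in $byOwner[$member.distinguishedName]) {
            [pscustomobject]@{ User = $member.SamAccountName; Computer = $pc.Name }
        }
    }
}

# Usage: dry run first, then preview what the collection will contain.
Set-ComputerOwnerFromDescription -WhatIf
# Set-ComputerOwnerFromDescription          # apply once the dry run looks right
Get-CollectionPreview -GroupName 'sms_application' | Format-Table -AutoSize
```

Two points worth keeping in mind when running this. First, once collections are built this way, whoever can write managedBy on a computer object effectively decides which software that computer receives, so delegate only that attribute on the workstation OU to the account running the script rather than running it with broad rights, and treat write access to managedBy like membership management of the deployment groups. Second, the preview only reports the group’s direct user members, which matches the UserGroupName join in the query; if you rely on nested groups, check that your user discovery actually exposes that membership before trusting either list.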
 

What advantages do I get from this?

 
1. I can now link existing security groups to software deployment.
Let’s say that users who belong to security group ‘MydomainSAP’ have access to SAP. Of course, without the client being installed, this is useless. Until now, I created a global group in AD, put the computers inside and built a collection based on an AD query to deploy the software. When a new user joined the company, the helpdesk had to add the user account to the permissions group and the computer to the distribution group. Now I can target the security group directly: all the helpdesk has to do is manage this group and link the user to the computer in AD. Bonus: I am now sure that any user who has access to SAP also gets the client, and users who don’t have access won’t get it deployed.
 
2. If a user receives a new computer, the only thing I have to do is put the user in the managedBy attribute of the new computer object. Assigned software deployment will take care of the rest.
 
3. I can use the Active Directory attributes of the user to create my collections.
 
A few examples?
 
  • A new DST patch is to be applied only to users in Australia. Easy! I can now use the Country field of the user to create my collection (or at least my group).
  • I know that Exchange store 1 in storage group 2 on server EXCH01 will be taken offline for a check tonight. Why not take the opportunity to install an add-in to the Outlook client only for those users at the same time, since they won’t be able to use it anyway?
  • By the way, wouldn’t it be nice to send them a mail in advance so they know what’s happening? All I have to do is mail-enable the user group targeted by the collection and send the mail. How would I do that for a group of computers?
  • A group of users needs to bypass the proxy for a specific address that is not published in DNS. I can use the same group to allow the proxy override at network level, deploy a different group policy, and force an entry in the computers’ hosts file.
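As an added example of point 3 (not from the original post), here is the same join with the group predicate swapped for the user’s country, for the Australian DST case above. It assumes that the AD attribute co (the textual country field, e.g. "Australia") has been added to Active Directory User Discovery in the same way as distinguishedName, so that it shows up as SMS_R_User.co; if you prefer the two-letter ISO code, add and match the attribute c (e.g. "AU") instead.

```sql
-- Added example, not from the original post. Assumes the AD user attribute "co" was added
-- to Active Directory User Discovery (like distinguishedName) and has been discovered.
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_R_User on SMS_R_User.distinguishedName = SMS_R_System.managedBy
where SMS_R_User.co = "Australia"
```

Any other user attribute you add to discovery can be used the same way; the join on managedBy is what turns a predicate on users into a set of their primary computers. Remember that a newly added discovery attribute is empty until the next full user discovery has run, so the collection will be empty at first.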

Limitations

The managedBy attribute is not available until the computer is added to the domain, so this cannot be used during OS deployment. I will check if it’s possible to update the attribute in a Task Sequence so the computer gets its applications quickly after install. I also need to test whether it is reset when a computer is reinstalled and joined back to the domain.

If the user has access to an application that requires a license, it would be better to use a different approach, or not to assign the application at all and let the user install it on the computer of his/her choice. One alternative would be to create a primary/secondary computer mapping based on computer properties, but this adds a lot of complexity to the solution.

 

Conclusions

As you see, the benefits can be very interesting. Besides this, you don’t lose anything! You could very well use this type of collection for normal situations, then use computer collections for shared computers, SoftGrid (I mean App-V), Citrix / TS, kiosks, etc.

There is no solution that fits every situation, this one fits very well in my environment but might not be suited to yours.

So as always: test, test, test! This is simply a ‘proof of concept’, and I don’t use it in production for the moment,
but I hope it will be useful for you or give you other ideas of what you can do with SMS/SCCM.

(a) Note that some tools are available for SMS 2003 extended AD discovery that would allow you to get the same results.
