Monday, June 22, 2009 Update – Fellow Deployment Guy Daniel Oxley pointed out to me that this is much more useful if you can pass in an optional username and password. So I have modified the post and the script to allow that. Please note the changes in the function parameters to accommodate this.
It has come up a few times where someone has requested taking actions in a Task Sequence based on the values of attributes on the computer object for the computer in Active Directory, like the computer’s OU or whether the computer is a member of an Active Directory Group. So I created an MDT User Exit script to set properties based on such attributes.
This User Exit script, ComputerADAttributesExit.vbs, has three main functions. Each can be used independently:
- The SetComputerADProperties function will set some or all of the following properties: ComputerDN, ComputerDomainShortName, ComputerDomainDNSName, ComputerForestDNSName, ComputerSiteName, and ComputerOU. It’s doing it with calls inside the function like oEnvironment.Item("ComputerDN") = strComputerDN. The variable ComputerADProperties (shown below) set in CustomSettings.ini is really a throw away (not needed).
- The SetComputerGroupsList function will create a ComputerGroups list item which will contain the distinguishName of each group to which the computer object belongs. This is similar to SetComputerADProperties in that the list item is created in the function code.
- The TestComputerGroup function will return True if the computer is a direct member of the AD group specified in sGroupDN. Otherwise the return value will be False. Using this function calls SetComputerGroupsList. In this case the property like InGroup_GroupName shown below is being set directly in CustomSettings.ini like a standard User Exit property assignment.
Below is a sample CustomSettings.ini show the use of all three:
Properties=MyCustomProperty, ComputerADProperties, ComputerGroupsList, InGroup_GroupName
If using a username and password, the username should be of the form: domain\userid. If you want to use variables for the username and password, they can be used as well. For example, if you want to use the MDT DomainAdmin variables in ComputerADProperties it would look like this:
For using the ConfigMgr Network Access Account it would look like this:
To not use the username and password (current context), pass those parameters as blank:
The properties set by the User Exit script may then be used as conditions in the Task Sequence.
This post was contributed by Michael Murgolo, a Senior Consultant with Microsoft Services - U.S. East Region.