Configuring AD groups to be targets of Software Distribution

So, Michael Greene, an Account Technology Specialist out of MN for Education, sent me the following SMS tip that you might find useful. Pretty nice as it allows a way for users of SMS to initiate software distribution simply by adding machines to AD groups which are targets of SMS collections which would have Advertisements targeted to them. For example, you could have a computer group called "Adobe Acrobat v6 Machines" where if you add machines to this group, those machines will install Adobe Acrobat...

GUEST BLOGGER: Michael Greene, Technology Specialist, Microsoft

A common question I hear from customers is how to build a collection in SMS that is based on a group in Active Directory. The process is easy once you have the right things in place.

* Create the group, put at least one managed machine in the group

* Run AD System Group Discovery

* Create a new collection based on a query with criteria – simple value, system resource, system group name, is equal to, <select group name>

* Update and refresh the collection

Technically only the third step is strictly required, since discovery and collection updates also run on their own schedules, but following all four steps is a much more predictable process.

Now, let’s address “the right things in place.” First, Active Directory System Discovery needs to run to discover the computer objects and to create discovery records in SMS. Once AD System Discovery has completed, AD System Group Discovery must run. This is an important step many people overlook. Further, because of the name “System Group Discovery,” many administrators intuitively point ADSGD at the OU where they have staged their groups, and that is the wrong target. Breaking groups out into a separate OU for simple delegation of security is a common practice in the enterprise, which makes this mistake an easy one to make.

As an old teacher of mine used to say, “Know this or you will know nothing!” Active Directory System Group Discovery should be pointing at computer objects already being discovered by SMS. ADSGD discovers extended attributes of computer objects through Active Directory. This includes OU, site, groups, etc. Think of it as looking at the “Member Of” tab in the properties of an object.

Before you build the collection, I recommend you create the group and add at least one machine that will be or has been discovered by SMS as a member. This will simplify the process of building the collection, as I will show later. Execute System and/or System Group Discovery by opening the properties page and checking the box to “Run discovery as soon as possible” and click OK. Wait a few minutes before proceeding, or use Resource Explorer to make sure the group information for the computer object has been discovered.

Now we are ready to build the collection. Create a new collection and give it a name. Create a new query-based membership rule. In the Criterion Properties set “Simple value” and press Select. Use the Attribute Class “System Resource” and Attribute “System Group Name”. In the Operator drop down list select “is equal to” and then click the Values button to see what values have already been discovered by SMS. Having a machine already in the group means the group name will already be available in the drop down so you don’t have to worry about typing it in correctly. Click “OK” to close out of the properties pages.

That’s it. Update the collection, click refresh twice, and you should see every machine in the group show up in the right side of the console. You’ll notice it doesn’t add the group itself to the collection; the individual computer objects are added, so you’ll know right away if one of the machines has not been discovered (for example, if you are only discovering objects from one OU and the computer object was located in the Computers container).
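The same four steps, driven through the SMS Provider (WMI) instead of the Administrator console, as an added example that is not part of the original post. It first runs the Resource Explorer check from the text (has ADSGD actually recorded the group on a discovered computer?), and only then creates the collection and its query rule. The site server name SMSSRV01, site code S01, domain CONTOSO and the group name are assumptions; the RequestRefresh signature is taken from the SMS 2003 SDK and is also an assumption for other versions.

```powershell
# Added example, not code from the original post. Assumed values below:
$SiteServer = 'SMSSRV01'                           # assumed site server
$SiteCode   = 'S01'                                # assumed site code
$GroupName  = 'CONTOSO\Adobe Acrobat v6 Machines'  # assumed DOMAIN\group, as ADSGD stores it
$Namespace  = "root\sms\site_$SiteCode"

# ADSGD stores group names as DOMAIN\Group; in a WQL string literal the backslash
# must be doubled, which is exactly what the console's Values button does for you.
$WqlGroup = $GroupName.Replace('\', '\\')

# Step 1/2 check: does any discovered computer already carry this group?
# This is the information Resource Explorer shows. If nothing comes back, AD System
# Group Discovery has not run yet, or it is pointed at the groups OU instead of the
# computer objects.
$checkQuery = 'select Name, SystemGroupName from SMS_R_System where SystemGroupName = "{0}"' -f $WqlGroup
$found = @(Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $checkQuery)
if ($found.Count -eq 0) {
    throw "No discovered computer is a member of '$GroupName'. Run AD System Group Discovery against the computer OUs first."
}
$found | ForEach-Object { Write-Host "Group already discovered on: $($_.Name)" }

# Step 3: create the collection.
$coll = ([wmiclass]"\\$SiteServer\$Namespace`:SMS_Collection").CreateInstance()
$coll.Name            = 'Adobe Acrobat v6 Machines'
$coll.Comment         = "Members of AD group $GroupName, maintained by AD System Group Discovery"
$coll.OwnedByThisSite = $true
$null = $coll.Put()
$coll.Get()   # re-read the instance so the generated CollectionID is populated

# Link the new collection under the collection root so it appears in the console tree.
$link = ([wmiclass]"\\$SiteServer\$Namespace`:SMS_CollectToSubCollect").CreateInstance()
$link.parentCollectionID = 'COLLROOT'
$link.subCollectionID    = $coll.CollectionID
$null = $link.Put()

# Query-based membership rule: System Resource / System Group Name / is equal to <group>.
$rule = ([wmiclass]"\\$SiteServer\$Namespace`:SMS_CollectionRuleQuery").CreateInstance()
$rule.RuleName        = "AD group $GroupName"
$rule.QueryExpression = 'select * from SMS_R_System where SMS_R_System.SystemGroupName = "{0}"' -f $WqlGroup
$null = $coll.AddMembershipRule($rule)

# Step 4: update the collection (SMS 2003 SDK: RequestRefresh(IncludeSubCollections)).
$null = $coll.RequestRefresh($false)
Write-Host "Created collection $($coll.CollectionID); membership update requested."

# Optional verification: list the computer objects that landed in the collection.
Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
    -Query "select Name from SMS_CM_RES_COLL_$($coll.CollectionID)" |
    ForEach-Object { Write-Host "Collection member: $($_.Name)" }
```

Run it from an account that is an SMS administrator on the site server. One point worth keeping in mind once an advertisement is attached to this collection: membership in the AD group is now the authorization to install software on a machine, so whoever can write the group’s member attribute can trigger that installation. Delegate that group as carefully as you would delegate the right to create advertisements in SMS.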

One last thing before I post. Most of my customers that build collections based on groups do so because they want to administer pushing applications from the Users and Computers MMC rather than through SMS. Nothing wrong with that, but there is some additional thought that should go into this model. The machine must of course be in the collection before SMS will know an advertisement should be included in the machine policy for a client. This means the machine must have been discovered, ADSGD must have completed with the machine in the group, the collection must update, and the client must check for new advertised programs. So if you want to put a machine in a group and have the application pushed out within 45 minutes, you need to have each of these running every 15 minutes. Each process runs on its own timed interval, so the machine could receive the advertisement in just a few minutes, or it could take up to 45 minutes for the three 15-minute processes to complete one after another. Chances are the client policy polling interval is the one you will want to consider leaving longer, since every poll involves actions that generate some network traffic from every client.

That’s it for today. If you are using SMS in Higher Education or a K12 district and would like to share your SMS best practices, contact Kevin to post on this site! Thanks.