Managing Application Installs and Uninstalls with AD Groups Tied to Applications
Hi everyone,
I'm trying to come up with a way to manage application deployment and removal based on user collections that have corresponding security groups in AD. I'm using SCCM 2012 r2.
Historically, I've done the following to deploy applications: -
Create a new application, setting the user experience to install for system.
Create two device collections, one named install and the other named uninstall.
Create two application deployments, one to install (targeted at the install device collection) and one to uninstall (targeted at the uninstall device collection).
Add device to install collection to install application.
To uninstall the application, remove the device from the install collection and add it to the uninstall collection.
That has all been working great but moving forward, I'd like to manage deployment based on user collections. So I've approached this as follows: -
For installations, create a new application setting the user experience to install for user.
Create a security group in AD that corresponds to the new application.
Once SCCM synchronizes with AD and the new group appears under SCCM users, create a new user collection making the security group a direct member of the collection. Set the collection to update incrementally.
Create a required installation deployment for the new application and target it at user collection for the application.
Add a user object in AD to AD security group for the application.
Once everything syncs, the user logged on to a workstation gets the application. Up to here, everything works well.
For uninstalls, I've created an AD security group called Application Uninstalls and made domain users a member.
Once this synchronizes with SCCM, I've created a new user collection called Application Uninstalls and made the security group a direct member of the collection. Again, the collection is set to incremental update.
Create an uninstallation deployment for the new application and target it at the 'Application Uninstalls' collection.
The idea behind the uninstallation is to take advantage of the 'application installation deployments take priority over uninstallation deployments'. Because every user is a member of domain users, if they are not a member of the relevant security group to
have an application installed, then the application is automatically uninstalled. The trouble is, if I remove a user from the AD security group where they get the application, the uninstall deployment isn't kicking in like I would expect and removing the application.
Any thoughts? Is this a logical approach or is it flawed?
Any input appreciated!
Bazzaroo
if I'm reading what you are saying correctly, then has the user logged out and then back on? Since the deployment is to the collection based on group membership, the client would not know that the user is no longer a member of the targeted collection until
the user token has been updated, which happens at log off/log on time.
It does depend on the collection membership - if the collection membership is to the user group, so that the collection member shows the use group, then the log off/log on would be needed.
If the collection membership list displays the individual users, then obviously that collection needs to be updated, AND new policy retrieval at the client so that it knows that it is no longer targeted.
Then, you need an Application Deployment Evaluation Cycle, which is when the client checks to see if apps that are supposed to be installed are.
Wally Mead
Similar Messages
-
Flash installer and uninstaller stays in processes and keeps laptop form going to standby
i have a fujitsu lifebook t-series 4020d and any time in i have to install flash player or inunstall it it stays in processes and makes it so it won't go into standby till you go to task manager and end the process. my brother has the same laptop and the same thing happens to his. just seeing if this bug was reported. hopefully this can be fixed because it is kinda anoying with all these updates that seem to happen.
oh sorry it is winxp tablet edition and firefox 3.6.18. this is not a browser issue though it is a flash installer/uninstaller issue. it should never stay in the processes after it is finished i got the installer and uninstaller from this web site and it does updates when the comptuer is restarted. after the update is done it stays in the processes and when you try and put comptuer to sleep, standby, even shutting down and restarting you have to go to task manager and en the flahs installer it used. if you try to standby,sleep,restart,shutdown it don't do it. as soon as you end the flash process it goes to standby,sleep,restart,shutdown if that bmakes sense. it hangs on the installer.
-
how do i manage multiple users and devices with one apple id without everything showing up on every device?
How to use multiple iPhone, iPad, or iPod devices with one computer
-
Where can I find Installer and uninstaller log files in JSE 6?
Where can I find Installer and uninstaller log files in JSE 6?
For the installer log file, search for Sun_Java_Studio_Enterprise_6_2004Q1_install, or some portion of that.
To find Java ES component product log files, search on Sun_ONE.
You can also search for the timestamp that is part of each log file name. It is of the format MMddhhmm (Month/day/hour/minute)
Refer also to the Troubleshooting chapter of the Installation Guide for additional details on reports and log files used by Java SE -
Run installation and uninstallation program as 32 bit process on 64 bit clients
A silly question but need some more explanation...Can anybody elaborate what this option means and in what conditions this can be used? Does this has to checked all the time?
Run installation and uninstall program as 32-bit process on 64-bit clients
: Use the 32-bit file and registry locations on Windows-based computers to run the installation program for the deployment type.Check out Jason's great post on this topic:
http://blog.configmgrftw.com/configmgr-2012-and-32-bit-application-installers/
Jeff -
MSI Package Software Installations and uninstallations by group policy and sccm
Hi,
I have a domain comprising approx. 30 ADCs, 5000 clients and 50 OUs. Our developers have created a c# Program for fetching some information from client machines and displaying them on their
screen on bootup (presence of 2 particular softwares, antivirus presence and its update date, OS patches updation etc... ). This program(.msi) and .net framework 4.0 is required to be pushed to all client machines. We have SCCM server through which we can
push software to be installed on clients. There are no. of ADCs for controlling different sites and OUs. Now I need to push this msi and .net framework to all clients. Dotnet framework I pushed from SCCM & it is successful.
Till today I have pushed this .MSI package using Group policy software installation settings using a local sharepath & sysvol.
In Local Share path , MSI source is availbale at only one ADC and all clients contact this adc only to install software and its taking very long time to boot.
Using Sysvol share path , MSI Source is available at All ADC and All Clients Contact their Site's ADC to install software.Only Win 7, win 8 machines are getting install and software is not able to install on XP and vista machine. What might be the
problem for xp machine getting it from sysvol path?
The error for XP machines is that Sysvol path is not accessible/ source is not available.
Now I need to have some other fullproof method to apply it. How I need to push this .MSI packages to all sites (ADCs) in my child domain from my PDC.
I want to know the steps & methods for installing & uninstalling this .MSI package using Group policy and SCCM as well.
Thanks for replying...Hi,
Based on your description, I want to confirm whether we have more than one domain. If we have more than domain, it is suggested that we can push the
MSI package from each domain.
Regarding how to use Group Policy to remotely install software, the following article can be referred to for more information.
How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
http://support.microsoft.com/kb/816102/en-us#method1
In addition, you also mentioned how to use SCCM to do this, in order to get better assistance, we can ask help in the following SCCM forum.
System Center Configuration Manager
http://social.technet.microsoft.com/Forums/systemcenter/en-US/home
Best regards,
Frank Shen -
[Solved] Several installs and issues with DHCP issue every time.
Edited: more concise information!
Hi folks,
I was using Arch fine for months but decided to reinstall it fresh at the new year, but since then I have been plagued by connection issues. I install Arch and follow many of the tips found in these Wikis to set it up how I like then install preload and readahead.
Post-Installation Tips
http://wiki.archlinux.org/index.php/Pos … ation_Tips
- LCD filtered fonts
- Disable IPv6 (I use Chorus/NTL and they have a tip for improving Firefox that disables IPv6, so I think that this is not to blame)
Laptop
http://wiki.archlinux.org/index.php/Laptop
- Battery state monitoring utilities (acpi)
- Laptop-mode-toold
- Powernowd
Maximising Performance
http://wiki.archlinux.org/index.php/Max … erformance
- Swapiness
- Mount /tmp to RAM
My internet connection works fine, even when rebooting, but later I turn on my computer and WICD or networkmanager fails on "obtaining IP address. I really think that there is something in one of these tips that is causing this problem, but I am at a loss as to what. Like I say, I was using it happily for many months before these current issues. The only thing I did differently was systematically set up my computer with all the tips detailed above, where as before, I collected these tips over a period of time and did not do them all straight after installation. I have tried rolling back the changes and this has not fixed the issue.
I have had this issue over many reinstalls, using networkmanager or WICD and each time I was hoping that I was doing something wrong. I have an Ubuntu and work Windows laptop that both work fine, so I don.t think it is anything to do with the connection itself.
I am not sure what information you would need so I thought I would post both of these files. If you would like anything else, give me a shout and i can post it.
# /etc/rc.conf - Main Configuration for Arch Linux
# LOCALIZATION
# LOCALE: available languages can be listed with the 'locale -a' command
# HARDWARECLOCK: set to "UTC" or "localtime", any other value will result
# in the hardware clock being left untouched (useful for virtualization)
# TIMEZONE: timezones are found in /usr/share/zoneinfo
# KEYMAP: keymaps are found in /usr/share/kbd/keymaps
# CONSOLEFONT: found in /usr/share/kbd/consolefonts (only needed for non-US)
# CONSOLEMAP: found in /usr/share/kbd/consoletrans
# USECOLOR: use ANSI color sequences in startup messages
LOCALE="en_GB.UTF-8"
HARDWARECLOCK="UTC"
TIMEZONE="Europe/Dublin"
KEYMAP="uk"
CONSOLEFONT=
CONSOLEMAP=
USECOLOR="yes"
# HARDWARE
# MOD_AUTOLOAD: Allow autoloading of modules at boot and when needed
# MOD_BLACKLIST: Prevent udev from loading these modules
# MODULES: Modules to load at boot-up. Prefix with a ! to blacklist.
# NOTE: Use of 'MOD_BLACKLIST' is deprecated. Please use ! in the MODULES array.
MOD_AUTOLOAD="yes"
#MOD_BLACKLIST=() #deprecated
MODULES=(acpi-cpufreq vboxdrv coretemp)
# Scan for LVM volume groups at startup, required if you use LVM
USELVM="no"
# NETWORKING
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
HOSTNAME="laptop"
# Use 'ifconfig -a' or 'ls /sys/class/net/' to see all available interfaces.
# Interfaces to start at boot-up (in this order)
# Declare each interface then list in INTERFACES
# - prefix an entry in INTERFACES with a ! to disable it
# - no hyphens in your interface names - Bash doesn't like it
# DHCP: Set your interface to "dhcp" (eth0="dhcp")
# Wireless: See network profiles below
#Static IP example
#eth0="dhcp"
eth0="dhcp"
INTERFACES=(eth0)
# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
# - prefix an entry in ROUTES with a ! to disable it
gateway="default gw 192.168.0.1"
ROUTES=(!gateway)
# Enable these network profiles at boot-up. These are only useful
# if you happen to need multiple network configurations (ie, laptop users)
# - set to 'menu' to present a menu during boot-up (dialog package required)
# - prefix an entry with a ! to disable it
# Network profiles are found in /etc/network.d
# This now requires the netcfg package
#NETWORKS=(main)
# DAEMONS
# Daemons to start at boot-up (in this order)
# - prefix a daemon with a ! to disable it
# - prefix a daemon with a @ to start it up in the background
DAEMONS=(preload syslog-ng hal wicd @powernowd @laptop-mode @fam @alsa @sensors @readahead-list)
/etc/resolv.conf
# Generated by dhcpcd
# /etc/resolv.conf.head can replace this line
# /etc/resolv.conf.tail can replace this line
Thanks for your help,
Scott
Last edited by ScottArch (2010-02-14 12:30:25)Hey Scott!
I don't know if it is helpful in any way but I have a similar problem with my desktop PC.
I have two ethernet controllers installed and somtimes I had a Ip address assigned and sometimes I didn't.
One which is connected to the router and a 2nd one I use sporadically to connect additional computers.
The dhcpcd would fail to load even if I followed steps suggested from other forum members.
My temporary fix was to run:
# dhcpcd
manually.
If this helps you might consider adding "dhcpcd" at the end of
/etc/rc.d/network
I know it's not really a fix but it helps me to get a working connection whoch otherwise would fail - or work if lucky but i don't like lucky with network/internet ^^ -
Group based on value range and order with in group
Hi All,
I have a scenario like to group record set based on a value set.
Example.
Table data_table has 10 columns of which one column grouping_col can have value from 10 - 100
i have to retreive a report with multiple order by clause with a precondition that
record having grouping_col having 10-50 should be processed first then,
record having grouping_col having 50-60 should be processed next and then so on untill 100.
Is there a way to do this without union funcitonality.Please read the SQL and PL/SQL FAQ:
SQL and PL/SQL FAQ
especially the second question regarding how to post a question on the forums. -
Oracle 10g standard edition installation and problems with logon (help pls)
I installed 10g standard edition, however I got the following two messages during installation:
1) The host IP address can not be determined
2) Missing or Invalid password ...
Eventhough I unlocked all the passwords during install (tiger/scott, sys, system, etc) I can not logon now with none of them ("invalid username/password: logon denied"). I also get "ORA-12170: TNS: Connect Timeout Occured" when trying to lgoon with my email addr and password used for installation.
Please help, this is frustrating. Thx!
P.S> Do I need to input anything in the "Host String" box ?Chances are
1) you are using WIndows of some sort;
2) your machine does not have a static IP address (you are using DHCP);
3) you have not installed the loopback adapter, as desrcibed in the installation document.
You may want to review the Oracle Database 10g (release whichever you are using) "Installation Guide" manual for your operating system again. I think you missed a step. -
DI Server installation and connection with PHP
hello,
We've installed DI Server, started it, but the WSClient file comming with the installation doesn't work.
a) Is the IIS needed for the DIServer to work?
If not, what do I need to do to be able to connect to the DIServer. There's no WSDL file with the DIServer.
b) Do I need to create my own WSDL file and put it on a Web folder?
I say this because I'm trying to connect with PHP to the server and PEARClient from PHP needs an URL (normally the WSDL file) to connect. It's just too confusing and there is no much help in the documentation.
thanks and greetings,
Guillem Barnolas.
www.softime.esDI server provides you a simple COM interface that
accepts SOAP commands and returns you SOAP reply.
The format of these SOAP messages is in the SDK
documentation.
You should build your own web infrastructure on
top of this mechanism. -
ASA5505 and AD with security group
Hello,
i have configured ASA5505 with VPN and with AAA from Active Directory. How i can define Security Group? Now everyone from domain can connect to VPN tunnel. But i need specify users in Security Group in AD.
regards
TomasHi Tomas,
Please see the document /docs/DOC-9361 In this example, you have to replace "radious.25" with "Idap.memberOf"
Let us know if you have any more questions.
Thanks,
Cisco Moderation Team -
How do i manage multiple iPhone and iPads with iCloud?
We have one mac book and have got our ipads and ipones registered using one account. How do we have it so my husbands iphone iclouds with his ipad and my iphone with only my ipad?
Here you go:
http://www.apple.com/icloud/setup/ -
Managing JAVA JDK and JRE with Package Management in Solaris 11.1
I want to manage Java JDK & JRE in an Solaris environment using Package Management I'm currently running Solaris 11.1 in a VMWare host. My current latest Java release is JDK1.7.0_07 and JRE1.7.0_07. I want to upgrade to JDK1.7.0_17 & JRE1.7.0_17 using Package Management. I've tried on several occasions to upgrade to latest release of Java but I have not been successful. Each time I try using the Package Management GUI or use command line they appear to be successful but the new release does not show.
What could I be doing wrong?
ThanksI also learned that the READMEs for the following patches in My Oracle Support also describe the downgrave process:
Patch 18362676: JAVA 6 DOWNGRADE INCORPORATION FOR ORACLE SOLARIS 11.1.15.4.0 AND 11.1.16.5.0
Patch 18362686: JAVA 7 DOWNGRADE INCORPORATION FOR ORACLE SOLARIS 11.1.15.4.0 AND 11.1.16.5.0
-- Alan -
How to share/manage UWL/KM and collaboration with TWO consumer portals?
I'm working with a customer who is configuring a large enterprise landscape consisting of 2 federated portals with the two consumer portals sharing info.
Federated portal A is the primary corporate portal with respective producers.
Federated portal B is a regional producer portal with multiple back end producers.
IF they wish to configure UWL, I realize they can do this on each consumer portal. But how can someone logging into portal A see all their work items from UWL on A and UWL on B without creating two iviews (one for each UWL)? I bascially want to be able to share the UWL from one consumer portal to another. I haven't seen this in any docs, though. Anyone have experience with this?
Likewise, what is the best way to share collaboration rooms and other related services? Should they be configured on the consumer side of each federated portal, and if so - the same question arises - how to share the collaboration data between the two consumers.Hi David,
we faced your first issue some months ago and found out that there is only the possibility to use 2 UWL iViews.
Maybe this has changed in the last releases.
HTH,
Carsten -
Problems with Installation and then with the direct links...
Well.. the problem is that I tried to install flash player, and in the middle of the Download it gets to 47% and says: "The download time has expired" and closes the download and open me in the web explorer to a troubleshooting page... I go to the error selecting the issue of the download and the solution is that I have to download the Flash Player from another page with direct links of the Player and there's the thing... The links are not working...
The page says "The connection was reset". I hope that you can help me with this problem.What operating system and browser would you like to install Flash on?
Maybe you are looking for
-
I have a new company iphone. When setting it up I used a current "family" apple id I created for the children's itouch's. I realized after the fact that all of their contact/content dat is syncing to my business phone. I created a new apple id for th
-
Sending mail attachment as XML file
Hi Experts, I have a XML in an ITAB. I want to send this data as a mail attachment, any body help, if any one have sample code please send me. Thanks, Regards Venkat
-
Variable Offsets are working only partially
Hello experts, at first I thought that an offset I placed on a variable for 0FISCPER was not working. I am trying to do a report which gives me the value of couple of Key Figure "Earnings", for a certain Fiscal Period and this same Period but for the
-
How to review implication of database character set change on PL/SQL code?
Hi, We are converting WE8ISO8859P1 oracle db characterset to AL32UTF8. Before conversion, i want to check implication on PL/SQL code for byte based SQL functions. What all points to consider while checking implications on PL/SQL code? I could find 3
-
JDK with SQL Developer 3.2.20 Not Latest Version 6 Update
SQL Developer Team, Why doesn't the new version 3.2.20.09 have the latest JDK 6 Update 37. It still has Update 35 which has security vulnerabilities. Also, the download web page here http://www.oracle.com/technetwork/developer-tools/sql-developer/dow