User-based Software Delivery
The introduction of Altiris 7 has brought some new and exciting features with it. One of those features is a much improved software delivery system which allows for user-based software delivery.
Our idea was to install software on people's computers based on the primary user of the PC. We could more easily automate installs as well as uninstalls this way. We were looking for a way to easily create groups of users which was also easy to maintain and authoritative. Since we are using Active Directory we have the option to import the structure and deliver software by OU. This is not a bad solution at all assuming the software title in question does not traverse users in multiple OUs, but if it does the setup can start to get tedious. It made more sense to us to use security groups to handle this with a group corresponding to each software title.
Luckily there is an option to import security groups from AD into Altiris. The problem with the supplied method is that it requires adding the desired groups one at a time. Again, this is fine if there are just a few groups, but I do not think many environments have only a few software titles; therefore the process is rather tedious and requires adding and removing groups which are no longer needed.
Ultimately we settled on putting all the groups under a single OU in AD and utilizing the ASDK to import those groups. For us putting the groups in AD makes adding and removing users simpler since every admin has the AD tools installed. This could also be helpful if there is resistance from people with regard to learning the console.
Attached is the script which imports all the groups under a specified OU and creates a filter, not a group, with only the users in AD in that filter. The script processes as follows:
- Connect to OU in AD
- Retrieve list of security groups from that OU
- For each group:
    a) Check for a filter with the same name as the security group. Create the filter if it does not exist.
    b) Delete all users from the existing group. This makes AD authoritative.
    c) Iterate through the list of users in the group and add them to the filter. This part is recursive and will handle nested groups.
    d) Update the filter.
The only dependency is that a rule to import users from AD is established and has run. The script can be run various ways but will require credentials with enough rights to read the necessary information. Domain Admin should be adequate. :-)
I am sure someone can find a use for this other than what we thought. If you do something neat with it let me know as I would be curious. If you have any questions feel free to contact me.
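The processing steps above, sketched as an added example; this is not the attached script and it makes no AD or ASDK calls. The directory is a constructed in-memory dictionary with hypothetical group and user names, the visited set stops a nested-group loop from recursing forever, and unlike step b) the full membership is computed first and the filter contents are then replaced in one assignment.

```python
# Constructed sample data: group name -> direct members (users or nested groups).
DIRECTORY = {
    "SW-Visio": ["alice", "SW-Visio-Contractors"],
    "SW-Visio-Contractors": ["bob", "SW-Visio"],   # nested group that loops back
    "SW-Project": ["carol", "alice"],
    "SW-Empty": [],
}


def resolve_users(group, directory, _seen=None):
    """Return the set of users in `group`, following nested groups.

    `_seen` records groups already visited so a membership loop
    (A contains B, B contains A) terminates instead of recursing forever.
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, []):
        if member in directory:          # member is itself a group
            users |= resolve_users(member, directory, seen)
        else:
            users.add(member)
    return users


def sync_filters(directory, filters, groups):
    """Make each filter match its AD group; return {name: (added, removed)}.

    The new membership is computed in full before the filter is replaced,
    so an error while reading a group never leaves that filter half filled.
    """
    changes = {}
    for group in groups:
        desired = resolve_users(group, directory)
        current = filters.get(group, set())      # missing filter: create it
        changes[group] = (desired - current, current - desired)
        filters[group] = desired                 # AD is authoritative
    return changes


if __name__ == "__main__":
    filters = {"SW-Visio": {"alice", "dave"}}    # constructed: dave left the AD group
    report = sync_filters(DIRECTORY, filters, ["SW-Visio", "SW-Project", "SW-Empty"])
    for name, (added, removed) in report.items():
        print(name, "added:", sorted(added), "removed:", sorted(removed))
```

The `removed` set is the list worth logging on every run, since it shows who lost a software entitlement through an AD group change.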
Comments
Good thinking.
Thanks a lot.
Nice article have some questions
Nice article, but I have some questions you may be able to answer. To automate the installs for the AD group of users you would create a policy for some software and assign the filter. It would then install for all users in the group. I could then create a policy to uninstall the software, but this would remove the software from the entire group. How would I manage individuals easily, i.e. remove from one, not all, and not micromanage the policies? Thanks.
The idea was to compare who has it installed, an inventory, to who should have it installed, the filter, and do the uninstall based on the difference. That allows you to remove users from the AD group and then have the uninstall run at a predetermined time. It will also aid in making sure machines are compliant, if that is a concern, since all unauthorized installs would be repeatedly cleaned up.
Ryan Poag
Campbell & Company, Inc.
If your question has been resolved, please be sure to "Mark as Solution"! Thank you.
Thanks!
We encountered the exact same thing with the security group imports. Thanks for sparing us the trouble of reinventing the wheel =)
Question
How long does it take for the software to get installed on a user's computer once they are added to the right AD group?
-Geo
If you run the script right after you made the changes in your AD, the filters will be updated pretty much immediately. Then it's up to how often your agents check for new policies and what schedule you specified on the Managed Software Delivery.
For example, I have a new employee and they are assigned a new computer and start using it. Are they immediately identified as the primary user of the PC when they log on the first time, and would they therefore get the software they need right away after updating the agent config?
-Geo
If you set up the software installs to run when a user logs in, then it would run immediately. You can force them to be the primary user by logging in repeatedly and updating all the filters, if that is your preference.
Ryan Poag
Campbell & Company, Inc.