Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

How to Distribute Software Using AD Groups

Updated: 31 Jul 2008 | 6 comments
Patrick Tyler's picture
Patrick Tyler
Symantec Employee
Accredited
0 0 Votes
Login to vote

In the latest user group meeting, many have asked how a target collection can be created using AD groups for software delivery or other actions. I have found a KB article that tells you how to use SQL criteria to take AD Groups (With Users) and turn them into machine collections for NS policies.

Here is the article for reference: https://kb.altiris.com/article.asp?article=39250&p=1. It is KB article number 39250.

I hope this helps!

Patrick

blog entry Filed Under:
, , , ,
Group Ownership:
Pittsburgh Endpoint Management User Group

Comments

Jason Gallas's picture
31
Jul
2008
0 Votes 0
Login to vote
Jason Gallas

This works great

We have been using this method to deploy software for a while now.

The only downside is that sometimes users may use more than one computer or users may share a computer so if software licensing is an issue you may want to be careful with this one.

It really does save a lot of time though and makes it so that you never have to modify the collection once it is created.

theMike's picture
01
Aug
2008
0 Votes 0
Login to vote
theMike

No Security Groups in Resource Management

Do you do anything special to import your security groups from AD? Looking under Resource Management>Collections>Directory Collections>My Domain I have three folders:

Organizational Units
Organizational Units - Users to Machines
Sites

I can not find where Security Groups - Users to Machines is and am wondering if I am not importing them in our Active Directory import.

Any advice would be appreciated as I would like to take advantage of this for our company. Thanks.

KSchroeder's picture
01
Aug
2008
0 Votes 0
Login to vote
KSchroeder
Trusted Advisor

You need to create a new AD Import rule

Hi theMike,
You need to add an additional AD Import rule. When you define the rule, you want to import User resources from a Source of "Security Groups". Check both boxes for "Create security group collections" and "Match computers with primary users". Define your domain in the first part of the import config, then in the "starting from" part, you can add the groups you want to import.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

toca's picture
21
Jul
2010
0 Votes 0
Login to vote
toca
Accredited

security import

Hi Kyle,

I saw your comment in the post and thought you would be the perfect person to ask.
I have a requirement to report on all user accounts and security groups in AD.
I would like to see security info from users and accounts eg. user A has ADMINISTRATOR rights or user A is in the ADMINISTRATORS security group.

Will i be able to get this info out of the import; I tried  but no cigar.

KSchroeder's picture
22
Jul
2010
0 Votes 0
Login to vote
KSchroeder
Trusted Advisor

Built-in report

toca,
There is a build in report "Count of users with Admin rights" (or something similar to that) in the Inventory reports.  It will allow you (I believe) to dump the membership of all computers' Administrators groups.  This will not however dump all the group memberships of AD groups, unless you import those groups from AD as far as I know.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

cwitter's picture
03
Mar
2009
0 Votes 0
Login to vote
cwitter

Not using primary user

We found the primary user option to be hit or miss. For this reason we're using the asset owner information to assign software to the machine. See below for the sql query. The first query builds the collection for us based upon the user associate. The second query (after the union) allows us to add the computers that were assigned to the group. This enables us to assign a computer to the AD group which works well for computers that are shared or for users that have more then one computer and the software license cost is too expensive software to install on more then one of their computers.

-- Start --

select tag.name, tag.guid from vcomputer tag         
join resourceassociation raown on tag.guid = raown.parentresourceguid and raown.resourceassociationtypeguid = 'ED35A8D1-BF60-4771-9DDE-092C146C485A'         
join inv_security_groups sec on raown.childresourceguid = sec._ResourceGuid         
where sec."Group Name" = 'CN=GROUPNAME,OU=Manufacturer,OU=ALTIRIS,OU=APPLICATION,OU=GROUPS,DC=AD,DC=Domain,DC=COM'   
and tag.guid not in (select _resourceguid from inv_shared_computers share where share."Hotel / Shared Computer" = '1')  
union all    
select tag.name, tag.guid from vcomputer tag    
join inv_security_groups sec on tag.guid = sec._resourceguid    
where sec."Group Name" = 'CN=GROUPNAME,OU=APPLICATION,OU=ALTIRIS,OU=APPLICATION,OU=GROUPS,DC=AD,DC=DOMAIN,DC=COM'

-- Stop --

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
259,054