Deployment Solution

OK, We have Regional Support Staff at each of our divisions / Sites.  We have security roles, which scope these regionals to their Sites.  Each site is also an OU in AD, so we have scoped each regional to only be able to see / image/ push software etc to PCs in their OUs / Sites.  Makes sense.

When our regionals receive new PCs, they get imaged and added to AD via a script that runs while in WinPE, after the image has been dropped.  Once a day the AD import runs and the PC is then known to Altiris as being in the correct OU (in Altiris) and thus within the scoping of each regional that has access to that OU.

The problem lies between the time the agent checks in and becomes a known PC to altiris and the AD import.  Scoping says they can only send jobs to PCs in their OUs, but that PC doesn't reside in their OU until the AD import into Altiris. So, the Regional can't do anything to that PC until the next day, once it is imaged.

So, where do new PCs exist in Altiris, so that I can assign our Regional Security Roles rights to that place?  Or how do I tell Altiris to put new machines in a certain OU until the AD import tells Altiris where the PC actually resides?

If you need more info, just let me know.

Hi,

new computer resources reside in the Default View (in special in All Resources --> Asset --> Network Resource --> Computer). Every computer is in this group. Deleting here, delete the resource from console at all. If you give rights to this group, an employee can see all clients. As you described you don't want this.

To get over your problem use an automation policy to move the clients to the correct group. http://www.symantec.com/docs/HOWTO9624

You can do this of course with a task. I guess it's named "Assign to organizational group".

Regards

I will look into the policy solution you provided a link for.  The Assign to Organizational Group task can't be included in the image job, so it isn't a solution for us.  Thank you for this information.

Hi,

yes you are right. The task should be used in the automation policy because in the article is described how to reach it with a sql query. Instead using the sql query use the task.

Regards

So, Following the instructions from the link, I have managed to make it work so that any newly discovered PCs within a certain time are automatically added to a custom OU we created.  However, after the AD import is run, the PC does not get moved to the proper OU.  Any ideas? 

Hi,

is your ad import a delta import or full import. I think there was a problem with the delta import not synching such things like ou movement. The full import should do.

Why don't you automatically add to the correct ou?

Regards

I have tried both the Update Import and Full Import.  Automatically adding to the correct OU would be great.  How do I do that?  We have a script to run in the image job that does this for AD and it works perfectly.  We are having trouble finding the same perfection in Altiris. 

Hi,

so it seems the issue still exists. How is your automation policy working? You meant you move the clients to an ou where the support staff has access to. On which attribute of the client you decide to which ou in AD it should belong to? Maybe you can build an automation policy for each corresponding ad ou?

Regards

We setup the automation policy to identify any PCs discovered within a certain time period.  We have used in the last day and also tried within a couple hours.  Then take those PCs and put them in a custom OU we created.  This seems to work just fine.  It wouldn't let us put them in an OU within the Active Directory Domain section of Manage - All Resources.  This is where the AD import occurs.  We are fine with this because we can just allow our Regionals access to the custom OU.

The AD import runs once a day, so it would be great if the PC was moved from the custom OU to the proper OU that it resides in, in AD. It did this before, except the Regionals did not have rights to the PC.

At first the Automation Policy was set to find those new PCs discovered in the last couple hours.  Once the PC has been discovered for more than a couple hours and the policy ran again, the policy would take it out of the custom OU.  We then changed it to within the last day.  This way it stays in the custom OU until the AD import occurs.  However, the AD import didn't move the PC.  Over the weekend the PC got moved to the correct OU, but also resides in the Custom OU.  I am assuming the AD imports that ran over the weekend made this change, but why it now resides in two OUs, I have no idea. And why the import didn't work and then worked? Beats me.  The PC no longer meets the criteria of being discovered in the last day, but it's still in the custom OU, as well as the correct OU.

There has to be a better way of doing this. It seems like a pretty simple thing.  Why can't I tell Altiris "Hey, this PC you just sent an image job to,....put it in this OU."

you can - make it a part of the job that images the PC.  next task after imaging before booting to production - put in this OU.  Bam.

Which task can I put in the image job to put the PC in the desired OU?