Use of Global Conditions for Deployments – ConfigMgr 2012
Since the release of ConfigMgr 2012, global conditions have helped support the Application model: we can present the same application to users while limiting, based on criteria, which deployment type is applied.
This works well; however, like everything in its first revision, it can be limited at times, given the limited guidance on what they are actually for.
Below I illustrate a way I have used global conditions to tidy up a very complex deployment that targets machines; it can equally be used for users if adapted.
The Scenario:
I am working at a legal client who have a piece of software that uses the same base MSI, however a number of MSTs produce the end result (4 in fact). Now I could create 4 different applications, each linked to a collection via a deployment, and that would work perfectly fine. In this scenario there are a number of components that make up this application (Drivers, Optional Components etc), so I am looking for a way to trim down the number of Applications/Deployments and keep it tidy whilst utilizing a sophisticated method.
Problem:
I have 1 MSI with 4 MSTs, however the nature of how Applications work is that when AppDiscovery.log runs, the first Deployment Type whose criteria are satisfied is the one that will run. So how do I have all four together in 1 application, in the same way that we could have multiple programs in the same Legacy Package?
Potential Solution: Global Condition
The global conditions are there to determine ‘if’ a deployment type should run, as shown below with an example for Primary Device:
So if we have our flavours of deployment delivered via AD groups, a Global Condition could be used to say ‘if’ machine/user is a member of an AD group it satisfies the requirements!
Great Right?????
The Problem:
At present the official stance coming out of Microsoft is that Global Conditions are not designed for use in this way and that they are a real-time check on whether a deployment should take place. Personally I do not see why this should be any different for this, but please proceed and do your own due diligence on this first.
The Solution:
This is formed of 2 parts. First we need to create a Global Condition which effectively runs a script to pull out what we need. In this case, I want a string of all groups a PC is a member of:
Create a Global Condition named accordingly; set it as a Script/String and make it a VBScript (you could re-write this in PowerShell of course!).
Now the script needs to be entered. This can be done if you have a store for Global Condition scripts you use, or simply write directly into the screen:
The Full Script is listed below. You will need to add in your Domain Short Prefix where highlighted:
*********CODE START*****************
' List the AD groups this computer account is a member of.
' Replace INPUTHERE in GetDN with your domain's short (NetBIOS) name.
Set network = WScript.CreateObject("WScript.Network")
computername = network.ComputerName
getDNvar = GetDN(computername)

' Bind to the computer object using its distinguished name
Set objComputer = GetObject("LDAP://" & getDNvar)
objComputer.GetInfo

' GetEx raises an error when the attribute has no values, so treat that as "no groups".
' Note: the primary group (Domain Computers by default) is not listed in memberOf.
On Error Resume Next
arrMembersOf = objComputer.GetEx("memberOf")
If Err.Number <> 0 Then
    Err.Clear
    arrMembersOf = Array()
End If
On Error GoTo 0

' Build one string of group names; the ConfigMgr requirement rule tests it with "Contains"
grplist = "MembersOf:" & vbCr
For Each strMemberOf In arrMembersOf
    ' Bind to each group by its DN and read its sAMAccountName
    Set objGroup = GetObject("LDAP://" & strMemberOf)
    grplist = grplist & objGroup.sAMAccountName & vbCr
    Set objGroup = Nothing
Next

' The script's output is the string value ConfigMgr evaluates
WScript.Echo grplist

Function GetDN(strName)
    ' Constants for the NameTranslate object
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_1779 = 1
    ' Use the NameTranslate object to convert the NT name of the computer account
    ' (DOMAIN\COMPUTER$) to the Distinguished Name required for the LDAP provider
    Set objTrans = CreateObject("NameTranslate")
    ' Initialize NameTranslate by locating the Global Catalog
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    ' Use the Set method to specify the NT format of the object name
    objTrans.Set ADS_NAME_TYPE_NT4, "INPUTHERE\" & strName & "$"
    ' Use the Get method to retrieve the RFC 1779 Distinguished Name
    GetDN = objTrans.Get(ADS_NAME_TYPE_1779)
End Function
********* CODE END*****************
Once this has been created (test your script first on your PC 🙂 ) you can now reference it in deployment types, as in the example below:
Important note: you MUST use Contains!! This is because the returned value is one string listing every group, and the object may be a member of more than one group. Mine is simply the name of the AD group the machine is part of.
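As an added example that is not part of the original post, here is the same global condition rewritten in PowerShell (the rewrite mentioned above as possible). It looks the computer account up with System.DirectoryServices instead of NameTranslate, so there is no domain prefix to edit, and it goes slightly beyond the post by wrapping each group name in square brackets so that a Contains rule for [App-A] cannot also match [App-A-Test]; the function name and the NOTFOUND sentinel are my own assumptions.

```powershell
# Added example (not the post's own script): PowerShell version of the group-list
# global condition. Assumes a domain-joined machine that can reach a domain controller,
# a ConfigMgr global condition of type Script / String, and requirement rules that use
# the Contains operator against the string this script writes to standard output.

function Get-ComputerGroupString {
    param(
        # Assumed parameter: defaults to the local machine's account name.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Find the computer object by its sAMAccountName (computer accounts end in "$").
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        # No AD object found (DC unreachable or not domain-joined): return a sentinel
        # rather than an empty string, so a Contains rule never matches by accident.
        return 'MembersOf:NOTFOUND'
    }

    # memberOf holds group DNs; the primary group (Domain Computers) is not listed here.
    $names = foreach ($dn in $result.Properties['memberof']) {
        # "/" is a path separator in ADSI paths, so escape it inside the DN.
        $group = [ADSI]("LDAP://" + ($dn -replace '/', '\/'))
        $sam = [string]$group.sAMAccountName
        if ($sam) { "[$sam]" }
    }

    # Each name is wrapped in [ ] so "Contains [App-A]" cannot match "[App-A-Test]".
    return 'MembersOf:' + ($names -join ';')
}

# ConfigMgr reads the script's standard output as the condition's string value.
Write-Output (Get-ComputerGroupString)
```

In the requirement rule, set the operator to Contains and the value to the bracketed group name, e.g. [App-A].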
As I have said above, the ‘official’ statement is that the Global Conditions are not for this purpose, but I feel this adds a very good ‘chink’ in the Application Armoury as the migration away from packages occurs.