[SCCM 2007] SCCM - Linking collections to Active Directory OU's

[mjgreen]

Hi all,

I am just in the process of learning about SCCM and would like some advise please.

I have heard that is possible to link your SCCM collections to your AD OU's so that when I place a computer in a certain OU (say Design technolgy) it automatically picks up the Design Technology specific software package advertisements and installs them.

Has anyone successfully implemented this in a school environment?

I found this guide earlier: Deploy software through AD Groups linked to Collections in SCCM - www.windows-noob.com

Is that what I need to do? Any advise or tips or help would be greatly appreciated!

Thanks all

[Colditzz]

Sort of...
If you want to link to OU's, you'll need to enable the "Active Directory System Group Discovery" and "Active Directory System Discovery" discovery methods.
When the discovery has run (I think you can force it through fairly soon) create collections that use the below as your query statement;

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier ,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYST EM.Client from SMS_R_System where LOWER(SMS_R_System.SystemOUName) like "domain.forest.local/OU/OU/OU"

Where domain.forest.local/OU/OU/OU is the Canonical name of the OU containing your machine accounts - this can be obtained from the 'Object' tab of the OU properties in ADUC.

HTH

[TheScarfedOne]

I was doing it this way, but moved on to using security groups instead. It meant that I didnt have to faff around with my AD structure to change the software lists.

[MatthewL]

Isn't this was collections are for in SCCM?

[mjgreen]

Isn't this was collections are for in SCCM?

I think its fair to say that you can use collections however you want and dont have to have it linked to your AD structure in anyway if you didnt want to. Thanks for the advice Colditzz, I will have a play over the next couple of days and bump this thread if I get any questions.

[TheScarfedOne]

Yes... and no. Take this scenario...

Departmental software - except some rooms are used by more than one subject. Therefore - you want to be able to group the machines and have the right software automatically installed. With OUs this is a pain as you have to faff with the structure and it can get a bit messy. WIth Security Groups - its just add to group and it doesnt matter that where in AD the machines are. You are then using the SCCM collection queries to build the collections based on the AD groups - and advertise software to that collection. We also use partial name filtering too.

[mjgreen]

Thanks guys, think I have it working nicely

I am a bit confused by something though.

I am currently in a test environment so I am constantly reimaging a PC for testing. When the images is complete, it is given a default name by SCCM (something like MININT-EC6D7AAH). I then rename it to "ICT-SPARE-01" and move it to the correct AD OU.

SCCM then finds PC's named both MININT-EC6D7AAH and ICT-SPARE-01. If I look at the properites they both have the same IP address and same MAC address. However, the entry named MININT-EC6D7AHH is the 'live' entry and shows that the client is installed and approved etc (even though this is no longer the PC's actual name).

If I then delete both these entries and reimage the PC, the same happens again.

Hopefully that makes sense!

[Colditzz]

@mjgreen;
Sorry I hadn't replied before, no email notification of updates!

When you image a new machine and install the SCCM client, a GUID is created and assigned to the PC. This is reported to your SCCM server and an entry is created in the Database. When you then rename the machine, it essentially adds another entry into the database! After 30 days (by default) the original record will be marked as obsolete, or you can just delete it from the 'All Systems' collection and force a re-load of all collections to remove it.
For simplicity, set the name of the machine prior to installing the SCCM client.

@the ScarfedOne
The beauty of collections is that you can create them in many different ways, they are just query sets, so link them to OU's if your AD structure is setup to allow this, use Security Group memberships, use direct membership, or any of the above, they are flexible and some methods will suit some more than others!

[mjgreen]

Thanks COlditz, found a great bit of code yesterday that allowed me to name my PC before Windows starts to install, therefore bypassing the issue of old names in the DB.

Thanks very much for all your help

[Colditzz]

No worries :-)

[bart21]

@mjgreen

can you share that code?

thanks

nick

[mjgreen]

@mjgreen

can you share that code?

thanks

nick

Have a look at this:

Script to Prompt for System Name in SCCM OSD « t3chn1ck

I used this guys code