

Install applications in a task sequence based on AD-Groups

For environments with a lot of applications and User-setups this is perfect.

We have appgroups for all our applications and all users are members of the appgroups they need depending on which applications they have access to.

These appgroups are the same as we use for our application catalog.

First of all, you have to make sure you have these two things working first:

To install these applications in the task sequence, we have a little script that gets all appgroup memberships and creates task sequence variables from them.

#######################################
## Name: Get-AppGroups.ps1           ##
## Version: 1.0                      ##
## Author: Christoffer Stolpestad    ##
## Mail: christoffer[at]sysadmins.no ##
#######################################
 
#Variables - Edit These!
$ReadAccount = "domain\UserName"          # User with AD-ReadAccess "contoso\user1"
$Password = "UserPassword"                # Password (stored in clear text in this script, so use an account with read access only)
$DomainController = "DomainController"    # Domain Controller
$Domain = "Contoso"                       # DomainName the same way you specified it in the SMSTSUDAUsers (http://technet.microsoft.com/en-us/library/hh846243.aspx)
$AppgroupPrefix = "App"                   # Prefix of AppGroups
$RemoveInFront = 3                        # How many characters to remove from the distinguished name. 3 removes the leading "CN="
 
################################################################################################################################
 
#Import the Active Directory module and create the TS Environment
Import-Module ActiveDirectory
$TS = New-Object -ComObject Microsoft.SMS.TSEnvironment
 
 
#Get Username from TS-Var
#PowerShell variable names are case-insensitive, so the read account above needs its own name ($ReadAccount); otherwise this line would overwrite it
$Username = $TS.Value('SMSTSUDAUsers')
$Username = $Username.Substring($Domain.Length+1) #Removes Domain\ from Username
 
#Get AD Group Membership
$PW = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ReadAccount, $PW
$UserGroups = (Get-ADUser $Username -Server $DomainController -Credential $Credentials -Properties MemberOf).MemberOf
 
 
#Create Tables of AppGroups
$AppGroups = @()
Foreach ($Group in $UserGroups) {
    $Group = ($Group.Substring($RemoveInFront)).split(",")[0]
    $Group = $Group.Replace("Users","") # In our case we wanted to remove "Users" From the AppGroup-Name. This can be commented out
    $GroupEntry = New-Object -TypeName PSObject
    $GroupEntry | Add-Member -MemberType NoteProperty -Name Name -Value $Group
    $AppGroups += $GroupEntry
}
 
#Sort out only AppGroups
$AppGroups = $AppGroups | where Name -Like "$AppgroupPrefix*"
 
#Create TS-Variable for each AppGroup
foreach ($App in $AppGroups) {
    $App = $App.Name
    $TS.Value($App) = "True" 
}

What happens here:
Imports the AD module and creates the Task Sequence Environment
Gets the username you provided in your HTA/Frontend and removes “domain\” from the variable
Gets all the user's group memberships from AD
Manipulates the names of the groups and creates a table
Sorts out only the groups with your AppGroupPrefix (As you can see on the picture below, all our appgroups have the “App”-prefix)
Creates a TS-Variable for each group and sets its value to “True”

This is what the variable $AppGroups looks like after running the script (we do not use all these in our TS ;):

http://sysadmins.no/wp-content/uploads/2014/04/PSAppGroups.png
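The name-manipulation step cuts each distinguished name at the first comma and uses whatever is left as a variable name. As an added example (not part of the original script), the function below does the same step but reads the group name up to the first unescaped comma and skips names that would not work as task sequence variables. `ConvertTo-AppGroupVariable`, its parameters and the sample DNs are made up for illustration, and the allowed-character rule is an assumption.

```powershell
# Added example: turn MemberOf distinguished names into task sequence variable names.
function ConvertTo-AppGroupVariable {
    param(
        [string[]]$MemberOf,        # distinguished names as returned in MemberOf
        [string]$Prefix = 'App',    # same role as $AppgroupPrefix in the script
        [string]$Strip  = 'Users'   # text removed from the name, as in the script
    )
    foreach ($dn in $MemberOf) {
        # Read the first RDN up to the first unescaped comma; "\," belongs to the name
        if ($dn -notmatch '^CN=((?:\\.|[^,\\])+),') { continue }
        $name = $Matches[1].Replace($Strip, '')

        # Keep only the app groups
        if ($name -notlike "$Prefix*") { continue }

        # Assumption: only letters, digits, "_" and "-" are accepted in a variable name.
        # Names with spaces or escaped characters are reported instead of being cut short.
        if ($name -notmatch '^[A-Za-z0-9_-]+$') {
            Write-Warning "Skipping group with unsupported characters: $name"
            continue
        }
        $name
    }
}

# Constructed sample input (not real directory data)
$sample = @(
    'CN=App7ZipUsers,OU=AppGroups,DC=contoso,DC=com',          # ordinary app group
    'CN=App\, Legacy Users,OU=AppGroups,DC=contoso,DC=com',    # escaped comma in the name
    'CN=Domain Users,CN=Users,DC=contoso,DC=com'               # not an app group
)
$vars = ConvertTo-AppGroupVariable -MemberOf $sample
$vars

# Inside a running task sequence the names would then be set as in the script:
# $TS = New-Object -ComObject Microsoft.SMS.TSEnvironment
# foreach ($v in $vars) { $TS.Value($v) = 'True' }
```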

Right after the HTA we launch the script to get the group memberships and set the TS-variables

http://sysadmins.no/wp-content/uploads/2014/04/Get-AppGroups-TS1.png

On all the applications we have a condition according to the appgroup name:
http://sysadmins.no/wp-content/uploads/2014/04/7zip2.png

During OSD after the Get-AppGroups step, I opened a CMD-window and tested if the variables had been set.

http://sysadmins.no/wp-content/uploads/2014/04/CMDTSVar.png

And.. There we go!

http://sysadmins.no/wp-content/uploads/2014/04/TSProgress7Zip.png