So if you attended MMS 2010 this year or have been paying attention to what ConfigMgr v.Next will be doing, then you know that User Affinity is a big topic addressed with v.Next. However, you don't have to wait until v.Next to 'affinitive' your users to computers in ConfigMgr (or SMS 2003 for that matter). This series of blogs will show you step by step how to successfully deploy to computers by targeting users (or users' groups).
Part one will demonstrate how to set up a user affinity in ConfigMgr. First, some history -
It has historically been a challenge to identify which computer(s) are primarily used by which user(s). At first SMS administrators relied on "last logon user" to identify who uses a computer, but this had significant problems, as users often log on to systems which they don't commonly use.
I was one of the first to address this problem by writing SLAT (Security Logon Audit Tool) which used security logon events to determine who is the primary user of a system. v1.0 of SLAT I released back in the SMS 2.0 days sometime before 2004. It is very hazy. At any rate, SLAT allowed you to identify who the 'Top' user of a system was.
Well I think someone over there in Redmond liked my idea because in SMS 2003 SP3 (and ConfigMgr) along came 'Top Console User' as part of Asset Intelligence.
So Top Console User works almost identically to SLAT by using the security event logon events to identify the top user(s) of a system. It's built in, so why use SLAT anymore, eh? I don't. Much. Really the only reason to use SLAT is so you can exclude specific users, and I know some organizations do this... but I found another way.
Included in this blog is a new script I wrote which gets the Top Console User and sets it to the 'Registered Owner' in the registry (which is then collected via hardware inventory). This new script can also exclude specific users so your VMware account doesn't become the registered owner on every system... instead the TOP non-excluded account becomes the registered user. I know some will be very happy about this.
So why use Registered Owner for affinity instead of Top Console? Well, after the script sets registered owner, you can adjust it if it happens to be incorrect. You can also migrate it as part of your state migration... sooooo the registered owner MOVES with the user state data to the new system. Why is that good? Well, let's say you have AD Application Groups and the user is in those.... well, when the new system is set for that user and the affinity is there, those supplemental applications are automatically delivered to the new computer (if you have your collections set up right - blog part 2).
So... what you have all been waiting for... here is the script that does all this.
'On Error Resume Next
wscript.echo "Script started"
const HKEY_LOCAL_MACHINE = &H80000002
const domainname = "AD"
const excludedusers = "AD\sluser;"
const organization = "fabrikam"
strComputer = "."
wscript.echo "Connecting to WMI"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
DomainRegisteredUsers = 0
wscript.echo "Querying for Existing Registered User"
Set osItems = objWMIService.ExecQuery("Select * from win32_operatingsystem")
For each osItem in osItems
    wscript.echo ositem.registereduser
    ' Count registered users that already carry the domain prefix
    if ucase(left(ositem.RegisteredUser,len(domainname) + 1)) = domainname & "\" then
        DomainRegisteredUsers = DomainRegisteredUsers + 1
    end if
    csname = ositem.csname
    ' Computers whose name starts with TRN are assigned AD\TrainingUser and the script exits
    if ucase(left(csname, 3)) = "TRN" then
        regvalue = "AD\TrainingUser"
        Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
        strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        wscript.echo "Setting RegisteredUser to: " & regvalue
        oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"RegisteredOwner", regvalue
        oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"RegisteredOrganization", organization & " (primary)"
        ' 100 is the success code the task sequence step is configured to expect
        wscript.quit 100
    end if
next
if DomainRegisteredUsers < objwmismsservice =" GetObject(" impersonationlevel="impersonate}!\\" colitems =" objWMISMSService.ExecQuery(" number =" 0" oreg="GetObject(" impersonationlevel="impersonate}!\\" strkeypath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion" number =" number" regvalue =" ucase(left(objItem.TopConsoleUser," regvalue =" ucase(objItem.TopConsoleUser)" regvalue =" ucase(GetSecondTopConsoleUser)" number =" 0" objwmismsservice =" GetObject(" impersonationlevel="impersonate}!\\" useritems =" objWMISMSService.ExecQuery(" secondtopconsoleuser = "" logonminutes =" 0"> LogonMinutes then
                LogonMinutes = useritem.TotaluserConsoleMinutes
                SecondTopConsoleUser = useritem.SystemConsoleUser
            end if
        end if
    next
    GetSecondTopConsoleUSer = SecondTopConsoleUSer
End Function
wscript.quit 100
So set up that VBScript in a package and then create a task sequence to run it. Why a task sequence? Well, a program/advertisement would work, but all those wscript statements show right up in the task sequence status report! So if you have failures you can easily see what happened. Also... make sure to set up the setregistereduser.vbs as a run command line and remove the 0 and 3010 success codes from the options tab, replacing them with '100'. This way, if the script fails for some reason, you will be able to see it as a failure.
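The selection step this post describes (rank console users, skip excluded accounts, write the winner to RegisteredOwner), as an added PowerShell example rather than the author's VBScript; it generalizes the top/second-top fallback to the highest-ranked non-excluded domain account. The namespace root\cimv2\sms and class SMS_SystemConsoleUser are assumptions about the ConfigMgr client, the function names are hypothetical, and the sample rows are constructed.

```powershell
# Added example, not the post's script. Assumed: ConfigMgr client class
# SMS_SystemConsoleUser in root\cimv2\sms; 'AD' and 'AD\sluser' come from the post.
function Select-PrimaryUser {
    # Highest TotalUserConsoleMinutes among domain accounts that are not excluded.
    # Returns nothing when no account qualifies.
    param([object[]]$Usage, [string]$Domain, [string[]]$Exclude)
    $Usage |
        Where-Object { $_.SystemConsoleUser -like "$Domain\*" } |
        Where-Object { $Exclude -notcontains $_.SystemConsoleUser } |
        Sort-Object -Property TotalUserConsoleMinutes -Descending |
        Select-Object -First 1 -ExpandProperty SystemConsoleUser
}

function Set-RegisteredOwnerFromUsage {
    param([object[]]$Usage, [string]$Domain = 'AD',
          [string[]]$Exclude = @('AD\sluser'), [switch]$Apply)
    $owner = Select-PrimaryUser -Usage $Usage -Domain $Domain -Exclude $Exclude
    if (-not $owner) { return $null }    # nothing qualifies: leave the existing value alone
    $owner = $owner.ToUpper()
    if ($Apply) {
        # RegisteredOwner later drives collection targeting, so only a value that
        # passed the domain and exclusion filters above is ever written.
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        Set-ItemProperty -Path $key -Name 'RegisteredOwner' -Value $owner
    }
    return $owner
}

# Constructed sample rows shaped like SMS_SystemConsoleUser instances.
$sample = @(
    [pscustomobject]@{ SystemConsoleUser = 'AD\sluser';  TotalUserConsoleMinutes = 9000 }
    [pscustomobject]@{ SystemConsoleUser = 'PC01\admin'; TotalUserConsoleMinutes = 5000 }
    [pscustomobject]@{ SystemConsoleUser = 'AD\jdoe';    TotalUserConsoleMinutes = 4200 }
    [pscustomobject]@{ SystemConsoleUser = 'AD\asmith';  TotalUserConsoleMinutes = 300 }
)
Set-RegisteredOwnerFromUsage -Usage $sample    # dry run: selects but does not write

# On a managed client, run elevated against live data and keep the post's exit code:
# $live = Get-CimInstance -Namespace 'root\cimv2\sms' -ClassName 'SMS_SystemConsoleUser'
# if (Set-RegisteredOwnerFromUsage -Usage $live -Apply) { exit 100 } else { exit 1 }
```

Without -Apply the function only reports the account it would write, which makes the exclusion list easy to check before the registry is touched.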
So for Part 2 - How to set up your collections to have computers based on the affinitized registered owner and why to do it that way.
3 comments:
Hi,
Do you have any info about software distribution with vNext? I have MMS videos, but it seems that something is not mentioned there...
Great idea to get top user, but your script does not appear to be complete. Line 44 "if DomainRegisteredUsers < objwmismsservice =" GetObject..." appears to have logic/syntax issues.
Hi Steve
Getting same error
Line 44 chr 60
error: expected 'then'