Our entire build process is built around AD group membership. We use two different OUs. One is called Staging, which is where the device gets the core build of Anti-Virus and Endpoint Control. We then move the machine into a Departmental Based OU, which determines what further software needs to be installed. The tasks are all policy based, which allows you to control bandwidth consumption.
So, for example, a machine is dropped into the Sales OU.
Core syncs with AD (configurable schedule). We have ours set to 20 minutes (we are a fairly small shop ~2500 users). You place the AD based Sales query in the tasks assigned to that department. Again core based schedule. We only have ~800 queries which only take about 16 minutes to complete.
So to summarize:
- Core determines OU membership.
- Departmental query based on OU which is assigned to all required tasks (policies). We put numbers at the beginning of the task names so we can control the order and minimize the reboots required.
- Machine checks for policies, finds all of the policies, and queues them up in task order.
I hope this all makes sense. I can provide some screenshots of how we structured it if you'd like. We used this structure to build all of our machines in our Win7 refresh and it worked almost perfectly.
Hi Novar, thanks for your response.
So rather than having a 'meta-package' made up of smaller packages (as in the OS Deployment Template) and a single targeted security group applied to machines, you have multiple scheduled tasks, one for each software package? Each scheduled task targeting an OU that you place the machine objects into? Correct?
I could do as you have done and have a Staging OU to apply all our core software, and then a specific departmental OU to apply additional software. This would involve moving the machine object several times which I was trying to avoid, but I can live with that.
How do you deal with deploying software to machines at a later date, for example if someone calls in and requests an approved software title that wasn't installed when the machine was initially rolled out?
Some screenshots to show how you configured your setup would be great! I'd really appreciate that, thanks.
Correct. We only move the computer object once. Our build script puts it in the Staging OU and we move it to the Dept OU when it has been assigned.
For the later installs we have AD group based installs. Adobe 9 Pro task is targeted with an AD group called SW-AdobePro9.
Thanks Novar, very helpful, I'll attempt to replicate this.