6 Replies Latest reply on Nov 3, 2009 4:06 PM by Spartan

    LDAP targeted distributions not quite working...

    Spartan Apprentice

      Good Day to all,


      I apologize if this is in the forums but I haven’t been able to find the right answer/fit.


      Let me start by quickly describing my environment in order to see if I’m taking the steps.

      We are a K-12 school with students from Grade 6-12 with notebooks.
      This means we are often re-imaging machines and/or giving out loaners while units are out for repairs.


      In order to make sure a student has his/her required software I need a  way to target the individual and not the machine.
      In order to do this I made a bunch of groups in AD which we can add students into, which should then in turn be installed on the machine.


      The above worked pretty well initially.


      My problem is that the LDAP query in these tasks is not updating.
      I checked my logs and found that the Directory manager is updating every hour, which seems to be true.

      But the machines listed in the task do not update.

      I have tried getting the task to repeat which works but then my distribution starts over.

      To prevent this I tried adding a Detection rule to my package (Which I found out only detects dependent packages).

      So I tried to make a prerequisites query, which sort of works - If the inventory scan is up to date the package fails.

      This is not my desired behaviour for a couple reasons.
      -We can’t tell at a glance if everybody got the package

      -My Inventory scans run every 3 hours but my policies update upon login and every 2 hours.


      I could run Inventory Scans more frequently or place a greater delay on my policies but there has to be a better way. =o)


      Keep in mind that I need this task to automatically deploy again if the software is gone (due to being re-imaged or having a loaner machine).


      Please help me oh great ones...

        • 1. Re: LDAP targeted distributions not quite working...
          Spartan Apprentice

          Perhaps I can shorten this question a little.

          It would be helpful to know what is the best way of preventing software from being redeployed to a machine?
          Is running a query to fail against the best way? (This does not seem like a very elegant exit... Like tripping in the doorway on the way out).

          Or is there a way to use the “Detection” settings on the primary package?


          I use all types of package types... MSI, EXE, Batch and some SWD.

          • 2. Re: LDAP targeted distributions not quite working...
            mrspike SSMMVPGroup

            What delivery method are you using?

            • 3. Re: LDAP targeted distributions not quite working...
              Spartan Apprentice

              Hi James,


              I am using both Policy and Policy-Supported Push depending on how fast I need the deployment to happen, but I'm not married to any method.


              I am using 8.8 with SP3 if it's relevant.

              • 4. Re: LDAP targeted distributions not quite working...
                Spartan Apprentice

                After doing a bunch of testing in my lab environment I have found that everything is working as it should.


                Added a test user to a group in AD and saved a query in directory manager.

                Created a deployment task with a policy based method and targeted my saved query.

                Logged into my test VM a couple of times as this user, did an inventory scan, and confirmed that it picked up on the user, which it did.

                Once my core refreshed his LDAP queries the task got queued up for that machine.

                Updated the policy on my VM and it got the package.

                I reverted my VM, logged on as the test user a couple of times, and did an inventory scan.

                Shortly thereafter the package showed up on my VM.


                But for some reason this is not working as well in my real environment.

                Perhaps I just need to increase the frequency of my inventory scans and policy updates?


                Current settings are:

                Policy updates:

                When user logs on: Max random delay 1 hour

                When IP address changes

                Schedule-driven update: Every 2 hours from 8-16 hours (School hours) M-F

                Filters are set to None

                Additional random delay once all other filters pass: 1 hour.


                Inventory Scanner:

                When IP changes

                Schedule-driven scan:

                Repeat after: 3 hours from 8-16 hours (School hours) M-F

                Filters are set to None

                Additional random delay once all other filters pass: 1 hour.


                Keep in mind these machines:

                Are often just placed into sleep mode.

                Not regularly logged out/into (due to sleep mode).

                On a wireless network.


                I'm trying to find a nice balance of machine performance with some positive deployment results.

                Any ideas?

                • 5. Re: LDAP targeted distributions not quite working...

                  We use a PREREQUISITE query to filter out targets we don't want... remember the Prerequisite query is a listing of what you want to target... it's kind of a boolean nightmare after a while but it seems to work.


                  example attached ...

                        is the PREREQ we put on our Office 2007 TASK... it only targets machines that <> Office 2007.



                  As far as LDAP not updating your target list.. we found a great increase in LDAP targeting accuracy when we started targeting MACHINES instead of users... Our machines are in AD containers just like our users.

                  Now if we can just get our problem children to run inventory every day we're in like flint.


                  Netgear HUBS, "Miniscan" inventory returns, Dual Wireless AND rj45 connections all rob us of successful installs.


                  hope this helps

                  • 6. Re: LDAP targeted distributions not quite working...
                    Spartan Apprentice

                    Sorry about my delay in responding,


                    Are you talking about targeting my "Device Query" & "LDAP Query" in my task rather than having the "Device Query" included in my disto and list targeting LDAP in my task?


                    I currently do the latter of the two, but when you use the prerequisite in this manner don't all of your machines end up in the "Failed" List?

                    Result "The machine failed the prerequisite query".


                    I can live with it but it would be nice to see them all in the green.



                    The big part of my problem is the software in question is not exiting the install in an elegant manner; it works but lists as failed.

                    I tried a few things to get it working but it's just not happy.


                    So I ended up adding a software scan after the install to update the inventory and setting the task to restart every day.

                    This seems to have fixed machines that had the task fail for other reasons.


                    But I still end up with a list of failed machines in the end (even if it's a "good fail").


                    It would be nice if you could include an LDAP lookup in a query and target that.