{"id":6130,"date":"2013-12-19T09:00:04","date_gmt":"2013-12-19T08:00:04","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=6130"},"modified":"2013-12-19T11:30:20","modified_gmt":"2013-12-19T10:30:20","slug":"mdt-filter-task-sequences-active-directory-group-membership","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/mdt-filter-task-sequences-active-directory-group-membership\/","title":{"rendered":"MDT: Filter task sequences on Active Directory group membership"},"content":{"rendered":"

\"Directions\"<\/a>By default task sequences<\/strong> in Microsoft Deployment Toolkit<\/a> (MDT) are available for all users, there is no access control list (ACL). This means that you can\u2019t filter<\/strong> certain task sequences for a group of users, while you might not want all users to execute all task sequences.<\/p>\n

For instance I don\u2019t want all users to run an unattended <\/strong>setup, I only want them to deploy <\/strong>a captured image <\/strong>(MDT can inject model specific drivers, so no harm done). However, the more advanced users \"Angry should be able to run all task sequences, including the unattended installations.<\/p>\n

 <\/p>\n

\"Windows<\/a>\"Windows<\/a><\/p>\n

<\/p>\n

\u00a0<\/h1>\n

WizardSelectionProfile<\/h1>\n

MDT can be configured to show a subnet of task sequences using a \u201cselection profile\u201d. Within a selection profile only folder can be checked \/ unchecked, configuration item in a folder can\u2019t. This means that we first need to create folders in the MDT Deployment Share \\ Task Sequences <\/strong>node.<\/p>\n

\u00a0<\/h6>\n
Folders<\/h6>\n

For this example I created two folders: Unattended<\/strong> and Image, <\/strong>each folder contains a number of task sequences.<\/p>\n

\"MDT<\/a><\/p>\n

 <\/p>\n

Selection Profile<\/h6>\n

Next we need selection profile that limit access to the folders in the MDT Deployment Share. Since I want to regular users to only see the task sequences from the Image<\/strong> folder I created a selection profile<\/strong> called \u201cTS-Image\u201d. The Administrators should see all task sequences so another selection profile called \u201cTS-All\u201d is created granting access to all task sequences.<\/p>\n

\"Selection<\/a>\"Selection<\/a><\/p>\n

 <\/p>\n

Rules<\/h6>\n

One of the properties that can be set is WizardSelectionProfile <\/strong>which will change the selection of task sequences that are shown in the task sequences form.<\/p>\n

WizardSelectionProfile=TS-Image<\/pre>\n
\"Windows<\/a><\/p>\n
\u00a0<\/h1>\n
Rules<\/h1>\n
After authenticating the user (to connect to the deployment share) MDT will execute<\/strong> rules<\/strong> in a given order. The order is set in the field Settings<\/strong> \\ Priority<\/strong>. The most specific rules should be executed first\u00a0 followed by more generic rules. The reason for this is that settings can be set only once, it can\u2019t be overwritten. Once a setting (like WizardSelectionProfile) has been set no new value is accepted.<\/p>\n
 <\/p>\n
UserID<\/h6>\n
By default MDT has the ability to read the provided username (UserID) and apply settings based on a specific user.<\/p>\n
Example\"MDT<\/a><\/span><\/p>\n
[Settings]\r\nPriority=UserID, Default\r\n\r\n[Ingmar]\r\nWizardSelectionProfile=TS-All\r\n\r\n[Default]\r\nWizardSelectionProfile=TS-Image<\/pre>\n
\u00a0<\/h6>\n
\u00a0<\/h6>\n
Group<\/h6>\n
Unfortunately MDT has no built-in<\/strong> mechanism to determine if a user is member<\/strong> of an Active Directory group, fortunately MDT does has the ability to call a web service.<\/strong> Maik Koster<\/a> wrote a WebService<\/a> that can determine if a user is member of an AD group. I\u2019m assuming the web service is running for this example to work. In case the web service isn\u2019t running yet, keep on reading.<\/em><\/p>\n
In this example I created two AD groups:<\/p>\n