MDT: Filter task sequences on Active Directory group membership

By default, task sequences in Microsoft Deployment Toolkit (MDT) are available to all users; there is no access control list (ACL). This means you cannot restrict certain task sequences to a group of users, even though you might not want every user to be able to run every task sequence.

For instance, I don’t want all users to run an unattended setup; I only want them to deploy a captured image (MDT can inject model-specific drivers, so no harm done). However, the more advanced users should be able to run all task sequences, including the unattended installations.

Windows Deployment Wizard - Task Sequence - Deploy only
Windows Deployment Wizard - Task Sequence - All

WizardSelectionProfile

MDT can be configured to show a subset of task sequences using a “selection profile”. Within a selection profile only folders can be checked or unchecked, not the individual configuration items in a folder. This means we first need to create folders under the Task Sequences node of the MDT Deployment Share.

Folders

For this example I created two folders, Unattended and Image; each folder contains a number of task sequences.

MDT Deployment Share Task Sequences

Selection Profile

Next we need selection profiles that limit access to the folders in the MDT Deployment Share. Since I want regular users to only see the task sequences from the Image folder, I created a selection profile called “TS-Image”. Administrators should see all task sequences, so another selection profile called “TS-All” is created that grants access to all task sequences.

Selection Profile - TS-Image
Selection Profile - TS-All

Rules

One of the properties that can be set in the rules is WizardSelectionProfile, which changes the selection of task sequences shown on the task sequence page of the wizard.

WizardSelectionProfile=TS-Image

Windows Deployment Wizard - Task Sequence - Deploy only

Rules

After authenticating the user (to connect to the deployment share), MDT executes the rules in a given order. The order is set in the field Settings \ Priority. The most specific rules should be executed first, followed by the more generic rules. The reason is that a setting can be set only once; it cannot be overwritten. Once a setting (like WizardSelectionProfile) has been set, no new value is accepted.

UserID

By default MDT has the ability to read the provided username (UserID) and apply settings based on a specific user.

Example

MDT Deployment Share Properties - Rules - UserID

[Settings]
Priority=UserID, Default

[Ingmar]
WizardSelectionProfile=TS-All

[Default]
WizardSelectionProfile=TS-Image

Group

Unfortunately MDT has no built-in mechanism to determine whether a user is a member of an Active Directory group; fortunately MDT does have the ability to call a web service. Maik Koster wrote a web service that can determine whether a user is a member of an AD group. I’m assuming the web service is running for this example to work. If the web service isn’t running yet, keep on reading.

In this example I created two AD groups:

  • MDT_Admin – Members of this group are allowed to see all task sequences
  • MDT_User – Members of this group are only allowed to see the task sequences from the “Image” folder.

The following MDT rules are always executed, in the provided order:

  • INT – Fills the settings “UsersGroupAdmins” and “UsersGroupUsers” with the names of the Active Directory groups created earlier
  • SetTaskSequenceAdmin – Determines whether the user is a member of the “MDT_Admin” group. If so, it executes the rule Admin-True
  • SetTaskSequenceUser – Determines whether the user is a member of the “MDT_User” group. If so, it executes the rule User-True
  • SetTaskSequenceDefault – Is always executed and sets the selection profile to “TS-None”, which displays no task sequences (an empty task sequence list)
  • Default – Sets the default settings that should apply to all task sequences

MDT Deployment Share Properties - Rules - Group

Depending on the outcome of SetTaskSequenceAdmin / SetTaskSequenceUser, the following rules are executed via the SubSection setting.

  • Admin-True – Is executed if the user is a member of the AD group “MDT_Admin” and sets the WizardSelectionProfile to “TS-All”
  • User-True – Is executed if the user is a member of the AD group “MDT_User” and sets the WizardSelectionProfile to “TS-Image”

Example

[Settings]
Priority=INT,SetTaskSequenceAdmin,SetTaskSequenceUser,SetTaskSequenceDefault,Default
Properties=MyCustomProperty,IsGroupMemberAdmin,UsersGroupAdmins,IsGroupMemberUser,UsersGroupUsers,Username,Groupname

[INT]
UsersGroupAdmins=MDT_Admin
UsersGroupUsers=MDT_User

[SetTaskSequenceAdmin]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupAdmins
UserID=Username
UsersGroupAdmins=Groupname
IsGroupMemberAdmin=boolean
SubSection=Admin-%IsGroupMemberAdmin%

[SetTaskSequenceUser]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupUsers
UserID=Username
UsersGroupUsers=Groupname
IsGroupMemberUser=boolean
SubSection=User-%IsGroupMemberUser%

[Admin-True]
WizardSelectionProfile=TS-All

[User-True]
WizardSelectionProfile=TS-Image

[SetTaskSequenceDefault]
WizardSelectionProfile=TS-None
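To see how the Priority order from the Rules section, the set-once behaviour of settings and the SubSection chaining combine, here is a small Python model of the rules above. It is an added example, not MDT’s own ZTIGather code or Maik Koster’s web service: the AD lookup is a stub over a constructed membership table, property names are treated case-insensitively as MDT does, and the real parameter and response handling is simplified to the PropertyName=ParameterName and PropertyName=ResponseElement mappings used in the example.

```python
import configparser, re
GROUPS = {"Ingmar": {"MDT_Admin", "MDT_User"}, "Alice": {"MDT_User"}, "Bob": set()}  # constructed, not a real AD

def is_user_group_member(Username, Groupname):  # stub for the web service method
    return {"boolean": str(Groupname in GROUPS.get(Username, set()))}

RULES = """[Settings]
Priority=INT,SetTaskSequenceAdmin,SetTaskSequenceUser,SetTaskSequenceDefault
[INT]
UsersGroupAdmins=MDT_Admin
UsersGroupUsers=MDT_User
[SetTaskSequenceAdmin]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupAdmins
UserID=Username
UsersGroupAdmins=Groupname
IsGroupMemberAdmin=boolean
SubSection=Admin-%IsGroupMemberAdmin%
[SetTaskSequenceUser]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupUsers
UserID=Username
UsersGroupUsers=Groupname
IsGroupMemberUser=boolean
SubSection=User-%IsGroupMemberUser%
[Admin-True]
WizardSelectionProfile=TS-All
[User-True]
WizardSelectionProfile=TS-Image
[SetTaskSequenceDefault]
WizardSelectionProfile=TS-None
"""

def gather(ini_text, user):  # simplified ZTIGather: walk Priority in order, first value wins
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # keys come back lowercased
    cp.read_string(ini_text)
    sections = {s.lower(): dict(cp[s]) for s in cp.sections()}
    props = {"userid": user}  # MDT fills UserID from the deployment share logon
    def run(name):
        sec = sections.get(name.lower(), {})  # an undefined section such as Admin-False does nothing
        params = sec["parameters"].lower().split(",") if "webservice" in sec else []
        resp = is_user_group_member(**{sec.get(p, p): props.get(p, "") for p in params}) if params else {}
        for k, v in sec.items():
            if k not in ("webservice", "parameters", "subsection", *params):
                props.setdefault(k, resp.get(v, v))  # set-once: later values are ignored
        if "subsection" in sec:  # %VAR% expansion picks the next section to run
            run(re.sub(r"%(\w+)%", lambda m: props.get(m.group(1).lower(), ""), sec["subsection"]))
    for section in sections["settings"]["priority"].split(","):
        run(section.strip())
    return props.get("wizardselectionprofile")
```

Moving SetTaskSequenceDefault ahead of the two web service sections in Priority makes every user end up with TS-None, which is why the most specific rules must run first. Keep in mind that the profile only decides what the wizard lists; the task sequence files on the share stay readable to anyone who can connect, so this is a convenience filter rather than an ACL.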

WebService

Installation of Maik Koster’s web service is explained in its Installation Guide. However, it did take me a while to find out how to run the web service on IIS 7.5 (Windows Server 2012). Here are the steps that I followed:

  1. Install the Web Server (IIS) – Web Server role with (at least) the following features
    • Application Development \ .NET Extensibility 4.5
    • ASP.NET 4.5
    • ISAPI Extensions
    • ISAPI Filters
      Server Roles - Web Server (IIS) - Web Server - Application Development

  2. Download and extract the content of the web service to a local folder on the web server (for instance C:\MDT)
    C - MDT
  3. Open the Internet Information Services (IIS) Manager

  4. In the Application Pools section click on Add Application Pool

    Internet Information Services (IIS) Manager - Application Pools - Add Application Pool

  5. Create an application pool with the name Deployment Webservice

    Add Application Pool - Deployment Webservice



  6. Select the newly created application pool Deployment Webservice and click on Advanced Settings

    Application Pools - Deployment Webservice
  7. In the advanced settings change the Identity from ApplicationPoolIdentity to an Active Directory account that has sufficient permissions to query the AD
    Deployment Webservice - Advanced Settings
    Deployment Webservice - Advanced Settings - Application Pool Identity

  8. In the Default Web Site (for example) click on Add Application

    Default Web Site - Add Application



  9. Create an application with the following properties
    • Alias – Deployment Webservice
    • Application pool – Deployment Webservice (you created this in step 5)
    • Physical Path – C:\MDT\MaikKoster.Deployment.Webservice (the path from step 2)
      Default Web Site - Add Application - Deployment Webservice

To verify that the web service is working, open your browser and navigate to http://MDT.domain.local/Deployment WebService/ad.asmx. This should show you something similar to this:

Deployment Webservice - ad.asmx