By default the task sequences in a Microsoft Deployment Toolkit (MDT) deployment share are offered to every user; there is no access control list (ACL) on them. So you cannot show only certain task sequences to a group of users, even though you may not want every user to be able to run every task sequence. Keep in mind that what follows is a filter on what the Deployment Wizard displays: anyone who can read the deployment share can still read every task sequence under its Control folder, so it is no substitute for restricting access to the share itself.
For instance, I don’t want all users to run an unattended setup; I only want them to deploy a captured image (MDT injects model-specific drivers, so nothing is lost). More advanced users, however, should be able to run all task sequences, including the unattended installations.
MDT can be configured to show a subset of the task sequences by means of a “selection profile”. Within a selection profile only folders can be checked or unchecked, not the individual items inside a folder, so the first step is to create folders under the Task Sequences node of the deployment share.
For this example I created two folders: Unattended and Image, each folder contains a number of task sequences.
Next we need selection profiles that limit the wizard to those folders. Since regular users should only see the task sequences in the Image folder, I created a selection profile called “TS-Image”. Administrators should see all task sequences, so a second selection profile called “TS-All” is created that includes both folders.
The selection profile is applied through the CustomSettings.ini property WizardSelectionProfile, which changes the set of task sequences shown on the wizard’s task sequence page.
After the user has authenticated to the deployment share, MDT processes the rules in CustomSettings.ini in the order given by the Priority line of the [Settings] section. The most specific rules must come first, followed by the more generic ones, because a property can only be set once: once a value has been assigned (to WizardSelectionProfile, for instance), later rules that try to set it are ignored.
Out of the box, MDT can key rules on the name the user supplied when connecting to the share (the UserID property): with UserID in the Priority list, a section named after the user is processed before the generic ones, so settings can be applied per user.
[Settings]
Priority=UserID, Default

[Ingmar]
WizardSelectionProfile=TS-All

[Default]
WizardSelectionProfile=TS-Image
Unfortunately MDT has no built-in way to test whether a user is a member of an Active Directory group, but it does have the ability to call a web service, and Maik Koster wrote a web service that does exactly that. I assume the web service is already running for this example to work; if it isn’t yet, its installation is covered further down. Note that MDT calls the service over plain HTTP and trusts whatever answer comes back, so the host behind that URL (and the DNS name that resolves to it) effectively decides who gets which profile; treat it as part of the trust boundary of the deployment share.
In this example I created two AD groups:
- MDT_Admin – Users of this group are allowed to see all task sequences
- MDT_User – Users of this group are only allowed to see task sequences from the “Image” folder.
The rules are processed in the order listed in Priority; the Admin-True and User-True sections are only executed when a group check leads to them:
- INT – Fills the properties UsersGroupAdmins and UsersGroupUsers with the names of the Active Directory groups created earlier
- SetTaskSequenceAdmin – Calls the web service to determine whether the user is a member of the MDT_Admin group. If so, the Admin-True section is executed
- SetTaskSequenceUser – Calls the web service to determine whether the user is a member of the MDT_User group. If so, the User-True section is executed
- SetTaskSequenceDefault – Always executed; sets the selection profile to TS-None, a selection profile with nothing selected, so a user who is in neither group gets an empty task sequence list. Because the first value wins, this rule has to come after the two group checks: for users in either group WizardSelectionProfile is already set by then and this value is ignored
- Default – Default settings that should apply to every deployment
- Admin-True – Executed if the user is a member of the AD group MDT_Admin; sets WizardSelectionProfile to TS-All
- User-True – Executed if the user is a member of the AD group MDT_User; sets WizardSelectionProfile to TS-Image
[Settings]
Priority=INT,SetTaskSequenceAdmin,SetTaskSequenceUser,SetTaskSequenceDefault,Default
Properties=MyCustomProperty,IsGroupMemberAdmin,UsersGroupAdmins,IsGroupMemberUser,UsersGroupUsers,Username,Groupname

[INT]
UsersGroupAdmins=MDT_Admin
UsersGroupUsers=MDT_User

[SetTaskSequenceAdmin]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupAdmins
UserID=Username
UsersGroupAdmins=Groupname
IsGroupMemberAdmin=boolean
SubSection=Admin-%IsGroupMemberAdmin%

[SetTaskSequenceUser]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupUsers
UserID=Username
UsersGroupUsers=Groupname
IsGroupMemberUser=boolean
SubSection=User-%IsGroupMemberUser%

[Admin-True]
WizardSelectionProfile=TS-All

[User-True]
WizardSelectionProfile=TS-Image

[SetTaskSequenceDefault]
WizardSelectionProfile=TS-None
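The rule processing described above, as an added example that is not part of the original post and is not MDT’s own code: a small PowerShell simulator of the parts of ZTIGather rule processing this post relies on (the Priority order, first value wins, SubSection with %Property% expansion, and the web service section), with the AD lookup behind IsUserGroupMember replaced by a constructed membership table. The rules are the ones from this post (the Properties line is left out, the simulator does not need declared properties); the users ingmar, alice and bob and their group memberships are constructed. It covers both the per-user rules from earlier and the group-based rules, and ends by showing what happens when SetTaskSequenceDefault is moved ahead of the group checks.

```powershell
# Added example, not from the original post and not MDT's own code: a simulator
# of the parts of ZTIGather rule processing this post relies on (Priority order,
# first value wins, SubSection with %Property% expansion, WebService sections).
# The AD lookup behind IsUserGroupMember is replaced by a constructed table.
$CustomSettingsIni = @'
[Settings]
Priority=INT,SetTaskSequenceAdmin,SetTaskSequenceUser,SetTaskSequenceDefault,Default
[INT]
UsersGroupAdmins=MDT_Admin
UsersGroupUsers=MDT_User
[SetTaskSequenceAdmin]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupAdmins
UserID=Username
UsersGroupAdmins=Groupname
IsGroupMemberAdmin=boolean
SubSection=Admin-%IsGroupMemberAdmin%
[SetTaskSequenceUser]
WebService=http://MDT.domain.local/Deployment%20Webservice/ad.asmx/IsUserGroupMember
Parameters=UserID,UsersGroupUsers
UserID=Username
UsersGroupUsers=Groupname
IsGroupMemberUser=boolean
SubSection=User-%IsGroupMemberUser%
[Admin-True]
WizardSelectionProfile=TS-All
[User-True]
WizardSelectionProfile=TS-Image
[SetTaskSequenceDefault]
WizardSelectionProfile=TS-None
'@

# Constructed stand-in for the group membership the web service reads from AD.
$GroupMembers = @{ 'MDT_Admin' = @('ingmar'); 'MDT_User' = @('ingmar', 'alice') }

function ConvertFrom-Ini([string]$Text) {
    $ini = [ordered]@{}; $section = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = [ordered]@{} }
        elseif ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}

# First value wins: a property that is already set keeps its value.
function Set-FirstWins($Props, [string]$Name, [string]$Value, $Log) {
    if ($Props.ContainsKey($Name)) { $Log.Add("  $Name=$Value ignored, already '$($Props[$Name])'") }
    else { $Props[$Name] = $Value; $Log.Add("  $Name=$Value") }
}

# %Name% in a value is replaced by the current value of that property (empty if unset).
function Expand-Property([string]$Value, $Props) {
    foreach ($m in [regex]::Matches($Value, '%([^%]+)%')) { $Value = $Value.Replace($m.Value, [string]$Props[$m.Groups[1].Value]) }
    return $Value
}

function Invoke-Section($Ini, [string]$Name, $Props, $Log) {
    if (-not $Ini.Contains($Name)) { $Log.Add("[$Name] not defined, skipped"); return }
    $Log.Add("[$Name]"); $section = $Ini[$Name]; $sentProps = @()
    if ($section.Contains('WebService')) {
        # Parameters names the properties whose values are sent (user, then group);
        # the key whose value is 'boolean' is the property that receives the reply.
        $sentProps = ($section['Parameters'] -split ',').Trim()
        $sent = foreach ($p in $sentProps) { [string]$Props[$p] }
        $user, $group = $sent
        $member = $GroupMembers[$group] -contains $user
        $target = ($section.GetEnumerator() | Where-Object { $_.Value -eq 'boolean' }).Key
        Set-FirstWins $Props $target "$member" $Log
    }
    foreach ($entry in $section.GetEnumerator()) {
        $key = $entry.Key
        # Skip the web service plumbing: the call itself, parameter renames, reply mapping.
        if (($key -in 'WebService', 'Parameters') -or ($key -in $sentProps) -or ($entry.Value -eq 'boolean')) { continue }
        if ($key -eq 'SubSection') { Invoke-Section $Ini (Expand-Property $entry.Value $Props) $Props $Log }
        else { Set-FirstWins $Props $key $entry.Value $Log }
    }
}

function Get-WizardSelectionProfile([string]$UserID, [string]$Rules = $CustomSettingsIni) {
    $ini = ConvertFrom-Ini $Rules
    $props = @{ UserID = $UserID }   # set by the wizard from the credentials used for the share
    $log = New-Object System.Collections.Generic.List[string]
    foreach ($name in ($ini['Settings']['Priority'] -split ',').Trim()) { Invoke-Section $ini $name $props $log }
    [pscustomobject]@{ UserID = $UserID; WizardSelectionProfile = $props['WizardSelectionProfile']; Trace = $log }
}

# ingmar is in both groups and gets TS-All because the admin check runs first;
# alice gets TS-Image; bob is in neither group and gets TS-None (fail closed).
'ingmar', 'alice', 'bob' | ForEach-Object { Get-WizardSelectionProfile $_ } | Format-Table UserID, WizardSelectionProfile

# Same rules with SetTaskSequenceDefault moved ahead of the group checks:
# first value wins, so everyone, the admin included, now ends up with TS-None.
$wrongOrder = $CustomSettingsIni -replace 'SetTaskSequenceAdmin,SetTaskSequenceUser,SetTaskSequenceDefault', 'SetTaskSequenceDefault,SetTaskSequenceAdmin,SetTaskSequenceUser'
(Get-WizardSelectionProfile 'ingmar' $wrongOrder).Trace
```

It runs in PowerShell 3 or later and touches neither a deployment share nor AD. The trace printed for the reordered rules shows the TS-All line being ignored because TS-None was already set, which is exactly the failure you get in a real share when the fail-closed rule is placed too early. The simulator knows nothing about list properties or the other ZTIGather features, so use it to reason about rule order, not as a substitute for reading ZTIGather.log.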
Installation of Maik Koster’s web service is explained in its Installation Guide. However, it took me a while to work out how to run the web service on IIS 7.5 (Windows Server 2012). These are the steps I followed:
- Install the Web Server (IIS) – Web Server role with (at least) the following features
- Download the web service and extract its contents to a local folder on the web server (for instance C:\MDT)
- Open the Internet Information Services (IIS) Manager
- In the Application Pools section click on Add Application Pool
- Create an application pool with the name Deployment Webservice
- Select the newly created application pool Deployment Webservice and click on Advanced Settings
- In the advanced settings, change the Identity from ApplicationPoolIdentity to an Active Directory account that can query the directory. Reading group membership needs no special privileges, so use a plain domain user account created for this service, not an administrative account
- In the Default Web Site (for example) click on Add Application
- Create an application with the following properties
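The same steps as a script, added here as an example that is not part of the original post and not part of Maik Koster’s package. It assumes the web service was extracted to C:\MDT, that it is an ASP.NET application running on .NET 4.x (use Web-Asp-Net and a v2.0 application pool for a .NET 2.0/3.5 build), that the account used for the AD lookup is a plain domain user, and, for the last check, that the package’s web.config allows the method to be called with HTTP POST, which the MDT web service rules need in any case. The host name, the user name and the group name are the ones from the rules above.

```powershell
# Added example, not from the original post or from the web service package:
# the IIS steps above as a script. Assumed: the service is extracted to C:\MDT,
# it is a .NET 4.x ASP.NET application (use Web-Asp-Net and CLR v2.0 for a
# .NET 2.0/3.5 build), and the AD lookup runs as a plain domain user account.
$poolName = 'Deployment Webservice'
$siteName = 'Default Web Site'
$appPath  = 'C:\MDT'
$svcCred  = Get-Credential -Message 'Domain account the pool runs as (a plain domain user can read group membership)'

Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Mgmt-Console | Out-Null
Import-Module WebAdministration

# Application pool running as the domain account (identityType 3 = SpecificUser)
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $svcCred.UserName
    password     = $svcCred.GetNetworkCredential().Password
}

# Least privilege on the file system: the account only needs to read the application folder.
icacls $appPath /grant "$($svcCred.UserName):(OI)(CI)RX" | Out-Null

# The web application under the Default Web Site, bound to that pool
if (-not (Get-WebApplication -Site $siteName -Name $poolName)) {
    New-WebApplication -Site $siteName -Name $poolName -PhysicalPath $appPath -ApplicationPool $poolName | Out-Null
}

# Check 1: the service description page answers, the same test as opening it in a browser.
$base = "http://MDT.domain.local/$([uri]::EscapeDataString($poolName))/ad.asmx"
(Invoke-WebRequest -Uri $base -UseBasicParsing).StatusCode   # 200 when the application runs

# Check 2: the method call MDT makes from the rules, with the parameter names used there.
# Assumes the package's web.config allows HTTP POST to the method (assumption).
$reply = Invoke-WebRequest -Uri "$base/IsUserGroupMember" -Method Post -UseBasicParsing `
    -Body @{ Username = 'ingmar'; Groupname = 'MDT_Admin' }
([xml]$reply.Content).DocumentElement.InnerText                # 'true' or 'false'
```

If the second check returns an HTTP error while the first one works, the usual causes are the application pool’s .NET CLR version not matching the framework the package was built for, or the POST protocol not being enabled in its web.config; both show up in the IIS log and in the ASP.NET error page before they ever show up in ZTIGather.log.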
To verify that the web service is working, open a browser and navigate to http://MDT.domain.local/Deployment WebService/ad.asmx. This should show something similar to this: