Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Deploy based on AD User Group?

Sorry if this has been already covered but i'm trying to see if our new PDQ Deploy/Inventory setup can handle a specific use case we may have.   I know I can setup Dynamic Computer groups based on various criteria and that is working well so far.

We are looking for a way to deploy a base Windows 10 laptop to our users and have an automated way to deploy different applications to the users laptop based on if that user is in a member User AD Group (or if anyone has a suggestion for a better way to do it).  Most likely the laptops would all be in the same AD OU (or departmental) but not all machines in that OU would require the same applications so not as simple as a computer target group.   Not sure if PDQ can do something like this?



Date Votes
  • We run it that way. It's a little tricky but it does work:

    In AD I create a Global Security group for every package we need to be able to distribute this app_WS_Chrome. You put the computers in this group - not the users.

    In PDQ Inventory I create a Dynamic Collection matching each AD group with the following filter, ie.:

    All -> Member of AD Group -> Name -> Equals -> app_WS_Chrome

    Under this collection I create collection called Not installed. It's a Drill down from parent collection containing PC's which do not have the application installed, ie:

    Not Any -> Application -> Name -> Starts With -> Google Chrome

    In PDQ Deplpy I create a schedule for each group, ie.:

    AutoInstall [app_WS_Chrome] Google Chrome

    Target Collection: app_WS_Chrome -> Not Installed

    Packages: Google Chrome

    Trigger: Heartbeat

    The trigger is currently the weak point, as you'll probably prefer PDQ to scan your AD (to get new AD group members, then trigger the PDQ Deploy schedule). PDQ doesn't really support this, so I created a small PowerShell script which is triggered every ten minuts via Windows Task Scheduler. What is does is:

    1. Trigger ADSync (PDQInventory ADSync -StartSync)
    2. Wait for sync to finish (watch modified date of C:\ProgramData\Admin Arsenal\PDQ Inventory\ADSync.log)
    3. Check if there are any members in any of the Not installed collections ($collections=PDQInventory GetAllCollections | where {$_ -match 'Not installed'}
    4. If there is, trigger all Deploy schedules (PDQDeploy StartSchedule -ScheduleId $sch).

    For the last trigger step I get the schedule ID's with 

    $schedules = PDQDeploy GetSchedules | where {$_ -match 'app_WS'}

    , then iterate through triggering each one.

    Anyway, it's not perfect but it does work :)


  • I know this is an old post. I was trying to follow it and I have 2 questions.

    I've included All Groups as part of my Inventory sync, but I don't see any groups after, only the parent folder. Inventory doesn't seem to know about my security groups. Thoughts?

    I need clarification on the statement below. Is this collection supposed to be filtered from the parent collection and what is applied to this collection? Mine isn't passing the filter along from the parent.

    Under this collection I create collection called Not installed. It's a Drill down from parent collection containing PC's which do not have the application installed, ie:

    Any help is appreciated.