SCCM - User and Device Collections based on AD Groups

User and Device Collections based on AD Groups are useful when deploying applications: application owners control who receives a deployment by managing membership of an AD group, and you do not have to grant everyone permissions to the Configuration Manager console. Bear in mind that whoever can edit that AD group's membership now effectively controls the deployment scope, so protect the group's membership ACL accordingly.

To create a User or Device collection based on an Active Directory group you need to:

1) Create your new Device or User Collection
2) Give it a name
3) Under Membership Rules, add a "Query Rule", enter the following query and click OK (the AD group used in this example is DOMAIN\GROUPNAME; the doubled backslash is intentional, because the backslash is an escape character in WQL)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\GROUPNAME"

4) Tick the "Use incremental updates for this collection" checkbox

If for any reason the members are not being discovered, first ensure that Active Directory Group Discovery is enabled; SystemGroupName is populated by that discovery method, so without it the query never matches anything. Check the delta discovery interval as well, otherwise you can be waiting a long time for SCCM to pick up group changes from AD. Also make sure that "Discover objects within Active Directory groups" is enabled in the "Active Directory Container" properties of the "Active Directory User Discovery" method.
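The same procedure scripted with the ConfigurationManager PowerShell module that ships with the console, as an added example that is not part of the original post. It creates both the device collection from the query above and the user-collection variant (which keys on SMS_R_User.UserGroupName rather than SMS_R_System.SystemGroupName), enables incremental updates, and then runs the discovery and collection-evaluation checks described above instead of waiting for the schedules. The site code, collection names, limiting collections and the AD group name are placeholders I chose, not values from the post.

```powershell
# Added example, not from the original post. Assumptions: site code 'P01',
# AD group 'DOMAIN\GROUPNAME', and the ConfigurationManager module installed
# alongside the console (SMS_ADMIN_UI_PATH is set by the console installer).
$SiteCode  = 'P01'                 # assumed site code
$AdGroup   = 'DOMAIN\\GROUPNAME'   # single quotes keep the doubled backslash that WQL needs
$DevName   = 'App - GROUPNAME - Devices'
$UserName  = 'App - GROUPNAME - Users'

# Load the module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Device collection: SystemGroupName is filled in by AD Group Discovery.
$deviceQuery = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$AdGroup"
"@

# RefreshType Continuous is the "Use incremental updates for this collection" checkbox;
# Both adds a scheduled full evaluation as well, which catches anything a delta misses.
New-CMDeviceCollection -Name $DevName -LimitingCollectionName 'All Systems' -RefreshType Both | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $DevName `
    -RuleName "Members of $AdGroup" -QueryExpression $deviceQuery

# User collection: same idea, but the group membership lives on SMS_R_User.UserGroupName.
$userQuery = @"
select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,
       SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
from SMS_R_User
where SMS_R_User.UserGroupName = "$AdGroup"
"@
New-CMUserCollection -Name $UserName -LimitingCollectionName 'All Users' -RefreshType Both | Out-Null
Add-CMUserCollectionQueryMembershipRule -CollectionName $UserName `
    -RuleName "Members of $AdGroup" -QueryExpression $userQuery

# Troubleshooting: an empty collection almost always means AD Group Discovery is off or
# slow. Make sure it is enabled with a short delta interval (5 minutes here is my choice),
# then force a discovery cycle and a collection evaluation rather than waiting.
Set-CMDiscoveryMethod -ActiveDirectoryGroupDiscovery -SiteCode $SiteCode -Enabled $true `
    -EnableDeltaDiscovery $true -DeltaDiscoveryIntervalMins 5
Invoke-CMGroupDiscovery -SiteCode $SiteCode
Invoke-CMCollectionUpdate -Name $DevName
Invoke-CMCollectionUpdate -Name $UserName

# Confirm the memberships resolved to the expected resources.
Get-CMCollectionMember -CollectionName $DevName  | Select-Object Name, Domain
Get-CMCollectionMember -CollectionName $UserName | Select-Object Name, Domain
```

Because the queries are built in here-strings, the PowerShell variable expands to the literal `DOMAIN\\GROUPNAME` (PowerShell does not treat backslash as an escape), so the text WQL receives is exactly what you would type into the console's query rule dialog. Discovery and collection evaluation are asynchronous, so allow a few minutes between the Invoke-* calls and the final Get-CMCollectionMember check.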
