Create SCCM Collection using AD Group – Part 3 | ConfigMgr

Let’s learn how to create the SCCM Collection using AD Group. The SCCM Dynamic collection can be created using AD Group.

I have explained how to create static and dynamic collections in the previous posts. In this post, I will help you learn how to create an AD Group Based SCCM Collection.

We can create an AD security group-based collection using dynamic and direct member query rules. You can also use the following method to create a dynamic SCCM Collection based on Active Directory OU | The Easy Way.

[Related posts – What is Collection, How to Create SCCM Direct Membership Collections, and How to create dynamic collections?]

Patch My PC

How to Enable AD Security Group Discovery

You need to enable Active Directory (AD) group discovery to create an AD group-based SCCM collection. If you have not enabled AD group discovery in your SCCM environment, you won’t be able to develop SCCM collections based on AD security groups.

I’ve explained this discovery process in the video tutorial.

Create SCCM Collection using AD Group – Part 3 | ConfigMgr 1

When you specify an AD group to discover, SCCM discovers the members of that AD security group and any nested AD security groups.

SCCM Active Directory Group Discovery

SCCM generates a user group resource record for a specific group. This discovery happens when the selected group is an AD security group.

Adaptiva

Open the SCCM Admin console and Navigate to \Administration\Overview\Hierarchy Configuration\Discovery Methods. Double click or go to properties of Active Directory Group Discovery.

Active Directory Group Discovery properties window click on checkmark near Enable Active Directory Group Discovery.

SCCM Active Directory Group Discovery Create SCCM Collection using AD Group - Part 3 | ConfigMgr
SCCM Active Directory Group Discovery Create SCCM Collection using AD Group – Part 3 | ConfigMgr 2

Click on ADD button at the bottom of the Active Directory Group Discovery properties window. Select either Groups or Location.

Select Groups as I don’t want to discover all the AD security Groups in my AD environment. I will test this will one or two AD groups.

Enter a Name for AD Security Group Discovery from Add Group window

Click on the Browse button to select an AD security group

Select AD security Groups that you want to discover from Select Groups windows

Click OK and OK to close the Window

AD Group Based SCCM Collection Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr Create SCCM Collection using AD Group – Part 3 | ConfigMgr 3

SCCM Active Directory Group Discovery Issue

Troubleshooting related to AD security group discovery can be started from the log file called adsgdis.log. Following is some of the extracts of important lines of the AD security group discovery log file.

!!!!Valid Search Scope Name: App Deployment Group Search Path: LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM IsValidPath: TRUE

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.151-330><thread=3804 (0xEDC)>
Starting the data discovery.~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.153-330><thread=3804 (0xEDC)>
Connecting to site server’s (\\SCCM_Prod.Intune.com) registry~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.157-330><thread=3804 (0xEDC)>
INFO: DDR was written for group ‘INTUNE\App Deployment’ – C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg29mn6.DDR at 8/13/2018 9:53:24.~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.511-330><thread=3804 (0xEDC)>
INFO: Successfully updated the Group membership tables for group ‘INTUNE\App Deployment’

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.030-330><thread=3804 (0xEDC)>
INFO: CADSource::fullSync returning 0x00000000~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.108-330><thread=3804 (0xEDC)>
INFO: AD Discovery under container LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM found 1 objects

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.111-330><thread=3804 (0xEDC)>
INFO: Succeed to update immediate groups of search scope App Deployment Group into DB.

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.204-330><thread=3804 (0xEDC)>
INFO: Succeed to save all immediate search bases into DB.

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.250-330><thread=3804 (0xEDC)>
INFO: ——– Finished to process search scope (App Deployment Group) ——–

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.256-330><thread=3804 (0xEDC)>

Video Tutorial – AD Group Based SCCM Collection

Create SCCM Collection using AD Group – Part 3 | ConfigMgr 4

Create Direct Membership for User Collection Using AD Security Group

I would recommend following steps to complete the creation of SCCM User Collection using Active Directory user group.

Make sure you have completed the AD User discovery before starting this user collection creation. I’ve explained this discovery process in the video tutorial.

AD Group Based SCCM Collection process is given below:-

Navigate to the SCCM console –  Assets and Compliance – User Collections. Right-click and select “Create User Collection” from the Device Collections node.

Create Direct Membership for User Collection Using AD Security Group
Create Direct Membership for User Collection Using AD Security Group 5

On the General page, provide a Name and a Comment. Then, in Limiting collection, choose to Browse to select a limiting collection. The collection will only contain members from the limiting collection.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 6

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the type DIRECT membership rule for this collection. You can configure multiple rules for each collection.

On the Membership Rules page of the Create User Collection Wizard, select Direct Rule in the Add Rule list.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 7

On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: 7-10 steps. By the end of the 11th step, you will be able to create a static AD Group Based SCCM Collection.

Check the drop-down options for the Resource class: Select the type of resource you want to search for and add to the collection. Select from User Group Resource values to search for inventory data returned from client computers.

Check the drop-down options for Attribute name: Select the attribute associated with the selected resource class that you want to search for. For example, if you choose computers by their NetBIOS name, select Group User Resource in the Resource class list and Unique User Group Name in the Attribute name list.

Enter the Value: Enter a value for which you want to search the selected attribute name. You can use the percent character % as a wildcard. Click the NEXT button. For example, to search for computers with a NetBIOS name beginning with “M,” enter M% in this field.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 8

Select the AD Security Group you want to add as a member of the user collection on the Select Resources page. This group will get added to the collection in the Resources list, and then choose Next and NEXT to complete the wizard. 

NOTE:– If AD Group Discovery is not completed, you won’t be able to see any groups on this page.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 9

Click on Close and OK to complete the creation of the AD Security Group-based collection.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 10

End Result of Static Membership Query – AD Security Group Based User Collection:-

AD Group Based SCCM Collection – Direct Membership Rule. I’ve explained this discovery process in the video tutorial.

AD Group Based SCCM Collection End Result of Static Membership Query - AD Security Group Based User Collection:-
End Result of Static Membership Query – AD Security Group Based User Collection 11

[Related posts – What is Collection, How to Create SCCM Static Collections, and How to create dynamic collections?]

Create Dynamic Membership Query for User Collection Using AD Security Group

The second part of the AD Group Based SCCM Collection creation is explained below. This user collection is created using a dynamic collection WQL query. You may need to keep the default update schedule for this type of use collection.

I’ve explained this discovery process in the video tutorial.

Navigate to the SCCM console –  Assets and Compliance – User Collections. Right-click and select “Create User Collection” from the User Collections node.

On the General page, provide a Name and a Comment. Then, in Limiting collection, choose to Browse to select a limiting collection. The collection will only contain members from the limiting collection.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 12

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the type Query Rule membership rule for this collection. You can configure multiple rules for each collection.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 13

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select Query Rule.

On the Query Rule Properties windows, specify the following information. Name: Specify a unique name. By the end of the 11th step, you will be able to create a dynamic AD Group Based SCCM Collection.

Resource class: Select the type of resource you want to search for and add to the collection. You have to select User Resource to create a Dynamic User Collection in SCCM.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 14

Click Edit Query Statement to open the Query Statement Properties dialog box, where you can create a query to use as the rule for the SCCM user dynamic collection.

On Query Statement Properties, click on the Criteria tab. Click on the Criteria Properties dialog and click on the * button to start creating dynamic rules on the Criteria Properties dialog.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 15
  • Select Criteria value as Simple Value.
  • The dialog box clicks on the Select button on the Criteria Properties to open the Attribute Dialog box.
  • On the Attribute Dialog box, Select Attribute class as User Resource, Alias as = No Alias.
  • Select Attribute as Security Group. Click OK to close the Select Attribute Dialog box.
Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 16

The dialog box selects Operator “is equal to ” on the Criteria Properties. “ Is Like is not the operator which gives you the best performance.

Click on the Value button and find out the available AD security groups. Select the AD security group for your collection creation.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 17

WQL Query Based on AD Security Group Collection

Let’s find the details of the WQL query based on AD security SCCM collection.

select *  from  SMS_R_User where SMS_R_User.SecurityGroupName = "Anoop - Test Users Group"
WQL Query Based on AD Security Group Collection
WQL Query Based on AD Security Group Collection 18

Complete – AD Group based SCCM Collection

Let’s complete the Complete – AD Group-based SCCM Collection.

Click OK, OK, and OK to close all dialog boxes on the Membership Rule page click on NEXT. Click NEXT, NEXT, and Close to finish the Create User Collection Wizard.

Complete - AD Group based SCCM Collection
Complete – AD Group based SCCM Collection 19

End Result of SCCM User Collection Based on Query Rule

The AD Group Based SCCM Collection with query rule dynamic member rule results are below.

select * from SMS_R_User where SMS_R_User.SecurityGroupName = “INTUNE\\App Deployment”

Create AD Group Based SCCM Collection
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 20

[Related posts – What is Collection, How to Create SCCM Static Collections, and How to create dynamic collections?]

Resources

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

9 thoughts on “Create SCCM Collection using AD Group – Part 3 | ConfigMgr”

  1. Hey, another great article thank-you! This is very interesting.

    The only reason I can think of not to use direct membership for AD groups is for uninstalls.

    We use AD groups + query rule to populate, and an uninstall collection which populates if the software is installed but is not a member of the “install” collection (exclude rule).

    So I guess my question is, is there a way you can think of to cater for automatically uninstalling applications if a user is removed from the AD group?

    Reply
  2. Hi, great article. We use AD groups to populate patching device collections via a query. As such, a server must only be in one AD group to pick up an appropriate maintenance window. Do you know of a way to check if a server is in multiple device collections (so I can weed out my finger faults!)? Thanks

    Reply
  3. Hi Anoop! I tried this method and it works well in the AD security group, it also replicates the number of members in the collection vs the number in AD Security group. But my problem is when I remove or delete a member in the AD Security group, it does not replicated in the collection. Am I doing something wrong?

    Reply
    • Ah ok … does this mean it doesn’t remove the members of collection if you change some membership changes in ad group. I don’t think there is any specific configuration you need to put in for this. I don’t remember whether I tested this scenario or not. Did you see some details in the log files ? Also did you try full sync ?

      Reply
  4. I see based on group type attribute, you are using global scope security groups…have you had success with Domain Local and Universal as well? and/or nested group membership?

    I am having real troubles figuring out why this isn’t working for Domain local at the moment.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.