Create SCCM Collection using AD Group – Part 3 | ConfigMgr

Let’s learn how to create the SCCM Collection using AD Group. The SCCM Dynamic collection can be created using AD Group.

In previous posts, I explained how to create static and dynamic collections. In this post, I will help you learn how to create an AD Group-Based SCCM Collection.

You must enable Active Directory Group discovery to use device collections based on Active Directory groups.

We can create an AD security group-based collection using dynamic and direct member query rules. You can also use the following method to create a dynamic SCCM Collection based on Active Directory OU | The Easy Way.

Patch My PC

How to Enable AD Security Group Discovery

You must enable Active Directory (AD) group discovery to create an AD group-based SCCM collection. If you have not enabled AD group discovery in your SCCM environment, you won’t be able to develop SCCM collections based on AD security groups.

I’ve explained this discovery process in the video tutorial.

When you specify an AD group to discover, SCCM discovers the members of that AD security group and any nested AD security groups.

Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Video 1

SCCM Active Directory Group Discovery

SCCM generates a user group resource record for a specific group. This discovery happens when the selected group is an AD security group.

Open the SCCM Admin console and Navigate to \Administration\Overview\Hierarchy Configuration\Discovery Methods. Double-click or go to the properties of Active Directory Group Discovery.

In the Active Directory Group Discovery properties window, click on the checkmark near Enable Active Directory Group Discovery.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr - Fig.1
Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Fig.1

Click the ADD button at the bottom of the Active Directory Group Discovery properties window. Select either Groups or Location.

Select Groups, as I don’t want to discover all the AD security Groups in my AD environment. I will test this with one or two AD groups.

  • Enter a Name for AD Security Group Discovery from the Add Group window
  • Click on the Browse button to select an AD security group
  • Select AD security Groups that you want to discover from the Select Groups windows
  • Click OK and OK to close the Window
Create SCCM Collection using AD Group - Part 3 | ConfigMgr - Fig.2
Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Fig.2

SCCM Active Directory Group Discovery Issue

Troubleshooting related to AD security group discovery can be started from the log file called adsgdis.log. Following is some of the extracts of important lines of the AD security group discovery log file.

!!!!Valid Search Scope Name: App Deployment Group Search Path: LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM IsValidPath: TRUE

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.151-330><thread=3804 (0xEDC)>
Starting the data discovery.~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.153-330><thread=3804 (0xEDC)>
Connecting to site server’s (\\SCCM_Prod.Intune.com) registry~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.157-330><thread=3804 (0xEDC)>
INFO: DDR was written for group ‘INTUNE\App Deployment’ – C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg29mn6.DDR at 8/13/2018 9:53:24.~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.511-330><thread=3804 (0xEDC)>
INFO: Successfully updated the Group membership tables for group ‘INTUNE\App Deployment’

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.030-330><thread=3804 (0xEDC)>
INFO: CADSource::fullSync returning 0x00000000~

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.108-330><thread=3804 (0xEDC)>
INFO: AD Discovery under container LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM found 1 objects

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.111-330><thread=3804 (0xEDC)>
INFO: Succeed to update immediate groups of search scope App Deployment Group into DB.

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.204-330><thread=3804 (0xEDC)>
INFO: Succeed to save all immediate search bases into DB.

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.250-330><thread=3804 (0xEDC)>
INFO: ——– Finished to process search scope (App Deployment Group) ——–

lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.256-330><thread=3804 (0xEDC)>

Video Tutorial – AD Group-Based SCCM Collection

Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Video

Create Direct Membership for User Collection Using AD Security Group

I would recommend following the steps to complete the creation of the SCCM User Collection using the Active Directory user group.

Please ensure you have completed the AD User discovery before creating this user collection. I explain this discovery process in the video tutorial.

AD Group Based SCCM Collection process is given below:-

Navigate to the SCCM console –  Assets and Compliance – User Collections. Right-click and select “Create User Collection” from the Device Collections node.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr - Fig.3
Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Fig.3

On the General page, provide a Name and a Comment. Then, in the Limiting collection, choose Browse to select a limiting collection. The collection will only contain members from that collection.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr - Fig.4
Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Fig.4

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the type DIRECT membership rule for this collection. You can configure multiple rules for each collection.

Select Direct Rule in the Add Rule list on the Membership Rules page of the Create User Collection Wizard.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr – Fig.5

On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: 7-10 steps. By the end of the 11th step, you can create a static AD Group-Based SCCM Collection.

Check the drop-down options for the Resource class: Select the type of resource you want to search for and add to the collection. Select from User Group Resource values to search for inventory data returned from client computers.

Check the drop-down options for Attribute name: Select the attribute associated with the selected resource class that you want to search for. For example, if you choose computers by their NetBIOS name, select Group User Resource in the Resource class list and Unique User Group Name in the Attribute name list.

Enter the Value: Enter a value for which you want to search the selected attribute name. You can use the percent character % as a wildcard. Click the NEXT button. For example, to search for computers with a NetBIOS name beginning with “M,” enter M% in this field.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 8

Select the AD Security Group you want to add as a member of the user collection on the Select Resources page. This group will be added to the Resources list collection, and then choose Next and NEXT to complete the wizard. 

NOTE:– If AD Group Discovery is not completed, you won’t be able to see any groups on this page.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 9

Click on Close and OK to complete the AD Security Group-based collection creation.

Create SCCM Collection using AD Group - Part 3 | ConfigMgr
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 10

End Result of Static Membership Query – AD Security Group Based User Collection:-

AD Group Based SCCM Collection – Direct Membership Rule. I’ve explained this discovery process in the video tutorial.

AD Group Based SCCM Collection End Result of Static Membership Query - AD Security Group Based User Collection:-
End Result of Static Membership Query – AD Security Group Based User Collection 11

[Related posts – What is Collection, How to Create SCCM Static Collections, and How to create dynamic collections?]

Create Dynamic Membership Query for User Collection Using AD Security Group

The second part of the AD Group-Based SCCM Collection creation is explained below. This user collection is created using a dynamic collection WQL query. You may need to keep the default update schedule for this type of use collection.

I’ve explained this discovery process in the video tutorial.

Navigate to the SCCM console –  Assets and Compliance – User Collections. Right-click and select “Create User Collection” from the User Collections node.

On the General page, provide a Name and a Comment. Then, in the Limiting collection, choose Browse to select a limiting collection. The collection will only contain members from that collection.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 12

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the Query Rule membership rule type for this collection. You can configure multiple rules for each collection.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 13

On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select Query Rule.

On the Query Rule Properties windows, specify the following information. Name: Specify a unique name. By the end of the 11th step, you can create a dynamic AD Group Based SCCM Collection.

Resource class: Select the type of resource you want to search for and add to the collection. You must select User Resource to create a Dynamic User Collection in SCCM.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 14

Click Edit Query Statement to open the Query Statement Properties dialog box, where you can create a query to use as the rule for the SCCM user dynamic collection.

On Query Statement Properties, click on the Criteria tab. Click on the Criteria Properties dialog and click on the * button to start creating dynamic rules on the Criteria Properties dialog.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 15
  • Select Criteria Value as Simple Value.
  • The dialog box clicks the Select button on the Criteria Properties to open the Attribute Dialog box.
  • On the Attribute Dialog box, select the Attribute class as User Resource and Alias as = No Alias.
  • Select Attribute as Security Group. Click OK to close the Select Attribute Dialog box.
Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 16

The dialog box selects Operator “is equal to ” on the Criteria Properties. “ Is Like is not the operator which gives you the best performance.

Click on the Value button and find out the available AD security groups. Select the AD security group for your collection creation.

Create Dynamic Membership Query for User Collection Using AD Security Group
Create Dynamic Membership Query for User Collection Using AD Security Group 17

WQL Query Based on AD Security Group Collection

Let’s find the details of the WQL query based on the AD security SCCM collection.

select *  from  SMS_R_User where SMS_R_User.SecurityGroupName = "Anoop - Test Users Group"
WQL Query Based on AD Security Group Collection
WQL Query Based on AD Security Group Collection 18

Complete – AD Group-based SCCM Collection

Let’s complete the Complete – AD Group-based SCCM Collection.

Click OK, OK, and OK to close all dialog boxes on the Membership Rule page and click on NEXT. Click NEXT, NEXT, and Close to finish the Create User Collection Wizard.

Complete - AD Group based SCCM Collection
Complete – AD Group based SCCM Collection 19

End Result of SCCM User Collection Based on Query Rule

The AD Group-Based SCCM Collection with query rule dynamic member rule results are below.

select * from SMS_R_User where SMS_R_User.SecurityGroupName = “INTUNE\\App Deployment”

Create AD Group Based SCCM Collection
Create SCCM Collection using AD Group – Part 3 | ConfigMgr 20

Resources

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

9 thoughts on “Create SCCM Collection using AD Group – Part 3 | ConfigMgr”

  1. Hey, another great article thank-you! This is very interesting.

    The only reason I can think of not to use direct membership for AD groups is for uninstalls.

    We use AD groups + query rule to populate, and an uninstall collection which populates if the software is installed but is not a member of the “install” collection (exclude rule).

    So I guess my question is, is there a way you can think of to cater for automatically uninstalling applications if a user is removed from the AD group?

    Reply
  2. Hi, great article. We use AD groups to populate patching device collections via a query. As such, a server must only be in one AD group to pick up an appropriate maintenance window. Do you know of a way to check if a server is in multiple device collections (so I can weed out my finger faults!)? Thanks

    Reply
  3. Hi Anoop! I tried this method and it works well in the AD security group, it also replicates the number of members in the collection vs the number in AD Security group. But my problem is when I remove or delete a member in the AD Security group, it does not replicated in the collection. Am I doing something wrong?

    Reply
    • Ah ok … does this mean it doesn’t remove the members of collection if you change some membership changes in ad group. I don’t think there is any specific configuration you need to put in for this. I don’t remember whether I tested this scenario or not. Did you see some details in the log files ? Also did you try full sync ?

      Reply
  4. I see based on group type attribute, you are using global scope security groups…have you had success with Domain Local and Universal as well? and/or nested group membership?

    I am having real troubles figuring out why this isn’t working for Domain local at the moment.

    Reply

Leave a Comment