Create AD Group Based SCCM Collection – Part 3

By
Anoop C Nair
-
7
Create AD Group Based SCCM Collections

I have explained how to create static and dynamic collections in the previous posts. In this post, I will help you to learn how to create an AD Group Based SCCM Collection. We can create AD security group based collection using dynamic and direct member query rules.

[Related posts – What is Collection, How to Create SCCM Static Collections and How to create dynamic collections?]

How to Enable AD Security Group Discovery

You need to enable Active Directory (AD) group discovery to create AD group based SCCM collection. If you have not enabled AD group discovery in your SCCM environment, you won’t be able to create SCCM collections based on AD security groups. I’ve explained this discovery process in the video tutorial.

parallels

When you specify a group to discover, SCCM discovers the members of that AD security group and any nested AD security groups. SCCM generates a user group resource record for a specific group. This discovery happens when the selected group is an AD security group.

  1. Open SCCM Admin console and Navigate to \Administration\Overview\Hierarchy Configuration\Discovery Methods
  2. Double click or go to properties of Active Directory Group Discovery
  3. Active Directory Group Discovery properties window click on check mark near to Enable Active Directory Group discovery
  4. Click on ADD button at the bottom of the Active Directory Group Discovery properties window. Select either Groups or Location
  5. Select Groups as I don’t want to discover all the AD security Groups in my AD environment. I will test this will one or two AD groups
  6. Enter a Name for AD Security Group Discovery from Add Group window
  7. Click on Browse button to select an AD security group
  8. Select AD security Groups which you want to discover from Select Groups windows
  9. Click OK and OK to close the Window

AD Group Based SCCM Collection

Troubleshooting related to AD security group discovery can be started from the log file called adsgdis.log. Following is some of the extracts of important lines of the AD security group discovery log file.

!!!!Valid Search Scope Name: App Deployment Group Search Path: LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM IsValidPath: TRUE
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.151-330><thread=3804 (0xEDC)>
 Starting the data discovery.~ 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.153-330><thread=3804 (0xEDC)>
 Connecting to site server’s (\\SCCM_Prod.Intune.com) registry~ 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.157-330><thread=3804 (0xEDC)>
 INFO: DDR was written for group ‘INTUNE\App Deployment’ – C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg29mn6.DDR at 8/13/2018 9:53:24.~ 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:25.511-330><thread=3804 (0xEDC)>
 INFO: Successfully updated the Group membership tables for group ‘INTUNE\App Deployment’ 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.030-330><thread=3804 (0xEDC)>
 INFO: CADSource::fullSync returning 0x00000000~ 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.108-330><thread=3804 (0xEDC)>
 INFO: AD Discovery under container LDAP://CN=APP DEPLOYMENT,CN=USERS,DC=INTUNE,DC=COM found 1 objects 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.111-330><thread=3804 (0xEDC)>
 INFO: Succeed to update immediate groups of search scope App Deployment Group into DB. 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.204-330><thread=3804 (0xEDC)>
 INFO: Succeed to save all immediate search bases into DB. 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.250-330><thread=3804 (0xEDC)>
 INFO: ——– Finished to process search scope (App Deployment Group) ——– 
lt;SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT><08-13-2018 09:53:26.256-330><thread=3804 (0xEDC)>
Video Tutorial – AD Group Based SCCM Collection
Create Direct Membership for User Collection Using AD Security Group
I would recommend following steps to complete the creation of SCCM User Collection using Active Directory user group. Make sure you have completed the AD User discovery before starting this user collection creation. I’ve explained this discovery process in the video tutorial.
AD Group Based SCCM Collection process is given below:-
  1. Navigate to SCCM console –  Assets and Compliance – User Collections
  2. Right-click and select “Create User Collection” from Device Collections node
  3. On the General page provide a Name and a Comment. Then, in Limiting collection, choose to Browse to select a limiting collection. The collection will only contain members from the limiting collection.
  4. On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the type DIRECT membership rule for this collection. You can configure multiple rules for each collection.
  5. On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select Direct Rule.
  6. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: 7-10 steps. By the end of 11th step, you would be able to create a static AD Group Based SCCM Collection.AD Group Based SCCM Collection
  7. Check the drop-down options for Resource class: Select the type of resource you want to search for and add to the collection. Select from User Group Resource values to search for inventory data returned from client computers.
  8. Check the drop-down options for Attribute name: Select the attribute associated with the selected resource class that you want to search for. For example, if you want to select computers by their NetBIOS name, select User Group Resource in the Resource class list and Unique User Group Name in the Attribute name list.
  9. Enter the Value: Enter a value for which you want to search the selected attribute name. You can use the percent character % as a wildcard. Click the NEXT button. For example, to search for computers that have a NetBIOS name beginning with “M”, enter M% in this field.
  10. On the Select Resources page, select the AD Security Group you want to add as a member of user collection. This group will get added to the collection in the Resources list, and then choose Next and NEXT to complete the wizard. NOTE:– If AD Group Discovery is not completed, you won’t be able to see any groups in this page.
  11. Click on Close and OK to complete the creation of the AD Security Group based collection.
End Result of Static Membership Query – AD Security Group Based User Collection:-
AD Group Based SCCM Collection – Direct Membership Rule. I’ve explained this discovery process in the video tutorial.
AD Group Based SCCM Collection
[Related posts – What is Collection, How to Create SCCM Static Collections and How to create dynamic collections?]
Create Dynamic Membership Query for User Collection Using AD Security Group
The second part of the AD Group Based SCCM Collection creation is explained in the below section. This user collection is created using a dynamic collection WQL query. You may need to keep the default update schedule for this type of use collections.
I’ve explained this discovery process in the video tutorial.
  1. Navigate to SCCM console –  Assets and Compliance – User Collections
  2. Right-click and select “Create User Collection” from User Collections node
  3. On the General page provide a Name and a Comment. Then, in Limiting collection, choose to Browse to select a limiting collection. The collection will only contain members from the limiting collection.
  4. On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select the type Query Rule membership rule for this collection. You can configure multiple rules for each collection.
  5. On the Membership Rules page of the Create User Collection Wizard, in the Add Rule list, select Query Rule.
  6. On the Query Rule Properties windows, specify the following information: 7-16 steps.
  7. Name: Specify a unique name. By the end of the 11th step, you would be able to create a dynamic AD Group Based SCCM Collection.
  8. Resource class: Select the type of resource you want to search for and add to the collection. You have to select User Resource to create Dynamic User Collection in SCCM.
  9. Click Edit Query Statement to Opens the Query Statement Properties dialog box where you can create a query to use as the rule for the SCCM user dynamic collection.AD Group Based SCCM Collection
  10. On Query Statement Properties click on Criteria tab.
  11. On Criteria Properties dialog box Criteria value as Simple Value.
  12. On Criteria Properties dialog box click on the Select button to open Attribute Dialog box.
  13.  On Attribute Dialog box Select Attribute class as User Resource, Alias as = No Alias, and Attribute as Security Group. Click OK to close Select Attribute Dialog box.
  14. On Criteria Properties dialog box select Operator “is equal to“. Is Like is not the operator which gives you the best performance.
  15. Click on Value button and find out the available AD security groups. Select the AD security group for your collection creation.
  16. Click OK OK OK to close all dialog boxes.
  17. On Membership Rule page click on NEXT.
  18. Click NEXT NEXT and Close to finish the Create User Collection Wizard.
End Result of SCCM User Collection Based on Query Rule
The AD Group Based SCCM Collection with query rule dynamic member rule results are given below.
select * from SMS_R_User where SMS_R_User.SecurityGroupName = “INTUNE\\App Deployment”
Create AD Group Based SCCM Collection
[Related posts – What is Collection, How to Create SCCM Static Collections and How to create dynamic collections?]
Resources:-
RELATED ARTICLESMORE FROM AUTHOR
7 COMMENTS
  1. Hey, another great article thank-you! This is very interesting.
    The only reason I can think of not to use direct membership for AD groups is for uninstalls.
    We use AD groups + query rule to populate, and an uninstall collection which populates if the software is installed but is not a member of the “install” collection (exclude rule).
    So I guess my question is, is there a way you can think of to cater for automatically uninstalling applications if a user is removed from the AD group?
  4. Hi, great article. We use AD groups to populate patching device collections via a query. As such, a server must only be in one AD group to pick up an appropriate maintenance window. Do you know of a way to check if a server is in multiple device collections (so I can weed out my finger faults!)? Thanks
  5. Hi Anoop! I tried this method and it works well in the AD security group, it also replicates the number of members in the collection vs the number in AD Security group. But my problem is when I remove or delete a member in the AD Security group, it does not replicated in the collection. Am I doing something wrong?
    • Ah ok … does this mean it doesn’t remove the members of collection if you change some membership changes in ad group. I don’t think there is any specific configuration you need to put in for this. I don’t remember whether I tested this scenario or not. Did you see some details in the log files ? Also did you try full sync ?
LEAVE A REPLY 
Please enter your comment!
 
Please enter your name here
 
 
 
  
This site uses Akismet to reduce spam. Learn how your comment data is processed.