How To Create SCCM Collection Based on AD Security Group

Jason Barrett | Device Collection

In this article I will show you how to create a device collection in SCCM based on an AD Security Group Membership.

A few days ago I was asked to create an SCCM device collection that pulled its members from an AD group. I thought this would be easy to set up.

I was wrong; it's not as straightforward as you would think. I believe there is currently a bug in SCCM, for which I have found a workaround. Below I will show you how to do it.

How To Create SCCM Collection Based on AD Security Group

To create an SCCM device collection based on an AD Security group membership follow these steps.

  1. First, open “Active Directory Users and Computers”.
  2. Create an AD security group: give it a group name, make sure Group scope is set to Global and Group type is set to Security.
    [Screenshot: active-directory-users-and-computers]
  3. Now add the required machines to this AD group.
    [Screenshot: ad-group-membership]
  4. Next, open the Configuration Manager console.
  5. Go to \Administration\Overview\Hierarchy Configuration\Discovery Methods.
  6. Make sure “Active Directory Group Discovery” is enabled, then right-click “Active Directory Group Discovery” and click “Run Full Discovery Now”.
    [Screenshot: sccm-AD-group-discovery]
  7. Now go to \Assets and Compliance\Overview\Device Collections.
  8. Click Create Device Collection.
  9. Give the device collection a name and select the limiting collection.
    [Screenshot: create-device-collection-1]
  10. Click Next.
  11. Select Add Rule and click Query Rule.
    [Screenshot: query-rule]
  12. Give the query a name, then click Edit Query Statement.
    [Screenshot: query-rule-name]
  13. Click the Criteria tab, then click Add (the sun icon).
    [Screenshot: query-statement-properties]
  14. Click Select.
  15. Attribute class = System Resource.
  16. Attribute = System Group Name.
    [Screenshot: select-query-attribute]
  17. Click OK.
  18. Make sure Operator is set to “is equal to”, and in Value manually enter %DOMAINNAME%\%GROUPNAME%. If you click Value you can browse the AD groups, but in my experience recently created groups take a long time to show in this list, and sometimes don't show at all. Bug possibly?
    [Screenshot: sccm-ad-group-name]
  19. Click OK.
  20. Click OK.
  21. Click OK.
  22. Click Next.
  23. Click Next.
  24. Click Close.
  25. Right-click the device collection we created and click Update Membership.
  26. Right-click the device collection we created and click Refresh.
  27. The device collection will now update with the machines in the AD group.
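The same procedure can be scripted with the ConfigurationManager PowerShell module that ships with the console, which also makes the exact query text visible (the console hides it behind the Value box). The script below is an added example, not code from the original post; the site code, site server name, AD group, collection name and limiting collection are placeholders I made up for illustration.

```powershell
# Added example (not from the original post): builds the collection described in the
# steps above with the ConfigurationManager module, so the WQL query (including the
# backslash escaping the console writes for you) is visible and repeatable.
# Assumptions (placeholders, not from the post): site code 'P01', site server
# 'cm01.contoso.local', AD group 'CONTOSO\SCCM-Pilot-Devices', collection
# 'AD Group - SCCM Pilot Devices', limiting collection 'All Systems'.

$SiteCode   = 'P01'
$SiteServer = 'cm01.contoso.local'
$Domain     = 'CONTOSO'
$GroupName  = 'SCCM-Pilot-Devices'
$CollName   = 'AD Group - SCCM Pilot Devices'
$Limiting   = 'All Systems'

# Load the console's module and switch to the site drive (a PSDrive named after the site code).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Step 6: AD Group Discovery must be enabled and must have run, otherwise the
# SystemGroupName attribute is empty and the query matches nothing.
Invoke-CMGroupDiscovery -SiteCode $SiteCode

# Step 18: the value the console expects is DOMAIN\GROUP. Inside a WQL string literal
# a backslash is an escape character, so it has to be written as \\ in the query text.
$wqlGroup = "$Domain\\$GroupName"
$Query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORName, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$wqlGroup"
"@

# Steps 8-24: create the collection (if it does not exist yet) and attach the query rule.
if (-not (Get-CMDeviceCollection -Name $CollName)) {
    New-CMDeviceCollection -Name $CollName -LimitingCollectionName $Limiting -RefreshType Periodic | Out-Null
}
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
    -RuleName "Members of $Domain\$GroupName" -QueryExpression $Query

# Steps 25-27: force a membership update, wait for the asynchronous evaluation,
# then list what actually landed in the collection.
Invoke-CMCollectionUpdate -Name $CollName
Start-Sleep -Seconds 30
Get-CMDevice -CollectionName $CollName | Select-Object Name, ResourceID
```

Two things worth checking when the collection stays empty: that the group (or its OU) is inside the scope configured for Active Directory Group Discovery, and that the query text contains `DOMAIN\\GROUP` with the doubled backslash, since a single backslash is silently treated as an escape by WQL. Also keep in mind that with this design anyone who can edit the AD group's membership decides which machines receive whatever is deployed to the collection, so the group should be protected and audited like any other deployment-targeting object.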
