Create SCCM Device Collection Based On AD Security Group Membership

In this article I will show you how to create a device collection in SCCM based on an AD Security Group Membership.

A few days ago I was asked to create an SCCM device collection that pulled its members from an AD group. I thought this would be easy to set up.

I was wrong; it's not as straightforward as you would think. Below I will show you how to do it.

To create an SCCM device collection based on AD security group membership, follow these steps.

  • First step is to open “Active Directory Users and Computers”
  • Create an AD security group and give it a group name. Make sure Group scope is set to Global and Group type is set to Security
  • Now add the required users and machines to this AD group
  • Next open the Configuration Manager console and go to \Administration\Overview\Hierarchy Configuration\Discovery Methods. Make sure “Active Directory Group Discovery” is enabled, then right click on “Active Directory Group Discovery” and click “Run Full Discovery Now”
  • Now go to \Assets and Compliance\Overview\Device Collections and click on Create Device Collection
  • Give the device collection a name and select the limiting collection
  • Click Next
  • Select Add Rule and click Query Rule
  • Give the query a name, then click on Edit Query Statement
  • Click on the Criteria tab, then click Add (sun icon)
  • Click Select
  • For Attribute class select System Resource, then for Attribute select System Group Name
  • Click OK
  • Make sure Operator is set to “is equal to” and in Value manually enter %DOMAINNAME%\%GROUPNAME%. If you click on Value you can browse the AD groups, but in my experience recently created groups take a long time to show in this list, and sometimes don't show at all. Bug possibly?
  • Click OK
  • Click OK
  • Click OK
  • Click Next
  • Click Next
  • Click Close
  • Right click on the device collection we created and click Update Membership
  • Right click on the device collection we created and click Refresh
  • The device collection will now update with the machines in the AD group
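
The console steps above can also be scripted, which makes the query rule reviewable and lets you check the result against the AD group. The following PowerShell is an added example, not part of the original article; it assumes a Configuration Manager PowerShell session with the site drive as the current location, the ActiveDirectory module, that Active Directory Group Discovery has already run, and placeholder domain, group and collection names.

```powershell
# Added example. All default values below are placeholders, not values from the article.
param(
    [string]$Domain       = 'CONTOSO',              # placeholder NetBIOS domain name
    [string]$GroupName    = 'SCCM-Pilot-Devices',   # placeholder AD group name
    [string]$Collection   = 'Pilot Devices (AD group)',
    [string]$LimitingName = 'All Systems'
)

Import-Module ActiveDirectory

# Confirm the group is Global / Security, as set in the first steps of the procedure.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' is $($group.GroupScope)/$($group.GroupCategory), expected Global/Security."
}

# WQL string literals need backslashes and double quotes escaped,
# so DOMAIN\Group is written as DOMAIN\\Group inside the query text.
function ConvertTo-WqlLiteral([string]$Value) {
    $Value.Replace('\', '\\').Replace('"', '\"')
}

# System Resource / System Group Name in the wizard is SMS_R_System.SystemGroupName in WQL.
$wql = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
       'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, ' +
       'SMS_R_System.Client from SMS_R_System where SMS_R_System.SystemGroupName = "' +
       (ConvertTo-WqlLiteral "$Domain\$GroupName") + '"'

New-CMDeviceCollection -Name $Collection -LimitingCollectionName $LimitingName | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Collection `
    -RuleName "Members of $Domain\$GroupName" -QueryExpression $wql
Invoke-CMCollectionUpdate -Name $Collection

# Membership evaluation is asynchronous: re-run this comparison once the update has finished.
# Only direct computer members of the AD group are compared here.
$adNames = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'computer' | ForEach-Object Name)
$cmNames = @(Get-CMCollectionMember -CollectionName $Collection | ForEach-Object Name)

[pscustomobject]@{
    InGroupNotInCollection = @($adNames | Where-Object { $_ -notin $cmNames })
    InCollectionNotInGroup = @($cmNames | Where-Object { $_ -notin $adNames })
}
```

Anything listed under InCollectionNotInGroup is a device that would receive deployments targeted at this collection without being a direct member of the AD group, so it is worth explaining before the collection is used.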
