Tag Archives: collection

ConfigMgr–User collection and direct membership for Security Group

Roger Zander wrote a brilliant article on Collections in Configuration Manager and some knowledge that aids in designing collection structure to reduce the workload of the ConfigMgr hierarchy.

One thing that I remember evaluating a few years back was to leverage direct memberships to a Active Directory Security Groups to reduce the total evaluation time for collections. After a brief discussion I noted that there wasn’t any guide on howto create this manually (found a scripted method on SCUG.BE) for User Collections.


As a prerequisite the AD Security Group has to be discovered resource. You can review the collection members of “All Users and User Groups” and see what groups are discovered – if what you are looking for isn’t there most likely you are required to tweak the AD Discovery methods you are using.

Create the collection

Once the resource is located you can choose to create a new collection and set the limiting collection to “All Users and User Groups”.


All updates (full and incremental) can be removed to avoid any type of load. Choose to add a Direct Rule.


Change the default search for Resource class and Attribute name to User Group Resource and User Group Name. Enter the value you want and search all the resources you want to select.


Once the collection is created only a single resource is a member:


Ups and downs

The alternative that is mostly used when searching the web is to create a query rule that requires that collection to be updated (either a full schedule, incremental or an external trigger). Whats the difference between these methods?

Query rule

A query requires that AD Discovery has updated the group memberships in the database (full or incremental – both will suffice) and once that is completed the collection has to be updated. Quite common (based on all the blog-articles) is to set an Incremental update for all collections that require a fast update. The limit for this is (according to ConfigMgr 2012 documentation) roughly 200 collections depending and inaddition the queue will increase with updates.

Before the collection reflects the AD Security Group change there has passed a few minutes and once all the bells and whistles are done – the deployment is available for the user.

Direct Rule

A direct rule will not require that the collection is updated at all, however if the AD Security Group is recreated it is required to update the collection with a new direct rule (as the resource will have a new ID).

The user will not receive any deployments until their kerberos ticket has the AD Security Group membership update reflected. Most commonly this only happens during a lock / unlock or logoff / logon.

SCCM 2012, Software Center and applications made available to users

As noted quite early in the marketing for SCCM 2012 there was a change on how users were presented with available applications. The fundamental change is that any software made available (as opposed to required) were only presented in the new Application Catalog. Microsoft posted a blog-article detailing the different scenarios that could happen, which presents a good overview table on what is seen where when deployed to different resources.

As opposed to start communicating users to either use Application Catalog or Software Center depending on how we have decided to target the users or the computers within SCCM, a better way would be to leverage the traditional method of targeting computers. If targeting computers any software made available will be presented in Software Center, however SCCM 2012 has also been released with the mindset to start handling users – and not computers.

What to do?

Use SCCM to target software to the user’s devices. This would avoid the following topics in the forums; user-based available application not showing up in Software Center by design?!

Previously a few blog-articles have discussed this method for targeting Software Updates and a few rare occasions have shown up with no specific purpose.

To boil it down we will be leveraging the fact that SCCM can track users primary devices and thereby maintaining a relationship between devices and users. This method will allow us to query the database for the following information;

All the devices for users belonging to AD-group X.

Create a collection with the below query and this will allow you to provision software to users, but target their computers.

select SMS_R_SYSTEM.ResourceID,
from SMS_R_System
JOIN SMS_UserMachineRelationship ON
SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1
AND   SMS_R_User.UserGroupName="DOMAIN\\AD-GROUP"