Collection with an AD group containing computer objects - client doesn't receive advertisement
-
Monday, October 12, 2009 12:21 PM
Hello -
I suspect I am missing something easy or what I am doing cannot be done. Historically, we have deployed apps to users and we are trying to embrace deployment to computer objects instead. We are trying to make management of this as easy as possible:
If our collection contains a direct-membership computer object, the client receives the advertisement without a problem.
To make it easier to manage, we created an AD group that contains computer objects, not users. We added this AD group as a direct member of the SCCM collection. The client never receives the advertisement.
All of the AD discovery methods are enabled and running daily. We let 3 days pass before posting here so it can't be a timing issue.
When using AD groups within SCCM, can it only use user objects or am I missing something?
Thanks in advance for the help.
All Replies
-
Monday, October 12, 2009 12:35 PM
There could be several problems here, so let's look at some of them.
After you update the AD group, how long "should it take before the client installs" based on previous experiences?
What time does the AD group discovery take place?
What time does the AD system discovery take place?
What time does the collection update?
Are all clients having the same issue or just a few?
Package program and Adv are not set to disable
What are the mandatory adv settings?
What do the status messages for the client say, does it even say it received the policy to perform the adv?
AD groups can use computers, just like OUs of computers.
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
-
Monday, October 12, 2009 12:41 PM Moderator
I've never tried to use direct membership in that case. A query based collection should work. Try something like
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "domain\\ADgroup"
instead.
- Marked As Answer by BhaskarK - MSFT (Moderator) Monday, October 12, 2009 2:54 PM
-
Monday, October 12, 2009 1:23 PM
I'll respond to both of you, thanks for your prompt responses:
Matthew -
AD can use groups for computers, sure. What I was trying to question was SCCM's terminology in that the resource type shown is "User Group" and I was wondering if it was ignoring computer objects if using an AD group and only looking for user objects inside that AD group. Odd, but maybe possible? :)
- Discovery methods are occurring daily at 12am.
- Collection has just been manually updated at this point, not scheduled.
- All of my test clients experience the same behavior, not receiving the advertisement.
- Package and advertisement are enabled.
- Advertisement is not mandatory.
- Status message for the clients is not updated, client never receives notice of new policy.
For testing, I can manually kick off the AD discovery methods, update the collection, and initiate the machine/user policy update on the client. I can always get the client to recognize a new advertisement within 10 minutes. With a collection using an AD group of users or when adding the computer object as a direct-member, I have no problem. If the collection uses an AD group of computer objects, then it doesn't work.
-
Monday, October 12, 2009 1:29 PM
Torsten,
Thank you for the query! That did work as expected, it populated the collection with individual computer names based on the computers being a member of the AD group specified in the query. Client successfully received advertisement.
This should work fine for me as a workaround, thank you very much. I have one related question that maybe you can tell me if it's a bad idea or another way we could go. In an ideal world, I really don't want to create AD groups that consist of computer objects. In our environment, it's a pain to maintain. What we tried doing with a query was to create a collection of computer objects based on "USER group membership". This kind of worked, it pulled 80% of our Human Resource computers for example. But at 80%, it's kind of flaky, so maybe this is too unreliable? Here is the query we used:
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client, SMS_R_System.LastLogonUserName from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.UserName in (select UniqueUserName from SMS_R_User where UserGroupName like '%CS-HUMAN RESOURCE%')
What are your thoughts with this direction? Please note, I hardly know queries and this was pulled together through various resources to get this close.
Thanks again.
-
Monday, October 12, 2009 2:35 PM
The problem with user to machine collections, i.e. using the userid to create a collection of computers, is that the data isn't updated at the same time and you get the 80% error as you described.
Update cycles
SMS_G_SYSTEM.UserName – Hardware Inventory
SMS_R_System.LastLogonUserName – Heartbeat Discovery
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
- Proposed As Answer by Jerry Rice Thursday, June 09, 2011 11:13 PM
- Unproposed As Answer by Jerry Rice Thursday, June 09, 2011 11:13 PM
-
Monday, October 12, 2009 3:40 PM
That explains it, thank you!
-
Friday, April 30, 2010 3:55 PM
Guys I'm having trouble with this query, all I need is to be able to bring back the contents of the AD computer group called Staking to a collection.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "UNIONDOM\\staking"
I get nothing in the new collection.
-
Saturday, May 01, 2010 9:28 AM Moderator
Bring up the properties of a client that should be a member of the collection. Does it display the AD group information?
-
Monday, May 03, 2010 12:21 PM
Bring up the properties of a client that should be member of the collection. Does it display the AD group information?
I see the correct information in System OU [2] when looking at the properties but I can't get it to pull the systems into the group.
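
One way to run the check suggested above across the whole group, as an added example that is not part of the original thread: it lists the computer accounts in the AD group and reports, for each, whether the SCCM discovery record (SMS_R_System.SystemGroupName) carries that group, which is the value the collection query matches on. The site server name and site code are placeholders, and it assumes the ActiveDirectory PowerShell module is available and the account can read the SMS Provider namespace.

```powershell
# Added example, not from the thread. $SiteServer and $SiteCode are placeholders;
# the domain and group names are the ones quoted in the thread.
param(
    [string]$SiteServer = 'SITESERVER',
    [string]$SiteCode   = 'XXX',
    [string]$Domain     = 'UNIONDOM',
    [string]$Group      = 'staking'
)

Import-Module ActiveDirectory   # needs RSAT; used only to read group membership

$namespace = "root\sms\site_$SiteCode"
$expected  = "$Domain\$Group"    # the form stored in SMS_R_System.SystemGroupName

# Computer accounts that AD says are in the group.
$members = Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'computer' }

$report = foreach ($m in $members) {
    # Discovery records for this computer name (there may be none, or duplicates).
    $records = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
        -Class SMS_R_System -Filter "Name = '$($m.Name)'")

    if ($records.Count -eq 0) {
        $status = 'No discovery record'
    } elseif ($records | Where-Object { $_.SystemGroupName -contains $expected }) {
        $status = 'Group recorded'
    } else {
        $status = 'Record exists, group missing'
    }

    New-Object PSObject -Property @{
        Computer = $m.Name
        Status   = $status
        Client   = ($records | ForEach-Object { $_.Client }) -join ','
        Groups   = ($records | ForEach-Object { $_.SystemGroupName }) -join '; '
    }
}

$report | Sort-Object Status, Computer |
    Format-Table Computer, Status, Client, Groups -AutoSize
```

Rows reported as "Record exists, group missing" point at AD System Group Discovery not having picked up the membership yet, while "Group recorded" rows that still fail to appear in the collection point at the query string or the collection update.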