locked
What is required to limit a collection by AD group membership? RRS feed

  • Question

  • I've seen several posts which suggest using a query like:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "Domain\\ADSecurityGroup1"

    However, I get no results at all, even if I set the domain and group to "%\\%" or "%". If I run wbemtest and select * from SMS_R_SYSTEM, I get all systems. When I drill into SystemGroupName or SecurityGroupName, they show as CIM_STRING arrays, Not NULL is checked, but with no values listed.

    So I'm guessing that the group information has to make it into SCCM for the query to work and it is not. What is required to get the group membership for computers into SCCM?


    Thursday, October 8, 2015 5:59 PM

Answers

  • The mistake I was making was the scope in the AD group discovery. I didn't put anything in there; I assumed it would just grab all groups in the directory. The fact that you have to specify groups is something I didn't understand until now.
    Thursday, October 8, 2015 6:40 PM

All replies

  • CM console, Administration, Hierarchy Configuration, Discovery Methods.

    Active Directory Group discovery, Add a rule pointing to a Group you want to discover the members of. 

    You may want to review the options on the "Options" tab there, to see if you want to customize anything there. Also the "Polling Schedule".  Every environment is different on what the "right" answer is for Full Discovery.  You might need to adjust those schedules depending upon your needs and observed results.


    Standardize. Simplify. Automate.

    Thursday, October 8, 2015 6:18 PM
  • The mistake I was making was the scope in the AD group discovery. I didn't put anything in there; I assumed it would just grab all groups in the directory. The fact that you have to specify groups is something I didn't understand until now.
    Thursday, October 8, 2015 6:40 PM