Query statement not updating collection memberships

Question
-
I am creating PowerShell to create CM User Collections and CM Device Collections.
The query will add members based off an AD Group. That part works OK.
I have a schedule set to run a full refresh and that runs, but the query doesn't seem to get new information from the AD groups even if new members are added.
Monday, June 1, 2015 5:42 PM
All replies
-
Even if I manually run the query, the results that get returned are the old results; if I add new members to AD, the query doesn't go find new members.
I am not sure how to troubleshoot this.
Monday, June 1, 2015 5:43 PM -
After adding the user to the AD group, did you run an Active Directory Group Discovery to get the new membership information in ConfigMgr?
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
Monday, June 1, 2015 5:46 PM -
Yeah, to Peter's point, the query will only pull from the SCCM database. If the Discovery process has not run again before the query, no new membership will be created. So in order:
1. User must be added to AD group
2. Discovery must run to pull the relationship info into the SCCM Database
3. Collection Query runs and pulls user into collection.
Monday, June 1, 2015 5:52 PM -
I haven't done it manually but I have a schedule set to run every 10 minutes on schedule.
Delta Discovery is also enabled to run every 5 minutes.
Monday, June 1, 2015 5:53 PM -
In that case, verify the properties of the user. The Security Group Name property should contain the name of the AD group. When that property is set, and the user is available in the limiting collection, your query should succeed.
Monday, June 1, 2015 5:56 PM -
In my query the Security Group Name does have the group name, and if I check the group and user in ADUC I can see the users or systems in there.
My statement for that looks like the below for that line (it is longer; just showing that line):
SMS_R_System where SMS_R_System.SecurityGroupName='domain\\groupname'
- Edited by crashrebootrepeat Monday, June 1, 2015 6:04 PM
Monday, June 1, 2015 6:02 PM -
I meant Security Group Name property of the user in ConfigMgr. That property should contain the right AD group after the Active Directory Group Discovery.
Monday, June 1, 2015 6:06 PM -
I am sorry but I am not sure where to check that, this is constantly evolving. I have a script that I am running to build these user / device collections based off of an AD Group which is constantly being created new. Members will also be changing constantly.
The initial query gets created and whatever members are there existing get synced OK.
If new members or devices get added to the groups, those updates don't happen.
Monday, June 1, 2015 6:12 PM -
You can find that information in the properties of the user (tab General).
Monday, June 1, 2015 6:15 PM -
My query looks like this:
select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName='domain\\groupname'
There is a schedule to run that every 10 minutes.
But the changes do not come down when new members get added. Same for device collections, the query is different but if a new member gets added, it doesn't update.
Monday, June 1, 2015 6:16 PM -
Again, the membership will only be adjusted if the new AD group membership is found by the Active Directory Group Discovery. To verify this, please verify the properties of the user in ConfigMgr. Another important part is that the user must exist in the limiting collection.
Monday, June 1, 2015 6:21 PM -
Right, so I need to figure out why it's not being found.
There are no users in. My collections are based off of user groups. When I look at the properties for that collection it is based on All Users and User Groups limiting Collection
Monday, June 1, 2015 6:25 PM -
Have you ensured your System Group Discovery is pointing to a location (domain or OU) that contains the Security Group in question? If so, open the discovery log in cmtrace and force a discovery to see what's happening.
- Proposed as answer by Joyce L Tuesday, June 16, 2015 8:42 AM
Tuesday, June 2, 2015 10:04 PM
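
Added example, not part of the original thread and not code from any poster: a PowerShell check of each link in the chain the replies describe (group recorded on the user by discovery, user present in the limiting collection, user present in the target collection), read from the SMS Provider over WMI. The server name, site code, user, group and collection name are assumed placeholders.

```powershell
# Added example. All values below are assumed placeholders; replace with your own.
$SiteServer = 'cm01.example.com'         # assumed SMS Provider host
$SiteCode   = 'ABC'                      # assumed site code
$User       = 'domain\newuser'           # assumed account just added to the AD group
$Group      = 'domain\groupname'         # group named in the collection query
$Collection = 'Example User Collection'  # assumed name of the scripted collection

function Get-Sms([string]$Wql) {
    Get-CimInstance -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $Wql
}
function Test-Member([string]$CollectionId, [uint32]$ResourceId) {
    [bool](Get-Sms ("select ResourceID from SMS_FullCollectionMembership " +
                    "where CollectionID='$CollectionId' and ResourceID=$ResourceId"))
}

# WQL string literals need each backslash doubled, as in the queries in the thread.
$escapedUser = $User.Replace('\', '\\')
$record = Get-Sms "select * from SMS_R_User where UniqueUserName='$escapedUser'" |
    Select-Object -First 1
if (-not $record) { throw "$User has no discovery record in the site database." }

$col = Get-Sms "select * from SMS_Collection where Name='$Collection'" |
    Select-Object -First 1
if (-not $col) { throw "Collection '$Collection' not found." }

[pscustomobject]@{
    User                  = $User
    # Written by Active Directory Group Discovery; stale until discovery runs again.
    GroupOnUserRecord     = $record.UserGroupName -contains $Group
    DiscoveredGroups      = $record.UserGroupName -join '; '
    # A query rule can only return resources already in the limiting collection.
    LimitingCollection    = $col.LimitToCollectionID
    InLimitingCollection  = Test-Member $col.LimitToCollectionID $record.ResourceID
    InTargetCollection    = Test-Member $col.CollectionID $record.ResourceID
    CollectionLastRefresh = $col.LastRefreshTime
}
```

If GroupOnUserRecord is False, the collection refresh has nothing new to evaluate and the discovery scope and log are the place to look; if it is True but InLimitingCollection is False, the limiting collection is what excludes the user.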