Advertising SCCM programs to users in another domain


  • I used to have SCCM set up so I could advertise programs to users based on what AD security groups they belonged to.  I had a collection set up with a query that would mirror the membership of the AD security group.  Then I would advertise the program to that collection.  Then all I had to worry about was altering membership of the AD group and I would know that the program would be advertised to those users (after AD discovery ran).

    Recently the decision was made to have users log on to another domain.  There is a two-way trust set up between the domain where SCCM is and the domain where the user accounts are.  I added the users from the second domain to the AD group which is still in the first domain (with SCCM).  The advertisement is no longer working.  Is there a way to make this work?

    As an extra detail, I originally had my query set up to query users and query what groups those users belonged to.  That's how I would add them to the collection.  That no longer works.  I had to alter the query to just query the AD group name.  I no longer see the list of users in the collection.  I only see the name of the AD security group.  I thought maybe that would allow it to work but it doesn't.

    Hope this is all clear.  -Shane

    Wednesday, March 07, 2012 5:41 PM


All replies

  • I take it that the second domain is in a remote forest? I've never done this before but it seems logical to me that you'd have to discover those users from the remote domain first. Are you doing that? What domain are the computers in? I've always felt strongly against deploying software (unless it's App-V) to users with SCCM.

    John Marcum

    Wednesday, March 07, 2012 5:59 PM
  • You need to create and discover the group from the other domain and specify the remote group in your WQL for the collection; then it will work.

    Kent Agerlund | Twitter: @Agerlund | LinkedIn: Kent Agerlund

    • Marked as answer by Shane_Curtis Wednesday, March 07, 2012 7:34 PM
    Wednesday, March 07, 2012 6:48 PM
  • I've discovered the users.  The computers are in the same domain as the SCCM server (first domain).  The second domain is in a remote forest.
    Wednesday, March 07, 2012 6:49 PM
  • Hmm, that's kind of what I thought.  We just don't have control over that domain so it makes it more problematic.  Okay, thanks!

    Wednesday, March 07, 2012 7:34 PM