Linking security groups to SCCM deployments will give your environment flexibility with application installations. This guide covers creating groups and collections and describes a sample deployment. I also added a PowerShell script that helps create AD group-based SCCM collections.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at

SCCM is a beast. It is a software deploying, application packing, OS installing, and cappuccino making machine (currently in testing, expected in System Center 2015). This complexity can make it difficult to use, especially when you just want to deploy an application.

By linking applications to security groups, you can move software deployment tasks to Active Directory. This will save time as you do not have to jump between MMCs as often, and you can easily delegate app management. To save time, we are going to assume that you have already imported an MSI into SCCM. If you haven’t yet created an application in SCCM, start with this article and then come back.

Getting SCCM to see Active Directory ^

Configuration Manager relies on a variety of discovery methods to detect security groups and their members. Launch the Configuration Manager console and navigate to Administration/Hierarchy Configuration/Discovery Methods.

Be sure that Active Directory Group Discovery and Active Directory System Discovery are enabled. Open the properties for each discovery method and ensure that “Enable delta discovery” is checked. Delta discovery ensures that new or modified AD resources are reflected in SCCM between full discovery cycles instead of waiting for the next full run.

Enabling delta discovery for Active Directory groups

With both of these settings configured, SCCM will be able to see our Active Directory resources. The next step is to create a group and a collection.

Linking a security group to a collection ^

In Active Directory Users and Computers, create a new security group. For easy reference, I like to prefix any application deployment group with APP_. Copy this group name, as you will be pasting it quite a bit in the upcoming steps.

Head back to the Configuration Manager console and navigate to Assets and Compliance/Device Collections. Create a new device collection. For standardization, name your new collection the same as your security group. Specify a limiting collection. In the screenshot below, my APP_Adobe Flash Player collection is limited to All Desktop and Server Clients:

Create Device Collection Wizard

On the Membership Rules page, select Add Rule – Query Rule. Name your rule by pasting your saved group name. Because you likely won’t have multiple query rules, you don’t need to get very specific with the name.

Under Edit Query Statement, select Criteria and Add (star button), and then press Select. Specify System Resource as the attribute class and System Group Name as the attribute.

Selecting our query attributes

We can now specify the security group that will define our query. For value, specify your group name as: DOMAIN\GROUP Name. Below is an example:

Certainly a few more steps than scoping in Group Policy!

Click OK until you are back at the Device Collection Wizard. If you want this collection to update quickly, enable incremental updates. If you do not wish to enable incremental updates, adjust the full update schedule to fit your environment.

Now that you are finished with the wizard, we have just one final step. We need to link our collection to our application. Right-click your collection and select Deploy – Application. Specify your application deployment settings in the wizard.

Deploying a preexisting application to our AD linked collection

Creating an AD group-based collection with PowerShell ^

The steps above can be quite repetitive if you need to create many AD-based collections. By using PowerShell, we can automate these tasks. The script below has served our organization well; I hope it helps you.

A portion of this script relies on the Quest AD cmdlets. This script is designed to be run from the Configuration Manager Server. Before running it for the first time, select Connect via Windows PowerShell in the Configuration Manager console.

This menu can be found in the top left of the console

The script will prompt you for any information needed. It does have a few hardcoded values in it. To replace these, search for Test.local and specify your domain name. If you have any questions about using Active Directory with SCCM (or about using this script below), just leave a comment!
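The author's script is not reproduced on this page. As an added example (not the article's script), the following PowerShell creates the APP_ security group and the matching device collection with the SystemGroupName query rule, using the ConfigMgr cmdlets that "Connect via Windows PowerShell" loads and the Microsoft ActiveDirectory module in place of the Quest cmdlets the article mentions. The NetBIOS domain name TEST, the OU path, the limiting collection name and the optional "All Servers" exclusion collection are assumptions you will need to adjust.

```powershell
# Added example, not the article's own script. Run on the site server after
# opening "Connect via Windows PowerShell" once from the console.
param(
    [Parameter(Mandatory = $true)][string]$AppName,                 # e.g. 'Adobe Flash Player'
    [string]$NetBiosDomain      = 'TEST',                           # assumption: NetBIOS name of Test.local
    [string]$GroupOU            = 'OU=AppGroups,DC=Test,DC=local',  # assumption: OU that holds APP_ groups
    [string]$LimitingCollection = 'All Desktop and Server Clients',
    [switch]$ExcludeServers                                         # assumes an 'All Servers' collection exists
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
# Load the ConfigMgr module from the console install path and move to the site drive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
$siteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
Set-Location "$($siteCode):\"

$groupName = "APP_$AppName"   # same name for the group and the collection, as in the article

# 1. Create the global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $GroupOU)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description "SCCM deployment group for $AppName"
}

# 2. WQL query rule keyed on SystemGroupName. The backslash in DOMAIN\GROUP must be
#    doubled inside the WQL string literal; PowerShell leaves '\\' untouched.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$NetBiosDomain\\$groupName"
"@

# 3. Device collection limited as in the article, with incremental (continuous) updates.
if (-not (Get-CMDeviceCollection -Name $groupName)) {
    New-CMDeviceCollection -Name $groupName -LimitingCollectionName $LimitingCollection `
        -RefreshType Continuous | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $groupName `
        -RuleName $groupName -QueryExpression $wql
}

# 4. Optional: keep servers out via an exclude rule pointing at a separate collection.
if ($ExcludeServers) {
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $groupName `
        -ExcludeCollectionName 'All Servers'
}

# Show what was created so the IDs can be reused for the application deployment.
Get-CMDeviceCollection -Name $groupName | Select-Object Name, CollectionID, LimitToCollectionName
```

Once the collection exists, membership of the APP_ group is effectively the install authorization for a device, so restrict who can modify these groups as carefully as who can create deployments.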


  1. David 3 years ago

    Shouldn't it be "Security Group Name" and not "System Group Name"?


  2. Author
    Joseph Moody 3 years ago

    Hi David - System Group Name will return computers that are a member of a group in SCCM.


  3. smoluh 2 years ago

    What kind of security group should it be: 'local', 'global', or 'universal'?
    Also, if my domain is should I use "lab\"?

    Thanks in advance


  4. Author
    Joseph Moody 2 years ago

    Global is fine and you can use your full domain name.


  5. timmeh 2 years ago

    If I were to add another group as a member of the app deployment group, and that new group was from a child forest within AD, would members of that group receive advertisements for the deployment?


  6. Author
    Joseph Moody 2 years ago

    I would imagine so but I don't have an environment to test this. After you add the group, run a full AD discovery in SCCM and then update the collection membership. If you don't mind, post back a confirmation for your question.


  7. scott s 2 years ago

    Thanks, this is very helpful. I just have one site, so do I need to specify a DP for each device collection? It seemingly did not deploy anything till I did that.


  8. scott s 2 years ago

    One more quick question: for software that gets deployed per user (like OneDrive), I have set up a user collection. How do I limit the installation to only workstations and not servers when I log in?



  9. Author
    Joseph Moody 2 years ago

    Hey Scott - change the LimitToCollectionID = "SMS00002" to the ID that you want to limit your collection to.


  10. Marion 2 years ago

    We add a machine to the AD group, then it syncs and adds that machine to the SCCM collection.
    But when we remove machines from the AD group, it doesn't sync and the machines still appear in the SCCM collection. We want the machines removed from the SCCM collection once we remove them from the AD group. Please advise on this.


  11. Author
    Joseph Moody 2 years ago

    This tool is not really designed to do that. You can emulate this by adding in a remove statement at the beginning of the script that empties the collection and adds back any existing computers in the group to the collection.


  12. Marion 2 years ago

    Hey Joseph,

    Oh OK. Is it possible for you to provide me some SQL query to clear some machines from a collection after they are removed from an AD group?


  13. Author
    Joseph Moody 2 years ago

    You can use this:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\GROUPNAME"

    Note the two backslashes in the DOMAIN\\GROUPNAME section. Set the collection to use incremental updates.


  14. Chris 2 years ago

    For some reason I follow exactly what you are saying and nothing populates in the SCCM collection. Almost like it's not seeing the security in AD. Is there something I can look at?


  15. Author
    Joseph Moody 2 years ago

    Make sure that the security group is seen by SCCM. Go into the SCCM console\Users and search for your group. If it is not there, check your discovery methods.


  16. Chris Gibson 2 years ago

    It was my discovery methods, thank you so much!


  17. dhaval 2 years ago

    I have linked ad group with collection by query.

    How can I monitor the members of collections after adding users into the AD group?


  18. Author
    Joseph Moody 2 years ago

    Are you wanting a PowerShell way to do this?


  19. dhaval 2 years ago

    I was not able to see any machine names under the device collection after adding users into the AD security group.

    But it is resolved now after adding the AD group location into the AD group discovery property.


  20. User 1 year ago


    How can I exclude Windows servers from my collection using the above PowerShell script? Could anyone provide me the class for excluding computers?




  21. Author
    Joseph Moody 1 year ago

    In SCCM, create a new collection named All Servers. Paste in this query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Name like "%Server%"


    Then in your first collection, add a new exclude collection membership rule that points to your All Servers collection.


  22. Kel 2 months ago

    What's the limit to how many collections can be querying AD?


    • Author
      Joseph Moody 1 month ago

      I don't know of a hard limit. I've seen organizations with around several hundred incremental groups. Keep a performance baseline of your DCs and SCCM infrastructure and check to make sure nothing is suffering resource strain.



© 4sysops 2006 - 2017