Linking security groups to SCCM deployments will give your environment flexibility with application installations. This guide covers creating groups and collections and describes a sample deployment. I also added a PowerShell script that helps create AD group-based SCCM collections.

SCCM is a beast. It is a software deploying, application packing, OS installing, and cappuccino making machine (currently in testing, expected in System Center 2015). This complexity can make it difficult to use, especially when you just want to deploy an application.

By linking applications to security groups, you can move software deployment tasks to Active Directory. This will save time as you do not have to jump between MMCs as often, and you can easily delegate app management. To save time, we are going to assume that you have already imported an MSI into SCCM. If you haven’t yet created an application in SCCM, start with this article and then come back.

Getting SCCM to see Active Directory

Configuration Manager relies on a variety of discovery methods to detect security groups and their members. Launch the Configuration Manager console and navigate to Administration/Hierarchy Configuration/Discovery Methods.

Be sure that Active Directory Group Discovery and Active Directory System Discovery are enabled. Open the properties for each discovery method and ensure that “Enable delta discovery” is checked. Delta discovery ensures that new and updated resources are reflected in SCCM between full discovery runs, rather than only on the full discovery schedule.

Enabling delta discovery for Active Directory groups

With both of these settings configured, SCCM will be able to see our Active Directory resources. The next step is to create a group and a collection.

Linking a security group to a collection

In Active Directory Users and Computers, create a new security group. For easy reference, I like to prefix any application deployment group with APP_ . Copy this group name, as you will be pasting it quite a bit in the upcoming steps.

Head back to the Configuration Manager console and navigate to Assets and Compliance/Device Collections. Create a new device collection. For standardization, name your new collection the same as your security group. Specify a limiting collection. In the screenshot below, my APP_Adobe Flash Player collection is limited to All Desktop and Server Clients:

Create Device Collection Wizard

On the Membership Rules page, select Add Rule – Query Rule. Name your rule by pasting your saved group name. Because you likely won’t have multiple query rules, you don’t need to get very specific with the name.

Under Edit Query Statement, select Criteria and Add (star button), and then press Select. Specify System Resource as the attribute class and System Group Name as the attribute.

Selecting our query attributes

We can now specify the security group that will define our query. For value, specify your group name as: DOMAIN\GROUP Name. Below is an example:

Certainly a few more steps than scoping in Group Policy!

Click OK until you are back at the Device Collection Wizard. If you want this collection to update quickly, enable incremental updates. If you do not wish to enable incremental updates, adjust the full update schedule to fit your environment.

Now that you are finished with the wizard, we have just one final step. We need to link our collection to our application. Right-click your collection and select Deploy – Application. Specify your application deployment settings in the wizard.

Deploying a preexisting application to our AD linked collection

Creating an AD group-based collection with PowerShell

The steps above can be quite repetitive if you need to create many AD-based collections. By using PowerShell, we can automate these tasks. The script below has served our organization well; I hope it helps you.

A portion of this script relies on the Quest AD cmdlets. This script is designed to be run from the Configuration Manager Server. Before running it for the first time, select Connect via Windows PowerShell in the Configuration Manager console.

This menu can be found in the top left of the console

The script will prompt you for any information needed. It does have a few hardcoded values in it. To replace these, search for Test.local and specify your domain name, and set $Sitename and $GroupOU to match your site code and the OU that holds your application groups. If you have any questions about using Active Directory with SCCM (or about using this script below), just leave a comment!

Add-PSSnapin Quest.ActiveRoles.ADManagement

#Set Collection Type (SMS_Collection.CollectionType: 1 = user collection, 2 = device collection)
$CollectionType = Read-Host "Is this a computer or user collection?"

if ($CollectionType -eq "Computer")
{$CollectionType = "2"}

if ($CollectionType -eq "User")
{$CollectionType = "1"}

#Build Collection Name and Description
$CollectionName = Read-Host "What is the name of the Application group? EX: APP_Adobe Flash Player"
$Description = $CollectionName

#Configuration Block for SCCM 
$Sitename = "GC1"
$Domain = "Test.local"   # must match the DOMAIN part of the DOMAIN\GROUP Name value shown in the console query
$GroupOU = "OU=Software Distribution,DC=Test,DC=LOCAL"

$Namespace = "Root\SMS\Site_" + $Sitename

#Create Collection Block
Function Create-Collection($CollectionName)
{
    #Limit user collections to All Users and device collections to All Systems
    if ($CollectionType -eq "1") { $LimitingCollection = "SMS00002" } # All Users
    else                         { $LimitingCollection = "SMS00001" } # All Systems

    $CollectionArgs = @{
        Name = $CollectionName;
        CollectionType = $CollectionType;
        LimitToCollectionID = $LimitingCollection
    }
    Set-WmiInstance -Class SMS_Collection -Arguments $CollectionArgs -Namespace $Namespace | Out-Null
}

#Update Query Block
Function Update-Query($CollectionName) {

#User collections match on UserGroupName; device collections on SystemGroupName (the attribute used in the console steps above)
if ($CollectionType -eq "1") {
    $QueryExpression = 'select * from SMS_R_User where SMS_R_User.UserGroupName = "' + $Domain + '\\' + $CollectionName + '"'
} else {
    $QueryExpression = 'select * from SMS_R_System where SMS_R_System.SystemGroupName = "' + $Domain + '\\' + $CollectionName + '"'
}
$Collection = Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter "Name='$CollectionName' and CollectionType = '$CollectionType'"

#Validate Query syntax; ValidateQuery reports $true in ReturnValue when the WQL is well formed
$ValidateQuery = Invoke-WmiMethod -Namespace $Namespace -Class SMS_CollectionRuleQuery -Name ValidateQuery -ArgumentList $QueryExpression

If($ValidateQuery.ReturnValue){
    $Collection.Get()   # CollectionRules is a lazy property; Get() populates it before we append

    #Create new rule
    $NewRule = ([WMIClass]"\\Localhost\$Namespace`:SMS_CollectionRuleQuery").CreateInstance()
    $NewRule.QueryExpression = $QueryExpression
    $NewRule.RuleName = $CollectionName

    #Commit changes and initiate the collection evaluator
    $Collection.CollectionRules += $NewRule.psobject.baseobject
    $Collection.RefreshType = 6 # 6 = scheduled full updates plus incremental updates
    $Collection.Put()
    $Collection.RequestRefresh()
    }
else { Write-Warning "Query for '$CollectionName' failed validation; no membership rule was added." }
}

#The WorkHorse 

Create-Collection $CollectionName
Update-Query $CollectionName
New-QADGroup -Name $CollectionName -ParentContainer $GroupOU -groupScope Global -Description $Description
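Once software installation is tied to group membership, a collection whose query points at a group that has since been deleted or renamed, or a collection that never picks up group changes, is a deployment nobody is really managing. The script below is an added example, not part of the article or its script: it reads every collection's query rules over WMI the same way the script above does, extracts the DOMAIN\Group reference, and checks that the group still exists in Active Directory and that the collection uses incremental updates. It assumes it runs on the site server with the ActiveDirectory RSAT module available; $Sitename is a placeholder for your site code.

```powershell
# Added example (not from the article): audit AD-linked collections for dangling group references
# and for collections that will lag behind group changes because incremental updates are off.
Import-Module ActiveDirectory

$Sitename  = "GC1"                               # placeholder, replace with your site code
$Namespace = "Root\SMS\Site_" + $Sitename

# Query rules created by the console or the script above contain WQL such as
#   SMS_R_System.SystemGroupName = "DOMAIN\\APP_Adobe Flash Player"
#   SMS_R_User.UserGroupName     = "DOMAIN\\APP_Adobe Flash Player"
$GroupPattern = '(?:SystemGroupName|UserGroupName)\s*=\s*"(?<domain>[^\\"]+)\\\\(?<group>[^"]+)"'

Function Get-ADLinkedCollectionReport
{
    $Collections = Get-WmiObject -Namespace $Namespace -Class SMS_Collection
    foreach ($Collection in $Collections)
    {
        $Collection.Get()    # CollectionRules is a lazy property; Get() populates it

        foreach ($Rule in $Collection.CollectionRules)
        {
            # Only query rules carry WQL; direct and include/exclude rules are skipped
            if ($Rule.__CLASS -ne "SMS_CollectionRuleQuery") { continue }
            if ($Rule.QueryExpression -match $GroupPattern)
            {
                $GroupName = $Matches["group"]
                try   { $Group = Get-ADGroup -Identity $GroupName -ErrorAction Stop }
                catch { $Group = $null }

                [PSCustomObject]@{
                    Collection  = $Collection.Name
                    Rule        = $Rule.RuleName
                    Domain      = $Matches["domain"]
                    Group       = $GroupName
                    GroupExists = [bool]$Group
                    # RefreshType 4 = incremental, 6 = incremental plus scheduled full updates
                    Incremental = ($Collection.RefreshType -eq 4 -or $Collection.RefreshType -eq 6)
                }
            }
        }
    }
}

# Collections targeting a group that no longer resolves, or that only refresh on the full schedule
Get-ADLinkedCollectionReport | Where-Object { -not $_.GroupExists -or -not $_.Incremental } | Format-Table -AutoSize
```

Run it periodically or after AD clean-ups. A row with GroupExists = False is a deployment that can no longer be reached through AD and should either get its group recreated deliberately or have the deployment retired; a row with Incremental = False will only follow group membership on the full update schedule, which is the behaviour the wizard step above warns about.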
30 Comments
  1. Rob 3 years ago

    Can you describe the variables involved in the time it takes for a system to be added to an AD Security Group setup in this way to actually receive an application on the client?  Here's my understanding, but would appreciate confirmation.

    1. Computer object is added to AD Security Group
    2. SCCM AD Group Discovery "Delta Discovery" runs (Default, 5 min)
    3. Collection gets updated:
      1. Can be set to Incremental defined as "periodically" (what's the actual interval?)
      2. Can be set to Scheduled (default is 7 days, but easily customizable)
    4. Client must run Application Deployment Evaluation Cycle (Default, 7 days)

    If I'm correct here, it could potentially take up to 2 weeks for an environment left in the Default configuration.  Thanks!

    • Author

      Your understanding is pretty close.  Here is the revised order:

      1. Computer object is added to AD Security Group
      2. SCCM AD Group Discovery "Delta Discovery" runs (Default, 5 min)
      3. Collection gets updated:
        1. Can be set to Incremental defined as "periodically" - takes about a minute. Recommended for these deployment types.
        2. Can be set to Scheduled (default is 7 days, but easily customizable)
      4. Client must run a Machine Policy Refresh (SCCM's version of a GPUpdate). Occurs every hour by default.

      When I image computers, I set a custom client settings to change the Machine Policy Refresh down to 5 minutes. This speeds up software installation times.
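The following is an added example, not part of the article or the comment thread, that forces the steps listed in the reply above for a single computer: step 3 (collection evaluation) on the site server, then step 4 (machine policy refresh, followed by an application deployment evaluation) on the client. It assumes it runs on the site server against the same WMI namespace as the article's script, that the client allows remote WMI, and that $Sitename and the collection and computer names are placeholders. The two schedule IDs are the standard SMS_Client trigger IDs for the Machine Policy Retrieval & Evaluation and Application Deployment Evaluation cycles.

```powershell
# Added example (not from the article or the comments): shortcut the discovery-to-install chain
# for one computer that was just added to an APP_ group.
$Sitename  = "GC1"                                   # placeholder, replace with your site code
$Namespace = "Root\SMS\Site_" + $Sitename

# Standard SMS_Client trigger schedule IDs (the same cycles the client applet's Actions tab runs)
$MachinePolicyCycle     = "{00000000-0000-0000-0000-000000000021}"
$AppDeploymentEvalCycle = "{00000000-0000-0000-0000-000000000121}"

Function Sync-ADGroupDeployment($CollectionName, $ComputerName, $TimeoutMinutes = 10)
{
    $Collection = Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter "Name='$CollectionName'"
    if (-not $Collection) { throw "Collection '$CollectionName' was not found in $Namespace" }

    # Step 3: re-run the collection query now instead of waiting for the incremental or scheduled update
    $Collection.RequestRefresh() | Out-Null

    # Wait for group discovery plus evaluation to add the computer to the collection
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $Member = $null
    do
    {
        $Member = Get-WmiObject -Namespace $Namespace -Class SMS_FullCollectionMembership `
            -Filter "CollectionID='$($Collection.CollectionID)' and Name='$ComputerName'"
        if ($Member) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $Deadline)

    if (-not $Member)
    {
        Write-Warning "$ComputerName is still not a member of '$CollectionName'; check the AD group membership and group discovery (adsgdis.log)"
        return $false
    }

    # Step 4: pull the new machine policy, then evaluate application deployments so the install starts
    foreach ($ScheduleId in @($MachinePolicyCycle, $AppDeploymentEvalCycle))
    {
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm -Class SMS_Client `
            -Name TriggerSchedule -ArgumentList $ScheduleId | Out-Null
    }
    return $true
}

# Usage (placeholder names):
# Sync-ADGroupDeployment -CollectionName "APP_Adobe Flash Player" -ComputerName "PC01"
```

The policy download triggered by the first cycle is asynchronous, so if the application does not appear in Software Center right away, trigger the Application Deployment Evaluation cycle again a minute later. The wait loop exists because the collection cannot contain the computer until group discovery has seen the new membership; if it times out, the delay is in discovery, not on the client.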

  2. Chris M 2 years ago

    Great article and concept!

    What are some troubleshooting steps for group memberships not being discovered with the delta discovery? Full discovery updates them just fine,  so I have it set running 4 hours for now. These are systems already in SCCM, recently added to a purpose-driven AD group.

    adsgdis.log doesn't show any clear indication of an issue during delta. 

© 4sysops 2006 - 2021