SCCM – Link AD Users/Groups to Collections


You're going to find out that a little extra work is required to link AD groups to SCCM packages (why, Microsoft? Just, why?). Assuming you have set up Active Directory Group Discovery properly, all you need to do now is create two collections with query rules: one under User Collections, the other under Device Collections.

#1 Under User Collections, create a collection with a query rule using the query below. It returns the members of the specified AD group (UserGroupName is stored as NetBIOS domain\group, and the backslash has to be doubled in WQL).

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType, SMS_R_USER.Name,SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "YourDomain\\The_AD_Group_Skype"

Once created, make sure to note the Collection ID of the collection you just created. Let’s say it’s ABC00A1 in our example.

#2 Now, under Device Collections, create another collection named after the app, for example Skype. Add a query rule with the following code, substituting the Collection ID you noted above.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System join SMS_G_SYSTEM_COMPUTER_SYSTEM on SMS_G_SYSTEM_COMPUTER_SYSTEM.ResourceID = SMS_R_SYSTEM.ResourceID join SMS_G_system_SYSTEM_CONSOLE_USAGE on SMS_G_SYSTEM_COMPUTER_SYSTEM.ResourceID = SMS_G_system_SYSTEM_CONSOLE_USAGE.ResourceID join SMS_R_User on SMS_G_system_SYSTEM_CONSOLE_USAGE.TopConsoleUser = SMS_R_User.UniqueUserName join SMS_FullCollectionMembership on SMS_FullCollectionMembership.Name = SMS_R_User.Name where SMS_FullCollectionMembership.collectionID = 'ABC00A1'

Now, just deploy the app as you normally would, selecting the device collection you created under Device Collections. Done!

Of course, there is a caveat: this method isn't perfect. Even when a computer is a user's primary device, that user is not always reported as its TopConsoleUser. The two values come from different places: TopConsoleUser is populated by the Asset Intelligence console-usage hardware inventory class (the account with the most console logon time over the inventory period), whereas a primary device is a user device affinity relationship, so the two can disagree or lag behind each other. If a user only has one computer, the success rate is high. I will research further. So, stay tuned.

 

Update

After a little more research and testing…I now have a full list of user devices.

To return a single user’s actual primary devices:

select SMS_R_System.name, SMS_R_User.UniqueUserName
from SMS_R_System inner join SMS_UserMachineRelationship on SMS_UserMachineRelationship.ResourceId = SMS_R_System.ResourceId
join SMS_R_User on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName where SMS_UserMachineRelationship.Types = 1 and SMS_R_User.UniqueUserName like '%YourDomain\\TheUserName%'

Now, if you want to add this to SCCM (so it works for multiple users), add the following as a second query rule on the Skype device collection you originally created (so the device collection will have Query1 and Query2):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_UserMachineRelationship on SMS_UserMachineRelationship.ResourceId = SMS_R_System.ResourceId join SMS_R_User on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName join SMS_FullCollectionMembership on SMS_FullCollectionMembership.Name = SMS_R_User.Name where SMS_UserMachineRelationship.Types = 1 and SMS_FullCollectionMembership.collectionID = 'ABC00A1'

The reason you're doing this is to widen the set of devices the collection can pick up (TopConsoleUser matches plus user device affinity matches), while still using the User Collection ID as the filter for the AD group's members.

Now, when you run the Device Collection query right from the device collection, you'll have all the computers associated with the specified AD group. You're ready to deploy apps. Two things to keep in mind: membership changes only show up after AD Group Discovery has run and both collections have re-evaluated, so a user added to the group today may not get the app until the next cycles complete; and because the AD group now decides which machines receive the deployment, anyone who can change that group's membership can effectively push the application to a device, so guard write access to the group as carefully as you guard deployment rights in SCCM.
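Pulling steps #1 and #2 and the second query from the update together, here is an added example (not code from the original post) that builds both collections with the ConfigMgr PowerShell module instead of clicking through the console. The site code, site server, AD group and app name are placeholder assumptions you would replace; the script assumes the ConfigMgr console (and its module) is installed where it runs.

```powershell
# Added example: create the user collection, capture its CollectionID, and
# create the linked device collection with both query rules from the post.
# Placeholder assumptions, not values from the original post:
$SiteCode   = "ABC"
$SiteServer = "sccm01.yourdomain.local"
$AdGroup    = "YourDomain\\The_AD_Group_Skype"   # NetBIOS domain; backslash already doubled for WQL
$AppName    = "Skype"

# Load the ConfigMgr module shipped with the console and connect to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Step 1: user collection holding the AD group's members
$userCollName = "Users - $AppName"
$userColl = New-CMUserCollection -Name $userCollName -LimitingCollectionName "All Users"
Add-CMUserCollectionQueryMembershipRule -CollectionName $userCollName -RuleName "Members of $AdGroup" -QueryExpression @"
select SMS_R_User.ResourceID, SMS_R_User.ResourceType, SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
from SMS_R_User where SMS_R_User.UserGroupName = "$AdGroup"
"@

# The CollectionID is what links the two collections (ABC00A1 in the post)
$userCollId = $userColl.CollectionID

# Step 2: device collection named after the app
$devCollName = $AppName
New-CMDeviceCollection -Name $devCollName -LimitingCollectionName "All Systems" | Out-Null

# Rule 1: machines whose TopConsoleUser is a member of the user collection
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $devCollName -RuleName "TopConsoleUser in $userCollId" -QueryExpression @"
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceID
join SMS_G_System_SYSTEM_CONSOLE_USAGE on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_G_System_SYSTEM_CONSOLE_USAGE.ResourceID
join SMS_R_User on SMS_G_System_SYSTEM_CONSOLE_USAGE.TopConsoleUser = SMS_R_User.UniqueUserName
join SMS_FullCollectionMembership on SMS_FullCollectionMembership.Name = SMS_R_User.Name
where SMS_FullCollectionMembership.CollectionID = '$userCollId'
"@

# Rule 2: primary devices (user device affinity, Types = 1) of the same users
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $devCollName -RuleName "Primary devices of $userCollId" -QueryExpression @"
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
join SMS_UserMachineRelationship on SMS_UserMachineRelationship.ResourceId = SMS_R_System.ResourceId
join SMS_R_User on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
join SMS_FullCollectionMembership on SMS_FullCollectionMembership.Name = SMS_R_User.Name
where SMS_UserMachineRelationship.Types = 1 and SMS_FullCollectionMembership.CollectionID = '$userCollId'
"@

# Kick off evaluation so the device collection is populated before you deploy to it
Invoke-CMCollectionUpdate -Name $userCollName
Invoke-CMCollectionUpdate -Name $devCollName
```

The device collection is created second on purpose: its rules need the CollectionID that only exists once the user collection has been created, which is the same ordering the manual steps follow.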

 

Notes

Select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client FROM SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName=SMS_R_User.UniqueUserName WHERE SMS_UserMachineRelationship.Types=1 AND SMS_R_User.UserGroupName="Domain\\AD_Group"
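As an added check that is not part of the original notes: before you put this single-query version into a collection, you can run it straight against the SMS provider to see exactly which devices it returns, and compare that list with the AD group to find members who have no primary device (and so would receive nothing from the deployment). Site code, site server, NetBIOS domain and group name are placeholder assumptions; the AD side uses Get-ADGroupMember from the ActiveDirectory module.

```powershell
# Added example: dry-run the "Notes" query and cross-check it against AD.
# Placeholder assumptions, not values from the original post:
$SiteCode      = "ABC"
$SiteServer    = "sccm01.yourdomain.local"
$NetbiosDomain = "YourDomain"
$GroupName     = "The_AD_Group_Skype"
$Namespace     = "root\SMS\site_$SiteCode"

function Get-GroupPrimaryDevices {
    param([string]$Domain, [string]$Group)
    # Same query as in Notes; the backslash is doubled because WQL treats \ as an escape
    $wql = @"
select SMS_R_System.ResourceID, SMS_R_System.Name, SMS_R_User.UniqueUserName
from SMS_R_System
join SMS_UserMachineRelationship on SMS_R_System.Name = SMS_UserMachineRelationship.ResourceName
join SMS_R_User on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
where SMS_UserMachineRelationship.Types = 1 and SMS_R_User.UserGroupName = "$Domain\\$Group"
"@
    # For join queries the SMS provider returns __GENERIC objects whose properties are
    # the embedded instances of each joined class, hence $_.SMS_R_System.Name
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $wql | ForEach-Object {
        [pscustomobject]@{
            Device = $_.SMS_R_System.Name
            User   = $_.SMS_R_User.UniqueUserName
        }
    }
}

$devices = Get-GroupPrimaryDevices -Domain $NetbiosDomain -Group $GroupName
"Devices the collection would contain:"
$devices | Sort-Object Device -Unique | Format-Table -AutoSize

# Members of the AD group with no primary device: they are in the user side of the
# link but no machine will ever be targeted for them
$usersWithDevices = $devices.User |
    ForEach-Object { ($_ -split '\\')[-1].ToLower() } |
    Sort-Object -Unique
"Group members without a primary device:"
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName.ToLower() -notin $usersWithDevices } |
    Select-Object -ExpandProperty SamAccountName
```

Run it from a machine that can reach both the site server's SMS provider and a domain controller; an empty first list usually means Group Discovery has not yet picked up the group (UserGroupName is only populated after discovery), not that the query is wrong.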

 

### Linking an AD security group to an SCCM collection

The script below prompts for the collection type and name, creates the collection with a query rule that follows the AD group, and finally creates the matching AD group (the AD part uses the Quest ActiveRoles snap-in).

Add-PSSnapin Quest.ActiveRoles.ADManagement

#Set Collection Type
$CollectionType = Read-Host "Is this a computer or user collection?"

if ($CollectionType -eq "Computer")
{$CollectionType = 2} # SMS_Collection.CollectionType 2 = device collection
elseif ($CollectionType -eq "User")
{$CollectionType = 1} # SMS_Collection.CollectionType 1 = user collection
else
{throw "Answer 'Computer' or 'User'"}

#Build Collection Name and Description
$CollectionName = Read-Host "What is the name of the Application group? EX: APP_Adobe Flash Player"
$Description = $CollectionName

#Configuration Block for SCCM
$Sitename = "GC1"
$Domain = "TEST" # NetBIOS domain name: SMS_R_User.UserGroupName is stored as DOMAIN\Group, not as the DNS name
$GroupOU = "OU=Software Distribution,DC=Test,DC=LOCAL"

$Namespace = "Root\SMS\Site_" + $Sitename

#Create Collection Block
Function Create-Collection($CollectionName)
{
    # Limit to All Users (SMS00002) for a user collection, All Systems (SMS00001) for a device collection
    $LimitingCollectionID = if ($CollectionType -eq 1) { "SMS00002" } else { "SMS00001" }
    $CollectionArgs = @{
        Name = $CollectionName;
        CollectionType = $CollectionType;
        LimitToCollectionID = $LimitingCollectionID
    }
    Set-WmiInstance -Class SMS_Collection -Arguments $CollectionArgs -Namespace $Namespace | Out-Null
}

#Update Query Block
Function Update-Query($CollectionName) {

    # WQL needs the backslash in DOMAIN\Group doubled
    $GroupName = $Domain + '\\' + $CollectionName
    if ($CollectionType -eq 1) {
        # User collection: members of the AD group
        $QueryExpression = 'select * from SMS_R_User where SMS_R_User.UserGroupName = "' + $GroupName + '"'
    } else {
        # Device collection: primary devices (user device affinity) of the group members; same query as in Notes above
        $QueryExpression = 'select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System join SMS_UserMachineRelationship on SMS_R_System.Name = SMS_UserMachineRelationship.ResourceName join SMS_R_User on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName where SMS_UserMachineRelationship.Types = 1 and SMS_R_User.UserGroupName = "' + $GroupName + '"'
    }
    $Collection = Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter "Name='$CollectionName' and CollectionType=$CollectionType"

    #Validate Query syntax: ValidateQuery returns ReturnValue 0 for a valid query
    #(the result object itself is always truthy, so test the ReturnValue, not the object)
    $ValidateQuery = Invoke-WmiMethod -Namespace $Namespace -Class SMS_CollectionRuleQuery -Name ValidateQuery -ArgumentList $QueryExpression

    If($ValidateQuery.ReturnValue -eq 0){
        $Collection.Get() # loads the lazy CollectionRules property before we append to it

        #Create new rule
        $NewRule = ([WMIClass]"\\Localhost\$Namespace`:SMS_CollectionRuleQuery").CreateInstance()
        $NewRule.QueryExpression = $QueryExpression
        $NewRule.RuleName = $CollectionName

        #Commit changes and initiate the collection evaluator
        $Collection.CollectionRules += $NewRule.psobject.baseobject
        $Collection.RefreshType = 6 # 2 (scheduled) + 4 (incremental) updates
        $Collection.Put() | Out-Null
        $Collection.RequestRefresh() | Out-Null
    }
    else {
        throw "Query failed validation: $QueryExpression"
    }
}

#The WorkHorse

Create-Collection $CollectionName
Update-Query $CollectionName
# The AD group is created last; the collection stays empty until AD Group Discovery
# has picked up the new group and its members and the collection has re-evaluated
New-QADGroup -Name $CollectionName -ParentContainer $GroupOU -groupScope Global -Description $Description