Is there a way to specify that a collection queries against a specific security group in AD, or can it only query against machines already in its db put there via discovery methods?
3 Answers
You can only create rule based queries based on data that has been collected with the various discovery methods. But among the discovery methods, you have Active Directory Security Group Discovery which will work just fine for your purposes. You just have to turn it on and set it to scan the AD containers that have your groups in them.
Then you can create rule based collections with queries that filter on the System Group Name attribute of the System Resource attribute class. The raw SQL for this type of query is provided in taylord1's answer.
If you're worried about timing and the fact that the default scan schedule is only once a day as well as the collection update schedule, it's really easy to just change the schedule to meet your needs. Just keep in mind that you'll need to update both the Security Group Discovery schedule and the Collection Update schedule. If possible, you should try to time them so the Collection Update schedule happens a few minutes after the Security Group Discovery schedule.
If you're already using Security Group Discovery and are worried about a performance hit from increasing the scan schedule, I'd still suggest trying it out first to see whether it actually causes too much stress on your infrastructure. However, there are other ways of triggering individual machine updates I can describe if you're interested. It involves some programming though.

We do this in our environment by using the following Query when we create a collection, thus giving us a collection of machines who are in a specific group.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "******Insert SCI\Group Name here******"
So for example with a group named SCI\CMP we would use the following.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "SCI\CMP"
(Obviously, our domain name is SCI - you will need to substitute your own domain and group name).
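The steps from the two answers above (enable Security Group Discovery, stagger the collection refresh a few minutes behind it, add the query rule) as one script. This is an added example, not code from either answer; it assumes the ConfigurationManager PowerShell module from a current console install, and the site code, LDAP path, collection name and hourly interval are placeholders.

```powershell
# Added example. Placeholders (assumptions, not from the answers):
# site code, LDAP container, collection name, hourly interval.
$SiteCode       = 'P01'
$GroupContainer = 'LDAP://OU=Groups,DC=example,DC=com'
$GroupName      = 'SCI\CMP'            # DOMAIN\Group, as in the answer above
$CollectionName = 'Pilot - SCI CMP'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

# 1. Enable AD Security Group Discovery on the container that holds the
#    group, polling on the hour.
$start     = (Get-Date).Date
$scope     = New-CMADGroupDiscoveryScope -Name 'Pilot groups' `
                 -LdapLocation $GroupContainer -RecursiveSearch $true
$discovery = New-CMSchedule -Start $start -RecurInterval Hours -RecurCount 1
Set-CMDiscoveryMethod -ActiveDirectoryGroupDiscovery -SiteCode $SiteCode `
    -Enabled $true -AddGroupDiscoveryScope $scope -PollingSchedule $discovery

# 2. Create the collection with a refresh that runs ten minutes after each
#    discovery cycle, so new group members are already in the site database.
$refresh = New-CMSchedule -Start $start.AddMinutes(10) `
               -RecurInterval Hours -RecurCount 1
New-CMDeviceCollection -Name $CollectionName `
    -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic -RefreshSchedule $refresh | Out-Null

# 3. Add the query rule on System Resource / System Group Name.
#    WQL treats the backslash as an escape character inside string
#    literals, so it is doubled when the statement is built here.
$escaped = $GroupName.Replace('\', '\\')
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$escaped"
"@
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
    -RuleName "Members of $GroupName" -QueryExpression $wql

# 4. Review what the rule returned before targeting a deployment at it.
Get-CMCollectionMember -CollectionName $CollectionName |
    Select-Object Name, ResourceID
```

An empty result in step 4 usually means the discovery cycle has not yet recorded the group membership, not that the query is wrong.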
Queries in SCCM are against the SCCM database which will only contain systems that you've discovered.

- What are you trying to do? Perhaps I can help. – MathewC Jun 11 '09 at 01:43
- I am attempting to test SCCM deployment against a subset of machines that I have defined in a security group. – user7862 Jun 11 '09 at 01:44
- You mean deploy the client? OS? Package? – MathewC Jun 11 '09 at 01:52
- You could discover the OU that contains all the machines, then create a collection with only those machines. – MathewC Jun 11 '09 at 02:49