Monday, June 3, 2013

SCCM 2012 - Creating Device Collections From an Active Directory Organizational Unit

With our device discoveries up and running, I wanted to dedicate this segment to creating device collections. This can be useful if you need to isolate specific devices for one reason or another, such as software policies or specific client settings. There are quite a few different ways to set up device collections. I am going to focus on creating a collection based on OUs in Active Directory, which in my opinion is one of the best ways to manage device collections long term, as long as the device has the client installed on it.

In Assets and Compliance, click Device Collections. You will see a few that are created automatically by default. Let's go ahead and make a new one. Right-click on Device Collections and select Create Device Collection.

The Create Device Collection Wizard will open. Go ahead and give this collection a name and a description if you like, then Click Browse

For this example we will use All Desktop and Server Clients. Click OK, then click Next.

On the Membership Rules page, click Add Rule, then select Query Rule.

This will bring up the Query Rule Properties window. Go ahead and give the query a name then Click Edit Query Statement

Go to the Criteria Tab then click on the Yellow Star

Leave the Criterion Type as Simple Value. Click Select

For the Attribute Criteria, select System Resource as the Attribute class and System OU Name for the Attribute. Click OK.

Back on the Criterion Properties window Click Value.

You will be presented with all of the available OUs in your Active Directory structure. In the case of this lab we only have Domain Controllers and Servers (manually created). We highlight Servers and click OK.

Note - Only OUs that are populated with active (not disabled) computer objects will show up on this list. Empty OUs will not.

Click OK

Click OK

Here you will see the fully built query. Click OK

So we have returned to our Membership Rules window. You can define if you want to run incremental scans by checking Use incremental updates for this collection. We are going to just use scheduled scans for this segment, so let's go ahead and modify the discovery scan. Click Schedule.

Since we have a fairly small number of servers in our lab, we are going to set the interval low. In a live production environment you wouldn't want to set it any lower than about once every twenty-four hours, as it will cause increased network traffic during the scans. We are going to run it every ten minutes. Click OK.

Click Summary

You can review the results of the Collection. Click Next

You should get a success notification. Click Close

Back on the Device collection window you will see your newly created collection. It may take a few minutes to query depending on the size of your environment but if you refresh after a few minutes you should see servers being added to the collection. You can validate the collection by Right Clicking on it and selecting Show Members
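The same collection can be built from the ConfigurationManager PowerShell module instead of the wizard. This is an added example, not part of the original post; it assumes the module that ships with the admin console is available, and the site code, OU distinguished name and collection name are placeholders.

```powershell
# Added example. Placeholders: site code, OU distinguished name, collection name.
$SiteCode       = 'LAB'
$OuDn           = 'OU=Servers,DC=lab,DC=local'
$CollectionName = 'Servers OU'

function ConvertTo-SystemOUName {
    # Turns an OU distinguished name into the domain/OU path form that the
    # System OU Name attribute holds, e.g. LAB.LOCAL/SERVERS.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not backslash-escaped inside an RDN value.
    $parts = $DistinguishedName -split '(?<!\\),'
    $dc = @($parts | Where-Object { $_ -match '^\s*DC=' } |
            ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() })
    $ou = @($parts | Where-Object { $_ -match '^\s*OU=' } |
            ForEach-Object { ($_ -replace '^\s*OU=', '').Trim() })
    [array]::Reverse($ou)            # a DN lists the innermost OU first
    # Upper-cased on the assumption that the value picker lists OUs that way.
    ((@($dc -join '.') + $ou) -join '/').ToUpper()
}

$ouName = ConvertTo-SystemOUName -DistinguishedName $OuDn

# WQL equivalent of the query rule built in the wizard (System Resource /
# System OU Name). SystemOUName is multi-valued: a device in a child OU also
# carries each parent OU value, so this rule matches sub-OU devices too.
$query = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, ' +
         'SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, ' +
         'SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
         "from SMS_R_System where SMS_R_System.SystemOUName = '$ouName'"

# Load the module from the console install path and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Daily scheduled update; the lab in this post used a ten-minute interval.
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1

New-CMDeviceCollection -Name $CollectionName `
    -LimitingCollectionName 'All Desktop and Server Clients' `
    -RefreshType Periodic -RefreshSchedule $schedule

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
    -RuleName "OU $ouName" -QueryExpression $query

# Equivalent of Show Members, once the collection has been evaluated.
Get-CMDevice -CollectionName $CollectionName | Select-Object Name
```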


More to come!



18 comments:

  1. Excellent article. Clear and to the point. Exactly what I needed.
    Thanks.

  2. It doesn't seem to add the computers to the collection if they are turned off.

    Replies
    1. That's interesting. I had not seen that before. If the machine is active in SCCM and not disabled in AD it should populate in the collection regardless if it is turned on or not. I will have to test that further.

  3. Good article. Straight and to the point. Appreciate the quick tutorial.

  4. Exactly what I needed. Saved me time!

  5. How can you group several OUs into a single collection? What would the query look like? Any help would greatly be appreciated.

    Replies
    1. The easiest way to do it would be to have multiple query rules on the Membership rules page. Same query for each, just change the Destination OU.

  6. Any way for it to add computers from sub OUs automatically?

    Replies
    1. If the OU is populated it will show up on the list. You can add any OU or Sub-OU as long as there are computer objects in it.

  7. Excellent article. Clear and to the point. Exactly what I needed.
    Thanks.
    Saved me time!

  8. Thanks a TON for putting this up!

  9. Hi, great article, but does it keep SCCM and AD in sync? If I remove computers from AD OUs, then I manually need to remove them from SCCM collection? Do I need some extra queries to remove?

    Thanks.

    Replies
    1. Yes, it will automatically update if you move computers around. It may take a few minutes to update the device collection depending on what your query time is.

  10. If I want to add only a single OU, not its sub-OUs, then how can I configure it?

    Replies
    1. Unfortunately due to Active Directory limitations there isn't a way to specify a top level OU. You might be able to script a filter to give you the results you are looking for, although I have never tried it.

    2. You could try using System Group Name instead of System OU Name and put the machines into a group together. That may be a workaround for you.
