If I understand the question, you want users in the usergroup SG1 to be in a collection. However, the usergroup SG2, in Active Directory, is nested into SG1.

That means that the users in SG2 ARE a member of the usergroup SG1. Just because you the human think of it as distinctly different isn't the same thing. :)

My suggestion... You're going to have to arrange to have another group (let's call it SG3). That group will contain only the users you explicitly expect to be there--and not nest any other groups inside it.

Then I would use this as a collection query:

    Select SMS_R_Usergroup.resourceid from SMS_R_UserGroup where SMS_R_UserGroup.Name = "YourDomain\\SG3"

That will result in there being one and only 1 entry in that collection--the usergroup itself (of course, this is after a Discovery cycle to discover this just-created new usergroup, so it's there).

What that means is anyone in SG3 will deserve whatever deployment is targeted to that collection with that 1 value.

One caveat people forget about sometimes... Let's say I logged in yesterday, and today at 8am my ID was added to SG3. No matter how many user policy refreshes I try, I don't get the new software listed. That's because the AD Token for that group isn't there yet in that logged in session. I haven't re-authenticated. I either have to lock/unlock my session (Ctrl+Alt+Del, lock and unlock), or logoff/logon, or reboot of course completely.

On Thu, Feb 1, 2018 at 9:57 AM, Eswar Koneti <[email protected]> wrote:

> Have tried direct membership rule but that also lists all users from both
> SG1 AND SG2 which is not desired results. It works same as query based.
>
> Did anyone try this scenario?
>
> --
> Regards,
> Eswar Koneti
> Microsoft MVP (Enterprise Mobility)
> www.eskonr.com
> Sent from mobile device, please excuse any typos as a result.
>
> Thursday, 01 February 2018, 08:45am +08:00 from Eswar Koneti
> [email protected]:
>
> Haven't tried direct membership but I will try it now if that makes any
> difference.
>
> --
> Regards,
> Eswar Koneti
> Microsoft MVP (Enterprise Mobility)
> www.eskonr.com
> Sent from mobile device, please excuse any typos as a result.
>
> Thursday, 01 February 2018, 03:28am +08:00 from John Marcum
> [email protected]:
>
> Have you tried just putting the group itself as a direct membership rule
> rather than querying the group for its members?
>
> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com]
> *On Behalf Of *Eswar Koneti
> *Sent:* Wednesday, January 31, 2018 10:42 AM
> *To:* [email protected]
> *Subject:* [mssms] Collection based on AD sec group (no recursive)
>
> Hi All,
>
> Am trying to create collection (user) based on AD sec group (SG1). This
> AD sec group has 20 users along with another AD sec group (SG2). SG2 is
> member of SG1 as well with 100+ users in it (of this 100+ users, some of
> the users are in SG1 as well).
>
> When I create collection with SG1, it pulls users from SG1 and SG2
> (recursive). I have tried creating collection for SG2 and exclude in SG1
> collection but that doesn't work.
>
> Is there a way to create collection to get users only from SG1 but exclude
> / don't look at SG2?
>
> Regards,
> Eswar Koneti

--
Thank you,
Sherry Kissinger
My Parameters: Standardize. Simplify. Automate
Blog: http://mnscug.org/blogs/sherry-kissinger
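
Added example, not part of the original thread: one way to keep the flat group SG3 described above in step with the direct user members of SG1, and to check whether the current logon session's token already carries SG3. It assumes the RSAT ActiveDirectory PowerShell module is installed and that SG3 already exists as an empty security group; treating SG1's direct members as the intended membership is also an assumption.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and that a security group named SG3 has already been created with no members.
Import-Module ActiveDirectory

$source = 'SG1'   # group from the thread that has SG2 nested inside it
$target = 'SG3'   # flat group the collection query points at

# Without -Recursive, Get-ADGroupMember returns direct members only, so the
# nested group SG2 comes back as one 'group' object and is filtered out here.
$wanted  = @(Get-ADGroupMember -Identity $source | Where-Object { $_.objectClass -eq 'user' })
$current = @(Get-ADGroupMember -Identity $target | Where-Object { $_.objectClass -eq 'user' })

$wantedSids  = @($wanted  | ForEach-Object { $_.SID.Value })
$currentSids = @($current | ForEach-Object { $_.SID.Value })

# Add users who are direct members of SG1 but not yet in SG3.
$toAdd = @($wanted | Where-Object { $currentSids -notcontains $_.SID.Value })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $target -Members $toAdd
}

# Remove users who left SG1, so SG3 does not keep granting stale deployments.
$toRemove = @($current | Where-Object { $wantedSids -notcontains $_.SID.Value })
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $target -Members $toRemove -Confirm:$false
}

# Flag anything other than users in SG3: a nested group would bring back the
# recursive membership the flat group is meant to avoid.
Get-ADGroupMember -Identity $target |
    Where-Object { $_.objectClass -ne 'user' } |
    ForEach-Object { Write-Warning "Non-user member in ${target}: $($_.SamAccountName)" }

# The caveat from the reply: group membership is read from the logon token,
# which is built at authentication. Check whether this session has SG3 yet.
$targetSid = (Get-ADGroup -Identity $target).SID.Value
$tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

if ($tokenSids -contains $targetSid) {
    "This session's token includes $target."
} else {
    "This session's token does not include $target yet; lock/unlock or log off and on."
}
```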

