Have you tried this? [cid:[email protected]]
From: [email protected] [mailto:[email protected]] On Behalf Of Sherry Kissinger
Sent: Thursday, February 1, 2018 2:33 PM
To: [email protected]
Subject: Re: Re[2]: [mssms] RE: Collection based on AD sec group (no recursive)

If I understand the question, you want users in the usergroup SG1 to be in a collection. However, the usergroup SG2, in Active Directory, is nested into SG1. That means that the users in SG2 ARE members of the usergroup SG1. Just because you the human think of it as distinctly different isn't the same thing. :)

My suggestion... You're going to have to arrange to have another group (let's call it SG3). That group will contain only the users you explicitly expect to be there--and not nest any other groups inside it. Then I would use this as a collection query:

    Select SMS_R_Usergroup.resourceid from SMS_R_UserGroup where SMS_R_UserGroup.Name = "YourDomain\\SG3"

That will result in there being one and only 1 entry in that collection--the usergroup itself (of course, this is after a Discovery cycle to discover this just-created new usergroup, so it's there). What that means is anyone in SG3 will deserve whatever deployment is targeted to that collection with that 1 value.

One caveat people forget about sometimes... Let's say I logged in yesterday, and today at 8am my ID was added to SG3. No matter how many user policy refreshes I try, I don't get the new software listed. That's because the AD token for that group isn't there yet in that logged-in session. I haven't re-authenticated. I either have to lock/unlock my session (Ctrl+Alt+Del, lock and unlock), or logoff/logon, or reboot of course completely.

On Thu, Feb 1, 2018 at 9:57 AM, Eswar Koneti <[email protected]> wrote:

Have tried direct membership rule but that also lists all users from both SG1 AND SG2, which is not the desired result. It works the same as query based. Did anyone try this scenario?

--
Regards,
Eswar Koneti
Microsoft MVP (Enterprise Mobility)
www.eskonr.com
Sent from mobile device, please excuse any typos as a result.

Thursday, 01 February 2018, 08:45am +08:00 from Eswar Koneti [email protected]:

Haven't tried direct membership but I will try it now if that makes any difference.

--
Regards,
Eswar Koneti

Thursday, 01 February 2018, 03:28am +08:00 from John Marcum [email protected]:

Have you tried just putting the group itself as a direct membership rule rather than querying the group for its members?

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Wednesday, January 31, 2018 10:42 AM
To: [email protected]
Subject: [mssms] Collection based on AD sec group (no recursive)

Hi All,

Am trying to create collection (user) based on AD sec group (SG1). This AD sec group has 20 users along with another AD sec group (SG2). SG2 is member of SG1 as well with 100+ users in it (of this 100+ users, some of the users are in SG1 as well). When I create collection with SG1, it pulls users from SG1 and SG2 (recursive). I have tried creating collection for SG2 and exclude in SG1 collection but that doesn't work. Is there way to create collection to get users only from SG1 but exclude/don't look at SG2?

Regards,
Eswar Koneti

--
Thank you,
Sherry Kissinger
My Parameters: Standardize. Simplify. Automate
Blog: http://mnscug.org/blogs/sherry-kissinger

