Admittedly, I’m not sure this idea is going to work, especially since you have members in both groups in some cases. Use it at your own risk. Please test it in a test environment or on a “cold” collection with no deployments assigned to it first as I don’t have an environment readily available to test this where I’m at right now.
The only thing that comes to mind for myself is to maybe look at 2 separate collections. Collection 1 contains every user in the parent group and its child group based on whatever query you are using. Collection 2 is then created with collection 1 set on the collection limiting field. This is critical so that the query below doesn’t pull in every resource not meeting the requirements from outside of collection 1’s scope.

The query below can then be used to populate collection 2 with the members of collection 1 based on the not equal to (!=) operator below and the collection limiting set earlier. Make sure to change the tail end of the query to the correct values for the sub collection that you don’t want. Note that in the query all I changed is “=” to “!=”, which changes the operator to not equal to.

    select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
    from SMS_R_User
    where SMS_R_User.UserGroupName != "<Domain>\\<AD Group>"

Again, to be clear, TEST and then TEST again on cold collections as I haven’t tried this or tested it. There’s probably a way to do this differently in one query, like maybe with an AND clause, but I can’t be more informational as all I have right now is mobile. Also, if this does work, make sure the automatic collection evaluation is set appropriately to your needs.

Hope this works or is at least a start that gets you somewhere.

-Matt

(Query credit goes to the internet as I cannot pull it from my notes at the immediate moment.)

_____________________________
From: Eswar Koneti <eswarkon...@outlook.com>
Sent: Thursday, February 1, 2018 10:23 AM
Subject: Re[2]: [mssms] RE: Collection based on AD sec group (no recursive)
To: mssms <mssms@lists.myitforum.com>

Have tried direct membership rule but that also lists all users from both SG1 AND SG2, which is not the desired result. It works the same as query based.

Did anyone try this scenario?
--
Regards,
Eswar Koneti
Microsoft MVP (Enterprise Mobility)
www.eskonr.com
Sent from mobile device, please excuse any typos as a result.

Thursday, 01 February 2018, 08:45am +08:00 from Eswar Koneti eswarkon...@outlook.com:

Haven't tried direct membership but I will try it now if that makes any difference.

--
Regards,
Eswar Koneti
Microsoft MVP (Enterprise Mobility)
www.eskonr.com
Sent from mobile device, please excuse any typos as a result.

Thursday, 01 February 2018, 03:28am +08:00 from John Marcum p...@ctglobalservices.com:

Have you tried just putting the group itself as a direct membership rule rather than querying the group for its members?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Eswar Koneti
Sent: Wednesday, January 31, 2018 10:42 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Collection based on AD sec group (no recursive)

Hi All,

I am trying to create a collection (user) based on an AD sec group (SG1). This AD sec group has 20 users along with another AD sec group (SG2). SG2 is a member of SG1 as well, with 100+ users in it (of these 100+ users, some of the users are in SG1 as well). When I create a collection with SG1, it pulls users from SG1 and SG2 (recursive). I have tried creating a collection for SG2 and excluding it in the SG1 collection, but that doesn’t work.

Is there a way to create a collection to get users only from SG1 but exclude/not look at SG2?

Regards,
Eswar Koneti