This is almost like creating a new group SG3 and adding all the users that I am looking 
for from SG1 (excluding SG2)?
btw, we have got rid of the nested group SG2 for this time from SG1  ☺

Eswar Koneti
Microsoft MVP (Enterprise Mobility)

On Behalf Of Sherry Kissinger
Sent: Friday, February 2, 2018 3:33 AM
Subject: Re: Re[2]: [mssms] RE: Collection based on AD sec group (no recursive)

If I understand the question, you want users in the usergroup SG1 to be in a 
however, the usergroup SG2, in Active directory, is nested into SG1

That means that the users in SG2 ARE a member of the usergroup SG1.  Just 
because you the human think of it as distinctly different isn't the same thing. 

My suggestion... You're going to have to arrange to have another group (let's call 
it SG3).  That group will contain only the users you explicitly expect to be 
there--and not nest any other groups inside it.

Then I would use this as a collection query:
Select SMS_R_Usergroup.resourceid
  from SMS_R_UserGroup
  where SMS_R_UserGroup.Name = "YourDomain\\SG3"

That will result in there being one and only 1 entry in that collection--the 
usergroup itself (of course, this is after a Discovery cycle to discover this 
just-created new usergroup, so it's there)

What that means is anyone in SG3 will deserve whatever deployment is targeted 
to that collection with that 1 value.  One caveat people forget about 
sometimes... Let's say I logged in yesterday, and today at 8am my ID was added 
to SG3.  No matter how many user policy refreshes I try, I don't get the new 
software listed.  That's because the AD Token for that group isn't there yet in 
that logged in session.  I haven't re-authenticated.  I either have to 
lock/unlock my session (Ctrl+alt+del, lock and unlock), or logoff/logon, or 
reboot of course completely.

On Thu, Feb 1, 2018 at 9:57 AM, Eswar Koneti wrote:

Have tried direct membership rule but that also lists all users from both SG1 
AND SG2, which is not the desired result. It works the same as query based.

Has anyone tried this scenario?

Eswar Koneti
Microsoft MVP (Enterprise Mobility)
Sent from mobile device, please excuse any typos as a result.
Thursday, 01 February 2018, 08:45am +08:00 from Eswar Koneti:

Haven't tried direct membership  but I will try it now if that makes any 

Eswar Koneti
Microsoft MVP (Enterprise Mobility)
Sent from mobile device, please excuse any typos as a result.
Thursday, 01 February 2018, 03:28am +08:00 from John Marcum:

Have you tried just putting the group itself as a direct membership rule rather 
than querying the group for its members?

On Behalf Of Eswar Koneti
Sent: Wednesday, January 31, 2018 10:42 AM
Subject: [mssms] Collection based on AD sec group (no recursive)

Hi All,

I am trying to create a collection (user) based on an AD sec group (SG1). This AD sec 
group has 20 users along with another AD sec group (SG2). SG2 is a member of SG1 
as well, with 100+ users in it (of these 100+ users, some of the users are in 
SG1 as well).

When I create a collection with SG1, it pulls users from SG1 and SG2 (recursive). 
I have tried creating a collection for SG2 and excluding it in the SG1 collection but that 
doesn't work.

Is there a way to create a collection to get users only from SG1 but exclude/not 
look at SG2?

Eswar Koneti

Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
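
Added example, not part of the original thread: a small Python model of the nesting discussed above, using a constructed directory (the user names and memberships are made up for illustration). It shows that SG1's effective membership includes SG2's users, that subtracting SG2 also drops a user who is a direct member of both groups, and that a flat SG3 built from SG1's direct users gives the intended set.

```python
# Constructed directory: user names and memberships are sample data,
# not taken from the thread. SG2 is nested inside SG1; carol is in both.
GROUPS = {
    "SG1": {"users": {"alice", "bob", "carol"}, "groups": {"SG2"}},
    "SG2": {"users": {"carol", "dave", "erin"}, "groups": set()},
}


def direct_users(group):
    """Users listed directly on the group object (nesting is not followed)."""
    return set(GROUPS[group]["users"])


def effective_users(group, _seen=None):
    """Transitive membership: direct users plus users of every nested group."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    users = direct_users(group)
    for nested in GROUPS[group]["groups"]:
        users |= effective_users(nested, seen)
    return users


def flat_group_from(group):
    """Definition of a new flat group (SG3 in the thread): direct users only."""
    return {"users": direct_users(group), "groups": set()}


if __name__ == "__main__":
    # Targeting SG1 reaches everyone in SG2 as well.
    print("SG1 effective:", sorted(effective_users("SG1")))
    # Subtracting SG2 loses carol, who is a direct member of both groups.
    print("SG1 minus SG2:", sorted(effective_users("SG1") - effective_users("SG2")))
    # A flat SG3 holds exactly the users listed directly on SG1.
    GROUPS["SG3"] = flat_group_from("SG1")
    print("SG3 effective:", sorted(effective_users("SG3")))
```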
