Add an AD Group rule to a collection with PowerShell

It’s been a long time since I’ve posted anything on my blog, but after a year of writing with the SCConfigMgr team on a regular basis I thought it was time to give my roots a little bit of loving.

When creating a collection in ConfigMgr it’s really common to use an Active Directory group to represent membership of that collection. Importing a query rule from a saved query, or pasting a query in by hand, is fine as a one-off, but it gets tedious fast if you need to attach collections to, say, fifty or so AD groups. Let’s start off with the requirements:

  1. Installed ConfigMgr Console – The ConfigMgr PowerShell cmdlets ship with the console, so it has to be installed on the machine you run this from
  2. Connection to the ConfigMgr PSDrive – Gotta be attached to the site drive (and your account needs rights to modify the target collection)
  3. An Active Directory Group – Kinda obvious

First we’ll want to connect to the ConfigMgr drive – you can read the details on how to do that in my post on the SCConfigMgr blog, “How to import the ConfigMgr PowerShell Cmdlets”. For our purposes here just know that you need to import the module, and you can do so with this simple one-liner (SMS_ADMIN_UI_PATH is set by the console installer and points at the bin\i386 folder, so Split-Path takes us up to bin where ConfigurationManager.psd1 lives):

Import-Module (Join-Path $(Split-Path $ENV:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -Verbose:$false

Once we’ve got the cmdlets imported we get past our second hurdle by connecting to the ConfigMgr PSDrive. This is pretty easy too: the module creates one CMSite drive per site the console has connected to, so if you only have one site the following will connect you (if you have more than one, pick the drive by its site code instead):

Set-Location -Path (((Get-PSDrive -PSProvider CMSite).Name) + ":")

Great, now that we’ve connected to the drive we need to do some actual work. First we need to know the WQL query for an Active Directory group, and this one works fine. Two things worth noting: the backslash in DOMAIN\\GROUPNAME is doubled because WQL treats \ as an escape character, and SystemGroupName is only populated once Active Directory Group Discovery has picked up the group, so a freshly created group will not match anything until discovery has run:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\GROUPNAME"

Second we need to know the ConfigMgr PowerShell cmdlet we are going to use: Add-CMDeviceCollectionQueryMembershipRule. The query is passed as a string, and since the PowerShell string is double-quoted the WQL literal below is single-quoted; WQL accepts either quote style.

Add-CMDeviceCollectionQueryMembershipRule -CollectionName "Test Collection" -RuleName "A collection Rule Name" -QueryExpression "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = 'DOMAIN\\GROUPNAME'"

Now, while the above will work, it’s a little messy, so it’s time to make a function that gives us a reusable building block instead. With a little here-string magic (a double-quoted here-string expands $GroupName but lets us keep the inner double quotes without escaping them) we get something that looks like this:

# The group is passed as DOMAIN\\GROUP with the backslash already doubled, because WQL treats \ as an escape character
$group = "PROBRES\\MAINT - SERVER - PROD10W1"
$Collection = "MAINT - SERVER - PROD10W1"

function New-ADGroupQuery{
[cmdletbinding()]
param(
    # AD group in DOMAIN\\GROUP form (backslash doubled for WQL)
    [parameter(Mandatory = $true)]
    [string]$GroupName,
    # Existing device collection the rule is added to
    [parameter(Mandatory = $true)]
    [string]$CollectionName
    )
# Double-quoted here-string: $GroupName is expanded, the inner "..." needs no escaping.
# The closing "@ must sit at the very start of its line.
$Query = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "$GroupName"
"@
# Rule names must be unique within a collection, so the group name is baked into it
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName "All devices that are a member of AD Group $($GroupName)" -QueryExpression $Query
}

New-ADGroupQuery -GroupName $group -CollectionName $Collection

Now that we’ve got a shiny function we can use it to do some cool things, like importing a whole CSV of AD group and collection names and iterating through them.
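As an added example that is not part of the original post, here is the CSV-driven version the paragraph describes. It wraps the same cmdlets in a function that takes the group name exactly as it appears in AD (single backslash), escapes it for WQL itself, fails early if the collection does not exist, and skips a rule name that is already present so the script can be re-run safely. The module import and site-drive connection are the lines shown earlier. The function name Add-ADGroupCollectionRule, the CONTOSO group and collection names, and the inline CSV are assumptions for illustration, standing in for Import-Csv against a real file.

```powershell
# Added example (not from the original post): bulk-create AD group membership rules from a CSV.
# Assumes the ConfigMgr console is installed and a CMSite PSDrive exists; names below are made up.
Import-Module (Join-Path $(Split-Path $ENV:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -Verbose:$false
# Take the first CMSite drive; with several sites, select the one you want by its site code instead
Set-Location -Path (((Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name) + ":")

function Add-ADGroupCollectionRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DOMAIN\GROUP as it appears in AD; the backslash is escaped for WQL inside the function
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\]+\\[^\\]+$')]
        [string]$GroupName,

        [Parameter(Mandatory = $true)]
        [string]$CollectionName
    )

    # Fail early if the collection does not exist instead of letting the cmdlet error mid-loop
    if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
        throw "Collection '$CollectionName' not found"
    }

    # WQL uses \ as an escape character, so the single backslash in the AD name becomes \\ in the query.
    # A sAMAccountName cannot contain a double quote, so nothing else in the literal needs quoting.
    $wqlGroup = $GroupName -replace '\\', '\\'
    $ruleName = "All devices that are a member of AD Group $GroupName"

    # Rule names must be unique per collection; skip rather than fail on a re-run
    if (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName $ruleName) {
        Write-Verbose "Rule '$ruleName' already exists on '$CollectionName', skipping"
        return
    }

    # Double-quoted here-string: $wqlGroup expands, inner quotes need no escaping, closing "@ at column 0
    $query = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "$wqlGroup"
"@

    if ($PSCmdlet.ShouldProcess($CollectionName, "Add query rule for $GroupName")) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName $ruleName -QueryExpression $query
    }
}

# Constructed sample input standing in for Import-Csv .\groups.csv; the names are fictitious
$mappings = @'
GroupName,CollectionName
CONTOSO\MAINT - SERVER - PROD10W1,MAINT - SERVER - PROD10W1
CONTOSO\MAINT - SERVER - PROD10W2,MAINT - SERVER - PROD10W2
'@ | ConvertFrom-Csv

foreach ($row in $mappings) {
    Add-ADGroupCollectionRule -GroupName $row.GroupName -CollectionName $row.CollectionName -Verbose
    # Optional: evaluate membership now instead of waiting for the scheduled collection update
    Invoke-CMCollectionUpdate -Name $row.CollectionName
}
```

Run it once with -WhatIf on the function call to see which collections would be touched before committing, and remember that a rule only starts matching devices after Active Directory Group Discovery has populated SystemGroupName for that group.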
