This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 27%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECR%3C/text%3E%3C/svg%3E)
Hello. I have a deployment assigned to me that will reference an AD Security group. We did this a few months ago and the time it took was brutal for all to get the software. It took almost 6 weeks to finish. I checked discovery method settings for AD User Discovery and it's set to every 6 hours. In the client policy, it's set to check every 30 minutes. Can you guys think of things to check to speed this up?
I wanted to do a direct user add collection for this new deployment, but I was overruled for a variety of reasons.
There is a slight difference in a user collection, where the collection contains the resourceIDs of the users, that happen to be in a usergroup. That type of collection query requires multiple timings: 1) the user being added to the group, 2) the group discovery occuring (not user discover, group discovery), and 3) the collection update/refresh. Depending upon timing, that can take a while.
The other type of user collection where the defining factor is the usergroup, is where the collection contains one and only one resourceid: the resourceid of the Usergroup. That's the kind I prefer. That way, the group really only needs to be discovered once, initially (and re-discovered on a schedule), but you don't need to wait for group discovery for "new users added".
When you make the User Collection, make sure you select "user group resource" as the resource class, and the collection query is similar to... where SMS_R_UserGroup.UsergroupName = "That Group Name". When the collection updates, there should be only one entry in the collection--even if in AD there are hundreds of users.
The beauty of this type of collection is that CM knows the token sids associated with usergroups that the user belongs to; and upon user policy refresh, it'll deserve policies deployed to this usergroup. So, in the end, let's say Mary Smith is added to "Widgets_3.0" group. Mary Smith simply needs to lock and unlock her console following that group membership add in AD, and CM will know about it, and immediately deserve the policy.
If you do it the other way (the collection ends up containing the resourceid for 'Mary Smith'), that means group discovery, collection update, and then finally policy refresh.
Thanks Sherry, I think this is the best bet. When you say set the collection query to 'SMS_R_UserGroup.UsergroupName = "That Group Name," do you mean the AD User group name for 'That group Name' example?' Also, for the collection resource class of 'User Group Resource,' which attribute is it: 'Unique User Group Name' or just 'User Group Name?' Thanks again.
either unique or just will work--you just have to put in the right thing to match.
unique would be like... 'YourDomain\Widgets 3.0"
just the name would be like "Widgets 3.0"
When you go through the collection query builder / wizard, you can see the choices (might take a while to enumerate, depends how many groups you have).
@sherry Thanks so much for your suggestion(s). Everything is working now like I had hoped. As soon as I unlocked a pc in my testing, the software installed very quickly. Within 5 minutes.
How exactly have you setup your Collection for this deploymnet? What do you mean it is take 6 weeks to complete?
A new AD security group will be created for this new deployment. End users will be added into the AD Sec group. Then in SCCM, I'll setup the user collection and create a query based on that new AD Security Group.
The previous deployment, was setup the same way. It took about 6 weeks for everyone to get the software.
But still doesn't say if the problem is discovery, your other IT team or the clients themselves.
What do the logs say is happening?