Collection query based on AD group

Question

Hi,
I wanted to confirm if my observations on AD group name queries are correct as it doesnt seem to be documented anywhere.
First, the AD group name is always the samaccountname attribute. If you change the samaccountname in AD it will break the query. You have to update the group name in CM manually.
If you use a query to select members for a new collection, it will only find user accounts that are direct members of the group - no recursive search.
If you use direct membership however, then it will recursively search for all users be they direct or indirect members of that group.

All the above correct?
Thanks
David Z

Answer 1

Hi, @David Zemdegs

Thank you for posting in Microsoft Q&A forum.

The first and second is Yes.
The third question, when we use direct membership, we can select "All Users" or "All User Groups" as limiting collection.
When we select "All Users", it will search for all users, when we select "All User Groups", it will search the groups we selected as resource.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

For 2, it will depend on how you write you query. Aka are you querying the group itself or are you querying the device within the group. Keep in mind that it is cm client themselves that determine if they are a member of the group, then they tell cm, what they belong too.

Answer 3

For direct membership I am adding the group itself. From my observations this will target all members of that group directly and indirectly.
I just find it strange that this isnt documented and that queries (on a group) only do direct membership.