Building SCCM collections and syncing members to an AD security group opens a multitude of new management options for you. For example:
You can improve Group Policy processing time by eliminating WMI filters.[note]Sync OS version collections to a security group to remove the need for an OS WMI filter, or sync a laptop collection to a security group to target offline file/wireless settings without WMI.[/note]
or
You could query information about installed software and add computers to security groups that enforce Group Policy Administrative templates for those applications.
To get started with syncing SCCM collections, open the SCCM console. In the top left, select the down arrow and choose Connect via Windows PowerShell ISE.
A new PowerShell ISE window should open with about 30 lines of code. Scroll to the very bottom and add a few blank lines.
Paste in the following:
#Sync SCCM Collections to AD Security Groups
#YOUR COLLECTION NAME HERE
$CollectionMembers = Get-CMDevice -CollectionId "COLLECTIONID" | Select-Object -Property Name | Sort-Object Name
foreach ($CollectionMember in $CollectionMembers) {
    $Member = Get-ADComputer $CollectionMember.Name
    Add-ADGroupMember -Identity "SECURITY GROUP NAME" -Members $Member.ObjectGUID -Verbose
}
Find your collection ID in the SCCM console and add it on the $CollectionMembers line. Put your security group name on the Add-ADGroupMember line. Copy and paste those last 5-6 lines for each collection that needs to be synced to AD.
Set up this script to run as a scheduled task. The computer running this script needs both the RSAT Active Directory PowerShell module and the SCCM PowerShell module installed. Be sure that the user running your task can both read the SCCM collection members and write to the specified AD groups. I like saving this script to a Scripts folder on the Primary site and setting it to run every few hours. I also recommend adding a note to the AD security group that members are synced from SCCM – this will avoid a lot of confusion for people later![note]Ask me how I know.[/note]
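The script above only ever adds members, so a computer that leaves the collection stays in the security group and keeps receiving whatever the group targets. The following is an added example, not part of the original post, that reconciles in both directions. The function name Sync-CollectionToGroup is hypothetical, and it assumes the same ISE session with the SCCM and Active Directory modules loaded.

```powershell
# Added example: reconcile one AD group against one SCCM collection (adds and removals).
# Assumes the ConfigurationManager and ActiveDirectory modules are loaded and the
# current location is the site drive, as in the ISE session the console opens.
function Sync-CollectionToGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CollectionId,
        [Parameter(Mandatory)][string]$GroupName
    )

    # Desired state: computer names in the collection.
    $wanted = @(Get-CMDevice -CollectionId $CollectionId | Select-Object -ExpandProperty Name)
    if ($wanted.Count -eq 0) {
        # An empty result may mean a failed query; do not empty the group on that basis.
        Write-Warning "Collection $CollectionId returned no devices; skipping $GroupName."
        return
    }

    # Current state: computer objects that are direct members of the group.
    $current = @(Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'computer')
    $currentNames = @($current | Select-Object -ExpandProperty name)

    # Add collection members that are missing from the group.
    foreach ($name in ($wanted | Where-Object { $_ -notin $currentNames })) {
        $computer = Get-ADComputer -Filter "Name -eq '$name'"
        if (-not $computer) { Write-Warning "$name has no AD computer account"; continue }
        if ($PSCmdlet.ShouldProcess($GroupName, "Add $name")) {
            Add-ADGroupMember -Identity $GroupName -Members $computer
        }
    }

    # Remove group members that are no longer in the collection.
    foreach ($stale in ($current | Where-Object { $_.name -notin $wanted })) {
        if ($PSCmdlet.ShouldProcess($GroupName, "Remove $($stale.name)")) {
            Remove-ADGroupMember -Identity $GroupName -Members $stale -Confirm:$false
        }
    }
}

# Preview the changes first, then run again without -WhatIf.
Sync-CollectionToGroup -CollectionId 'COLLECTIONID' -GroupName 'SECURITY GROUP NAME' -WhatIf
```

Because the removal pass deletes any computer that is not in the collection, use it only on groups whose membership is meant to come entirely from SCCM.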
Let me know how you plan on using this script or if you have any issues when syncing SCCM to AD.