Help! I’m using group AD group membership to distribute applications. I have AD groups that contain machine accounts as members. SCCM is installed in DomainXYZ but I am also managing workstations in DomainABC (in another forest). My collections have a query similar to this: select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DomainXYZ\\APP-MicroSoft_Office-2003 This works well when the AD machine accounts are in DomainXYZ, however, I have machine accounts from DomainABC which are member of the AD group in DomainXYZ. These workstations from domainABC do not appear in my collections. I ran and re-ran the AD system group Discovery with no luck. When I look into the properties of the workstation from DomainABC (in SCCM), specifically the property “System Group Name”, I only see the group membership of the originating domain and not the group memberships domainXYZ . (I configured AD System Group Discovery to scan the DomainABC also). If this is normal behaviour, this means I will have to create my AD group structure in both domains and add something like "OR SMS_R_System.SystemGroupName = "DomainABC\\APP-MicroSoft_Office-2003" to the query in my collections . Has anybody encountered this situation? If so, how did you work around it. Thanks, Jesmat

... = "DomainXYZ\\APP-MicroSoft_Office-2003 What about using .. like "%App-Microsoft_Office-2003" (instead of 'is equal to')?

Hi Torsten, Agreed, but my problem has to do more with that fact that group membership for wks residing in domainABC is not captured. Ex: Wks-XYZ is member of group1-XYZ, Wks-ABC is member of group1-XYZ (ABC and XYZ indicate the domain in which they are located) When I look into the properties of the workstation Wks-XYZ, specifically the property “System Group Name”, I only see the group membership “domainXYZ\group1-XYZ”. When I look at Wks-ABC, SCCM does not see it as member of “domainXYZ\group1-XYZ”. Is this normal? If it is, I’ll just create the group hierarchy in the other domain and modify the query as per your suggestion. Thanks, Jesmat.

Does AD system group discovery work for both domains (adsysgrp.log)? Is there a trust between the domains?

Hi, Yes there is an external trust between the domains. Is this sufficient...does it require a forest trust? Yes have I configured AD System Group Discovery to scan DomainABC. When I look at, for example, Wks-ABC, I can see its group membership in DomainABC only...I still don't see its group membership in DomainXYZ. Jesmat.

Maybe this helps you: http://www.jannesalink.com/blog1.php/2008/10/16/deploy-sccm-packages-based-on-active-dirFollow me through my blog and Twitter!

Hi, Not it doesn't help. AD system Discovery and AD System Group Discovery is configured to scan both DomainABC and DomainXYZ. However, I only see the group memberships of the wks originating domain. Jesmat.

adsysgrp.log What about the logfile I mentioned earlier? What do you see in there when the server is trying to discover resources from the other domain?

Hi, I'm closing this thread. I have not discoverred why I'm having this issue but have done a work arround (we're creating the group structure in both domains and having the wks be a member of the group in its domain). Also, we will be migrating the other domain to our main domain (which has SCCM) by year end and this will no longer be an issue. Thanks for your help. Jesmat