I have SCCM installed in Mixed mode. I can distribute apps to the standard collections, but after creating anew collection based onan AD group for distribution, cannot get it to distribute apps to the members of the AD group. So to summarise my objective, I want to have AD groups that I will put either users or computer accounts into.Collections will refer to these AD groups and target the members of that AD group. That way we can use AD groups to put computer or user accounts into and out of to distribute applications. I have created several collections pointing to an AD group. But it doesn't work. I've used various wizards within SCCM and none have created one that actually targeted the members of the AD group. I presume thatSCCM is actually targeting the group itself and not its members. I can see no errors in logsthat appear torelate. Just no activity after the advertisement is attached to the new collection. Surely this should be simple.... Can anyone explain how to do this? Thanks in advance.

Do the SCCM collections that you are creating based on AD groups get populated with the members of the AD groups?Apologies in advance for asking a daft question.

Hello,Please can you post the queries you are using for your collections?When targeting users of a group it is preferable to use a direct membership rule on the User Group Resource with the Unique User Group Name and this would be different from that for machines which should be a query on the System Resource for the System Group Name.Go to the report for the advertisement to check if those experted resources are targeted.Finally, if you do make users or machines members of a group, the user would need to log in again and the machine would need to be rebooted.Concentrate on the Advertisement Status and the Advertisement report, then the logs for client system after noticing movement form the previous 2 and remember that advertisements targeted at users still require for the user to be logged on to a system for it to register as target.Hope this is helpful.NB: This would normally appear in the Software Distribution thread.Regards,Akin

Thank you both for taking the time to read and reply. I created collections using the "User Group Resource" and "System Group Name" under the catagories and it worked for both user and computer account. Many thanks. I'm yet to see if it dynamically updates these collections when I update the AD groups. It takes a lot of time I've noticed. I will look at tomorrow to see if it updates. But this is a much lower concern. Regards, Geoff.

to_Geoff wrote: I'm yet to see if it dynamically updates these collections when I update the AD groups. It takes a lot of time I've noticed. Hi, To speed this process up you can configure a tighter schedule to update the collection membership. You can configure this on the Membership Rules tab of your collection properties.

However, understand that the more quickly collections update, the more SQL Server and site server processing is required. Same goes for discovery, the more frequent, the more processing required to discover resources, create DDRs, and process them. You have a trade-off - performance versus more frequent data collection.

Why does the user need to login again or the machine need to reboot? I understand if you add a user to a group the permissions granted to the group will not be effective until the user logs off/on -- I understand that from a permissions / AD perspective. Can you explain how this works with SCCM? If a add the user directly to a collection he'll get the advertisement without a log off/on. How is it different when AD groups are involved. Can you explain how a SCCM client queries for advertisements in relation to what group tokens it has?

It's not a matter of security tokens when ConfigMgr comes into play. The siteserver performs an AD user/computer discovery and adds AD group information to a user/computer object in the ConfigMgr database then. The user/computer will then become a member of one or more collections (depending on its criteria). A ConfigMgr policy is created for each advertisement that targets a user/computer object. The ConfigMgr client is polling the MP for policies in a defined interval, so there's no need for logoff/reboot (because the information user/computer <--> advertisement is stored in the ConfigMgr databse).

Thanks for the explaination!Now - if user/group targeting works as stated, why isnt' software distribution that is targeted to users (either directly or through Microsoft Windows security groups) supported for Internet Based Client Managment (IBCM)?Overview of Internet-Based Client Managementhttp://technet.microsoft.com/en-us/library/bb693755.aspxThanks!

Following the link you posted, right in there is the answer to your "Why isn't... ?" question: "The features that are not supported for Internet management typically rely on Active Directory Domain Services (which is not accessible from the Internet)"Standardize. Simplify. Automate.