Dynamic collections how to remove member
Hi, I've made a collection and some membership rules based on membership in Active Directory security groups - when I add a computer to the security group and then run Active Directory security group discovery and then update collection membership, then the computer becomes a member of the collection. When I remove the computer from the Active Directory security group - run Active Directory security group, Active Directory system group discovery and Active Directory system discovery - and then update collection membership, the computer is still a member of the collection. My question is then: how do I remove the computer from the collection when it is no longer a member of the Active Directory security group? Thanks in advance!!!
January 28th, 2011 7:04am

AD System Group Discovery is used to find the OU and system group information for systems assigned, and AD Security Group Discovery is used to find security groups for users and computers. You should have created the collection based on the sec group with system group name criteria to find the computers that are all members of the sec group (this requires the AD system group name), and this doesn't require AD Security Group Discovery. When you remove the computer from the sec group, the computer should be removed from the collection when AD System Group Discovery runs and the collection is updated. Can you post the WQL query which you are using, please? What do the discovery logs say?
My Blog @ www.eskonr.com
January 28th, 2011 7:13am

I've tried AD security group discovery. Here is the query - it finds computers in the security group "office 2010" but does not delete them when the computer is no longer a member of the security group:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "domain\\OFFICE 2010"

Is it the discovery log on the server or client? Do you have the name of the log? On my client's properties the system group name is still domain\OFFICE 2010 and I have removed it from my AD security group.
January 28th, 2011 7:19am

Hello - Discovery logs are on the server. See the log file details below:
http://technet.microsoft.com/en-us/library/bb892800.aspx

Adsgdis.log - Records Active Directory Security Group Discovery actions.
Adsysgrp.log - Records Active Directory System Group Discovery actions.
Adsysdis.log - Records Active Directory System Discovery actions.

Anoop C Nair
January 28th, 2011 7:58am

After removing the computer from the AD sec group, can you wait until AD System Group Discovery runs (or run it manually if it doesn't cause network bandwidth issues) and try updating the collection membership? You can monitor adsysgrp.log from the SCCM server (Drive:\SCCM installation dir\Logs) for more info.
My Blog @ www.eskonr.com
January 28th, 2011 8:01am

Thanks, I'll be back after looking through the logs!
January 28th, 2011 8:05am

The discovery only DISCOVERS objects, it doesn't delete. If you want to automate, you have to enable the "Delete Aged Discovery Data Task". This task deletes aged client discovery data from the Configuration Manager 2007 site database. This data can include records resulting from heartbeat discovery, network discovery, and Active Directory Domain Services discovery methods (System, User, and System Group).
http://technet.microsoft.com/en-us/library/bb693856.aspx
January 28th, 2011 8:13am

Well, it seems that the discovery process is OK - but my computer client doesn't get updated - when I look at the properties - general - discovery data - the system group name is still present with domain\OFFICE 2010. I have updated the client through initiate update; why doesn't it get updated with the information that it is no longer a member of the security group?
January 28th, 2011 8:16am

Well should it update the client with its security group membership - and no longer be a member in the collection when removed from the AD security group
January 28th, 2011 8:32am

This topic is archived. No further replies will be accepted.
