Given the best practice limit of 200 incremental collections in Configuration Manager 2012 and the desire to provide near real-time updates to collections based on a significant number of Active Directory groups, I decided to write a script that replicates the incremental collection functionality (with some intelligence).

This script:

  • Enumerates collections in Configuration Manager using WMI (SDK) or SQL (faster)
  • Finds collections referencing Active Directory groups
  • Checks the corresponding groups in Active Directory to see if they have been updated since the last script execution (minus 7 minutes to cater for delta update timing in Configuration Manager)
  • Requests updates of collections that have groups which have been updated recently

Script requirements

  • Access to query collections (either using WMI or SQL depending on your preference)
  • Access to request collection updates for relevant collections
  • Access to read relevant directories
  • Assumes Active Directory Group Discovery is configured with a 5 minute delta update

Script Setup

The script is configured to cater for multiple domains if necessary. By default, if a group name in a collection query is specified as like ‘%\groupname’ (a wildcard in place of the domain), the domain section will be replaced with the domain of the account running the script (taken from environment variables). You can change this at the top of the script by editing the array $configureddomains.
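The following is an added example (not the script from the TechNet Gallery download) showing the core of the procedure described above: read the last-run time from the flag file, walk the collection query rules over WMI, check each referenced group's whenChanged in Active Directory, and call RequestRefresh on collections whose groups changed. The site code P01, the SystemGroupName/SecurityGroupName query shape and the $SlackMinutes name are assumptions.

```powershell
# Added example, not the original script. Assumes: site code P01 (placeholder), the SMS provider
# on $SCCMServer, the ActiveDirectory module, and queries of the form  SystemGroupName like "DOMAIN\\Group".
param(
    [string]$SCCMServer = $env:COMPUTERNAME,
    [string]$SiteCode = 'P01',             # placeholder site code
    [string]$LastRunFlagFile = 'lastrun.txt',
    [int]$SlackMinutes = 7                 # cater for the 5 minute AD Group Discovery delta
)

# Last execution time is the flag file's modified date; on first run look back one day.
if (Test-Path $LastRunFlagFile) {
    $since = (Get-Item $LastRunFlagFile).LastWriteTime.AddMinutes(-$SlackMinutes)
} else {
    $since = (Get-Date).AddDays(-1)
}
$ns = "root\SMS\site_$SiteCode"

# Matches the group reference inside a WQL collection query.
$groupPattern = '(?:SystemGroupName|SecurityGroupName)\s+(?:=|like)\s+"([^"]+)"'
$updated = @{}   # cache: "DOMAIN\Group" -> $true/$false, so each AD group is queried once

foreach ($coll in Get-WmiObject -ComputerName $SCCMServer -Namespace $ns -Class SMS_Collection) {
    $coll.Get()   # CollectionRules is a lazy property; Get() populates it
    $rules = @($coll.CollectionRules | Where-Object { $_.__CLASS -eq 'SMS_CollectionRuleQuery' })
    $needsRefresh = $false
    foreach ($rule in $rules) {
        foreach ($m in [regex]::Matches($rule.QueryExpression, $groupPattern)) {
            # WQL doubles backslashes; a '%' domain part means "use the running account's domain"
            $raw = $m.Groups[1].Value -replace '\\\\', '\'
            $domain, $name = $raw -split '\\', 2
            if (-not $name) { $name = $domain; $domain = $env:USERDOMAIN }
            if ($domain -eq '%') { $domain = $env:USERDOMAIN }
            $key = "$domain\$name"
            if (-not $updated.ContainsKey($key)) {
                $g = Get-ADGroup -Filter "Name -eq '$name'" -Server $domain -Properties whenChanged
                $updated[$key] = [bool]($g -and $g.whenChanged -gt $since)
            }
            if ($updated[$key]) { $needsRefresh = $true }
        }
    }
    if ($needsRefresh) {
        Write-Output "Requesting refresh of $($coll.CollectionID) ($($coll.Name))"
        [void]$coll.RequestRefresh()
    }
}
# Touch the flag file so the next run only considers changes made after this point.
Set-Content -Path $LastRunFlagFile -Value (Get-Date).ToString('o')
```

A group whose name does not match an Active Directory group exactly (the limitation noted below) simply returns nothing from Get-ADGroup and is treated as unchanged.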

Script parameters

  • UseWMI (Switch; default False): Using SQL to query for collection queries is much faster; however, you may prefer to use WMI.
  • WRITELOGFILEPATH (String; default C:\Windows\temp\scriptname_yyyyMMdd.log): The path you want to log to.
  • TimeDifference (int; default 10): The time zone offset.
  • lastrunflagfile (string; default lastrun.txt): The path to write and read the last run text file from. The date modified time of this file is used to determine when the script was last executed. It is created at first run.
  • SQLServer (string; default $env:computername): The SQL Server name and instance (if not default) in the usual format SERVER\instance.
  • DBName (string; default CM_P01): The Configuration Manager database name.
  • SCCMServer (string; default $env:computername): The Configuration Manager server with the SMS provider installed (usually the ConfigMgr primary server).

Current limitations

  • The group name in the query must match Active Directory exactly (i.e. a query searching for groups with a name like %cmrole% won’t work unless there is a group called cmrole)

Recognized future improvements

  • Archive log files
  • Recursive search of sub groups
  • Remotely trigger machine policy for computer objects

Change Log

  • 0.1, Scott Breen: Initial Version
  • 0.1, Scott Breen: General tidy up and error checking
  • 0.1, Scott Breen: Updated with option to connect to WMI rather than SQL

Disclaimer

This script is offered “as is” with no warranty. While these scripts are tested and working in my environment, it is recommended that you test these scripts in a test environment before using them in your production environment.

Download

You can find the download link on TechNet Gallery – Invoke Delta Active Directory Group Collection Update for ConfigMgr 2012