Let’s create SCCM collection based on Active Directory OU. You can create device collection based on the AD organizational unit (OU). You can create device and user collections based on AD OU.
You can also create collections based on AD groups. You must enable Active Directory Group discovery to use device collections based on Active Directory groups. The device or user collections based on AD OU helps to segregate devices based on entity, location, etc.
Azure AD doesn’t have the granularity of creating OUs (Organization Units). SCCM adds devices into the Azure AD group depending on the Collection membership. This feature can be used for static or dynamic collections. The feature helps create Azure AD device groups based on OU if those devices are Hybrid Azure AD.
You can also create a dynamic device or user collections using Active Directory OU. So the dynamic collections are built based on WQL queries.
- Verify SCCM Collection Query Preview Tool
- What is Collection, How to Create SCCM Static/Direct Collections
Move Devices to a Different Active Directory OU
Let’s understand how to move devices (computer records) to a Different Active Directory OU. By default, all the computer accounts are placed in Computers OU. I tried to move some of the device records from Computers to SCCM – IT Organization Units.
- Open DSA.MSC (Active Directory Users and Computers) from command prompt.
- Navigate to Computers OU and select the device records – Rught click and select the button MOVE.
- Now, you need to select destination OU (SCCM – IT).
- Click OK to complete the move.
Create Device Collection based on AD OU
Let’s create a dynamic device collection based on AD OU. I wanted to create a collection based on the user’s department. This also helps manage the device in a dynamic way when a user moves the department.
You can also use the implicit uninstall feature in SCCM to uninstall applications when the user moves from one department to other. Follow the steps described below?
- Open SCCM Admin console.
- Navigate to \Assets and Compliance\Overview\Device Collections.
- Right Click Device Collection node and select Create Device Collection.
Let’s specify the details of the device collection.
- Enter the Name Of the Collection – HTMD IT Dept Devices.
- Enter the Description of the Collection – Collection based on AD OU IT Departement.
Select the Limiting collection – Select a collection to use as a limiting collection. The limiting collection establishes the resources you can add to this collection using membership rules. And click on the Next button to continue.
NOTE! – Avoid using All Systems or All Devices collection as Limiting Collection as explained in fix SCCM Limiting Collection Issue.
Create WQL Query for Active Directory OU Devices
Let’s Create WQL Query for Active Directory OU in this section. You can either copy the WQL query given in this post below, or you can follow the step to understand the best way the WQL query.
The membership rules determine the resources included in the collection and when it updates. You can use membership rules to add specific objects or a set o objects from a query. In this case, it’s based on the OU of a particular Windows 10 or Windows 11 device.
- From the Membership Rules page of the Create User Collection Wizard, in the Add Rule list,
- Select the type Query Rule membership rule for this collection.
You can configure multiple rules for each collection. Select Query Rule to continue with the creation of dynamic device collection.
On the Query Rule Properties windows, specify the following information, such as the name of the query, resource class, etc.
- Enter the Unique Name of the Query – HTMD IT AD OU Based Query.
- Select the Resource Class as System Resource for device collection.
- Click on Edit Query Statement button to contue building dynamic query from Query Statement Properties.
- Click on Criteria tab to conitnue.
- Now, you need to click on the * button from the results window to build the dynamic device collection based on Active Directory OU.
From the Criterion Properties window, click on the select button to select the Attribute for the WQL query. You need to choose different attributes from the “Criterion Properties” window from the ” Criterion Properties ” window.
- Criterion Type – Simple Value.
- Click on the Select button.
From the select attribute window, you need to select class, alias as, Attribute, etc. As shown in the below list, you need to create a WQL query based on Active Directory Organizational Unit.
- Attribute Class – System Resource (from the drop down list).
- Alias as – No Alias.
- Attribute – System OU Name.
- Click on the OK button to continue.
The Where field in the Criterion Properties window is filled with the value with System Resource – System OU Name as explained in the above list.
- Operator – is queal to.
- Click on the Value buttom.
- Select MEMCM.COM/SCCM/IT OU from the Values window.
- Click on the OK and OKbutton to coninue.
Click on the Show Query Design button from the Query Statement Properties window.
select * from SMS_R_System where SMS_R_System.SystemOUName = "MEMCM.COM/SCCM/IT"
WQL Query Results Preview – AD OU based Dynamic Device Collection
Let’s validate WQL Query with the Query Results Preview option in SCCM. This helps to confirm whether the WQL query (Dynamic query) based on Active Directory OU is working fine or not.
- Click on the GREEN video play button from Query Statement Properties window.
- Click on the RUN button from Query Results Preview window to get the results of WQL query.
- Check the results and if it’s ok, click on the Close button.
Create SCCM Collection based on Active Directory OU
Let’s complete the process of creating SCCM Dynamic Device Collection based on Active Directory OU in this section of the post.
Click the OK and OK buttons to complete the dynamic query creation process.
Click on the Next button to continue. I normally keep the default Full Update Schedule for the collection. Also, it’s better to avoid using the option called “Use Incremental updates for this collection.”
Let’s complete the dynamic device collection based on the Active Directory OU creation process by clicking on the Next button three (3) times and clicking on the Close button.
Troubleshooting – Fix SCCM Collection based on AD OU Issue?
Let’s see how to start troubleshooting and Fix SCCM Collection based on the AD OU Issue? The following are some of the tips where you can start troubleshooting.
When you don’t see any devices in the collection, you will need to ensure that AD System Discovery is working fine. SCCM can identify the changes of OU for a number of devices because of the OU move that we had performed, as explained above.
Check the log file called ADSysDis.log from F:\Program Files\Microsoft Configuration Manager\Logs to confirm the discovery with new OU details is already completed or not. The following entries should be in the log file with new OU details.
INFO: search filter = '(&(uSNChanged>=4149766)(&(objectClass=user)(objectCategory=computer)))'
INFO: discovered object with ADsPath = 'LDAP://ADMEMCM.MEMCM.COM/CN=WINDOWS11,OU=IT,OU=SCCM,DC=memcm,DC=com'
INFO: DDR was written for system 'WINDOWS11' - F:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adsyo8g1.DDR
You can check the collection evaluation details from the console “\Monitoring\Overview\Collection Evaluation” node. You can get more information from the CollEval.log file.
In this example, the Collection ID = MEM00028. You can see that the collection is updated with new 4 entries.
Update flags for collection: EvaluationCRCChanged=TRUE, ScheduleCRCChanged=TRUE, AwaitingRefresh=TRUE
A manual refresh has been requested for collection MEM00028
[Single Evaluator] Starting
PF: [Single Evaluator] starts to evaluate collection [MEM00028]
Results refreshed for collection MEM00028, 4 entries changed.
PF: [Single Evaluator] successfully evaluated collection [MEM00028] and used 1.297 seconds
Result
Now, ConfigMgr Collection based on AD OU is ready for App Deployment. There are seven (7) devices in the OU called SCCM\IT, as you can see in the below screenshot. I used this OU to create a dynamic device collection based on Active Directory OU.
Now, let’s understand why there are only four (4) devices are shown in the collection. This is because SCCM couldn’t create the DDR from the Active Directory System Discovery process.
The rest of the three (3) devices are not reachable (and no DNS records?), and that could be the reason for missing these three (3) devices.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Even preferable are PowerShell scripts with embedded LDAP querying AD (or AAD) directly to create these SCCM collections using the correct cmdlets.
This is the method I use for creating device collections, but this does not actually query Active Directory for the results. It queries the computer for the OU that the computer is assigned to. This works as long as every computer connects to Active Directory after you make an OU change. If you have a laptop that you move to a different OU in Active Directory, your query and device collection will not be accurate until that laptop connects to Active Directory and gets the new OU information. Am I right or wrong?
I followed this and it works very well. The problem we are seeing is not that some computers are not showing up that are ctually in that particular OU. The issue is that we are seeing many other objects in the query run complete listing which are not there when you look inside ADUC. In ADUC, I see only 2 computers, but in the query I see 10. What causes this? It’s like ghosted objects that might have once been located in this OU. Any info on how to fix this?