PowerShell to the rescue – Clean up direct collection memberships

We were talking to a customer about how to avoid waiting for Active Directory group synchronization and get a device into the correct collections faster than "at the next synchronization".

The main problem with this setup was that they used group-in-group (nested) membership to drive collection membership, and SCCM 2012 apparently does not pick up indirect (nested) group changes as delta discovery changes (I have not tested this in detail yet).

So we came up with the idea of creating a direct membership rule to place the device in the collection instantly, making sure it is there when the client loads its first policy.

While that cuts the synchronization delay to almost nothing, it creates a new problem: later changes to the group membership no longer affect the collection correctly, because a member is not removed while a direct membership rule for it is still in place. So we need a process to clean up this mess.

The solution was fairly simple to implement using a PowerShell script.

Please note that the script is meant to run on the site server using the current credentials. The script was tested on SCCM 2012 SP1 with PowerShell 3.0 and is provided as is; any comments and input are welcome.

Now let’s start coding …

 

First let's create a function so the script is simple to call with a few arguments.


 

Next we get the collection object from SCCM and create two arrays for later use. Then we find all direct membership rules of the collection and store them in the $directmembers variable.


 

Before doing a lot of work we check whether there are any direct members; if not, there is no reason to continue.


 

Then we loop through all rules that contain a query. Each query expression is run directly through WMI to get the members it matches.

Any resources returned by a query are then added to the $members array (if not already there).


 

Now that we have all direct members and all members from the queries, we can do the cleanup.

We loop through all the direct rules and check whether the referenced resource is found in the $members array (which contains all members from the queries).

If we find the resource, we can safely delete the direct rule from the collection: the query rule keeps the resource in the collection, and once the direct rule is gone the resource will drop out again when the group membership changes.


 

Finally we request a membership refresh on the collection so that SCCM is in sync.


 

The last bit we need is to call the function with the arguments supplied to the script.


 

That's it folks; now no resource is in the collection both through a query rule and through a direct rule.

To call the script, use a syntax like the one below; you will of course have to replace the site code and collection ID with your own values.
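As an added example (my own script written for this page, not the author's download, and not run against a live site server here), the steps above put together as one function against the SMS Provider WMI classes (SMS_Collection with its lazy CollectionRules property, SMS_CollectionRuleDirect, SMS_CollectionRuleQuery, and the DeleteMembershipRule and RequestRefresh methods). The function name, parameter names and the placeholder site code and collection ID are my choices. Like the post, it only compares direct rules against query rules; include and exclude collection rules (SMS_CollectionRuleIncludeCollection / SMS_CollectionRuleExcludeCollection, introduced in SP1) are not evaluated, so a direct rule for a device that is a member only through an include rule is left in place, which errs on the safe side.

```powershell
# Added example, not the original post's script.
# Removes direct membership rules from a collection for resources that are
# already members through one of the collection's query rules.
# Assumes: runs on the site server (or a host that can reach the SMS Provider)
# under an account that has Modify rights on the collection.
function Remove-RedundantDirectRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteCode,
        [Parameter(Mandatory = $true)][string]$CollectionID,
        [string]$ComputerName = $env:COMPUTERNAME   # host of the SMS Provider
    )

    $namespace = "root\SMS\site_$SiteCode"

    # Fetch the collection. CollectionRules is a lazy property, so call Get()
    # to populate it; without that the rules array comes back empty.
    $collection = Get-WmiObject -ComputerName $ComputerName -Namespace $namespace `
        -Class SMS_Collection -Filter "CollectionID='$CollectionID'"
    if (-not $collection) { throw "Collection $CollectionID not found in $namespace" }
    $collection.Get()

    $rules       = @($collection.CollectionRules)
    $directRules = @($rules | Where-Object { $_.__CLASS -eq 'SMS_CollectionRuleDirect' })
    $queryRules  = @($rules | Where-Object { $_.__CLASS -eq 'SMS_CollectionRuleQuery' })

    if ($directRules.Count -eq 0) {
        Write-Verbose "No direct rules on $CollectionID, nothing to do"
        return 0
    }

    # Run every query rule's WQL through the provider and collect the
    # ResourceIDs it returns. A hashtable de-duplicates and gives O(1) lookups.
    $queryMembers = @{}
    foreach ($q in $queryRules) {
        $hits = Get-WmiObject -ComputerName $ComputerName -Namespace $namespace -Query $q.QueryExpression
        foreach ($r in @($hits)) {
            $queryMembers[[int]$r.ResourceID] = $q.RuleName
        }
    }

    # Delete direct rules that duplicate a query hit. Direct rules whose
    # resource is NOT returned by any query are kept: they are the only thing
    # holding that resource in the collection.
    $removed = 0
    foreach ($d in $directRules) {
        $id = [int]$d.ResourceID
        if (-not $queryMembers.ContainsKey($id)) { continue }

        $why = "Delete direct rule; already matched by query '$($queryMembers[$id])'"
        if ($PSCmdlet.ShouldProcess("$($d.RuleName) (ResourceID $id)", $why)) {
            $result = $collection.DeleteMembershipRule($d)
            if ($result.ReturnValue -ne 0) {
                Write-Warning "DeleteMembershipRule for ResourceID $id returned $($result.ReturnValue)"
            } else {
                $removed++
            }
        }
    }

    # Ask the site to re-evaluate membership so the console reflects the change.
    if ($removed -gt 0) { $null = $collection.RequestRefresh() }
    Write-Verbose "Removed $removed direct rule(s) from $CollectionID"
    return $removed
}

# Usage (placeholder site code and collection ID, replace with your own):
# Remove-RedundantDirectRule -SiteCode 'P01' -CollectionID 'P0100012' -WhatIf -Verbose
# Remove-RedundantDirectRule -SiteCode 'P01' -CollectionID 'P0100012' -Verbose
```

Two things worth keeping in mind when running something like this. Collection membership is what targets deployments, task sequences included, so deleting rules is a change to who receives what; the account needs Modify rights on the collection through RBAC, and the -WhatIf pass shows exactly which rules would go before anything is removed. The query rules are also evaluated as raw WQL, without the collection's limiting collection applied; that does not matter for this comparison, because a direct rule is subject to the same limiting collection as the query rule, but it means the hit list can be larger than the collection's actual membership.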


 

The complete PowerShell script can be downloaded from the link below

Download "CollectionCleanup" (CollectionCleanup1.zip, 1 KB)

By Ronnie Jakobsen | March 12th, 2013 | Configuration Manager (SCCM), PowerShell | 3 Comments

About the Author:

Ronnie Jakobsen
Twitter: @RonnieJakobsen

3 Comments

  1. David O'Brien (@david_obrien) March 12, 2013 at 21:34

    Hi Kent,
    nice work with WMI!

    I wrote a script just a week ago doing the exact same thing with the native SP1 cmdlet
    http://www.david-obrien.net/2013/02/24/remove-direct-membership-rules-configmgr/

    But as I said several times the last days: I still like the WMI approach more, because of error handling and output.

    • Ronnie Krarup Jakobsen March 13, 2013 at 8:59

      Hi David, sorry, I am not the Kent you might think I am; my name is in fact not even Kent, it's Ronnie :-), but your comments are still very welcome.

      I took a quick look at your script and there is a small difference compared to my script. Your script removes all direct memberships from a collection, whereas mine only removes direct memberships for resources that are also members by one or more queries.

  2. anan2k December 18, 2013 at 15:03

    Hi Ronnie

    Your scripting is simply gr8!
    I am in a similar need, but I am not into PowerShell; will you be able to help me?

    1. Obtain the list of “All Users” collection that have been defined as a Primary User of a device, and what that Users ShortName and Device name is

    2. Obtain the list of user from Active Directory that have their “Title” attribute equal to “Non-Employee” (samAccountName)

    3. For each user that is returned from AD, determine if they are assigned as a Primary User of a Device and write the Device name to a file

    4. Continue to append all of the applicable Device names to the file

    5. End Result = List of all Devices that have Users that have their AD Attribute “Title” equal to “Non-Employee”
