Create User collections based on AD department attribute with Powershell

If your organization uses the Department attribute in Active Directory and you want to target users within those departments for different deployments, but you have a lot of departments and don't know where to start, then this post might be useful for you.

The script in this post retrieves all the departments that ConfigMgr collects through the Department attribute in Active Directory User Discovery (the attribute is not collected by default and has to be added; see the guide below). For each of those departments it creates a user collection with a query that populates the collection with all users who are part of that specific department.

Below you will find the script and a step-by-step guide on how to do this, so let's get started.

Guide

First of all we need to gather the department data from each user in Active Directory.

Go to Administration -> Hierarchy Configuration -> Discovery Methods and right-click on Active Directory User Discovery.

Go to the “Active Directory Attributes” pane, find “Department” on the left side and add it to the right column. When that's done, you need to initiate a full scan by right-clicking on Active Directory User Discovery and choosing “Run full discovery now”.

In Active Directory the attribute looks like this, and this is the information we want to gather.

Before we run the script there are no user collections except for the default ones.

We run the script locally on the Primary Site server.

Once the script finishes (if you have a lot of departments it could take some time to process, approx. 1-2 seconds per department), we have user collections based on departments, with each department's users as members of its collection.
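
The approach described in this post, as an added example (not the author's script): it reads the site code from the CMSite drive instead of hardcoding one, escapes each department value before placing it in the WQL rule, and skips collections that already exist. The `Dept - ` name prefix, the comment text, the `All Users` limiting collection and an SMS Provider on the local server are assumptions.

```powershell
# Added example, not the original script. Run on the primary site server
# with the ConfigMgr console installed and rights to create collections.
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

# Read the site code from the CMSite drive instead of hardcoding "PS1".
$SiteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
Set-Location "$($SiteCode):\"   # CM cmdlets only run from the site drive

function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # WQL string literals use backslash escapes for \ and "
    $Value.Replace('\', '\\').Replace('"', '\"')
}

# Distinct, non-empty department values collected by AD User Discovery.
# Assumes the SMS Provider is on this server (no -ComputerName).
$Departments = Get-WmiObject -Namespace "root\SMS\Site_$SiteCode" -Class SMS_R_User |
    ForEach-Object { $_.department } |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique

$Sched = New-CMSchedule -DayOfWeek Sunday   # weekly refresh

foreach ($Dept in $Departments) {
    $Name = "Dept - $Dept"                  # hypothetical naming convention
    if (Get-CMUserCollection -Name $Name) {
        Write-Verbose "Skipping existing collection '$Name'"
        continue
    }
    $Query = 'select SMS_R_User.ResourceId, SMS_R_User.ResourceType, ' +
             'SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain ' +
             'from SMS_R_User where SMS_R_User.department = "' +
             (ConvertTo-WqlLiteral $Dept) + '"'

    # The comment marks script-created collections so they can be found later.
    New-CMUserCollection -Name $Name -LimitingCollectionName 'All Users' `
        -RefreshSchedule $Sched -RefreshType Periodic `
        -Comment 'Created from AD department attribute' | Out-Null
    Add-CMUserCollectionQueryMembershipRule -CollectionName $Name `
        -RuleName $Name -QueryExpression $Query
}
```

Because the query rule is re-evaluated on the refresh schedule, collection membership follows the AD attribute; anyone who can write Department in AD therefore influences which users receive deployments targeted at these collections.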


That’s all from me, and if there are any questions just post them below.

You can also find me over at www.timmyit.com and don’t forget to follow me on twitter https://twitter.com/TimmyITdotcom

Until next time, Cheers !

//Timmy

 

By Timmy Andersson | December 14th, 2017 | Configuration Manager (SCCM), Powershell, Scripting

10 Comments

  1. Angel December 14, 2017 at 17:27 - Reply

    Good stuff, however the script is failing.
    New-CMSchedule : This command cannot be run from the current drive. To run this command you must first connect to a Configuration Manager drive.
    At line:36 char:10
    + $Sched = New-CMSchedule -DayOfWeek Sunday
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : DeviceError: (Microsoft.Confi…ScheduleCommand:NewScheduleCommand) [New-CMSchedule], InvalidOperationException
    + FullyQualifiedErrorId : CommandCannotExecuteFromCurrentDrive,Microsoft.ConfigurationManagement.Cmdlets.Common.Schedule.NewScheduleCommand

    Get-WmiObject : Invalid namespace “root\SMS\Site_PS1”
    At line:37 char:10
    + $Users = Get-WmiObject -Namespace “root\SMS\Site_PS1” -Class SMS_R_User -Compute …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    • Timmy Andersson December 14, 2017 at 18:21 - Reply

      Thanks Angel ! I have corrected the error and the script should work fine now 🙂

  2. Austin WongCarter December 14, 2017 at 18:34 - Reply

    Why wouldn’t you add the attribute into AD discovery and then use a Collection Query rule so it would auto-update?

    • Austin WongCarter December 14, 2017 at 18:36 - Reply

      I should read the entire post before replying…

  3. Angel December 14, 2017 at 19:25 - Reply

    “root\SMS\Site_PS1” getting invalid namespace. Do I have to site site_PS1 for my site code?

    angel

    • Timmy Andersson December 14, 2017 at 19:33 - Reply

      My bad, I’ll fix the script again haha. But in the meantime yes you can just replace PS1 with the site code of your environment. Thanks again Angel !

  4. Jens Nygaard December 20, 2017 at 11:23 - Reply

    Is it possible to put the results into a folder instead of create all the collections in the rootfolder?

  5. […] Full instructions and all the Powershell scripts you would need to carry this out is available from here. […]

  6. Leif June 1, 2018 at 14:57 - Reply

    What if a user moves to another department? Will the user then stay in the old department collection and in the new one in SCCM?

  7. Holly M Reagon June 15, 2018 at 20:23 - Reply

    Is it possible to undo this once you’ve run the script?
