If you are an organization that uses the Department attribute in Active Directory and wants to target users within those departments for different deployments, but you have a lot of departments and don't know where to start, then this post might be useful for you.
The script in this post retrieves all the departments that ConfigMgr collects from the users' AD Department attribute (this attribute is not collected by default and has to be added to the discovery method; see the guide below) and, for each department, creates a user collection with a query that populates it with all users belonging to that department.
Below you will find the script and a step-by-step guide on how to do this, so let's get started.
<#
Created on: 12/12/2017
Created by: Timmy Andersson
Gets the department attribute from each user, creates a user collection per department and adds all the members of that department to the user collection.
This script is meant to run on the Primary Site.
#>
$SiteCodeObjs = Get-WmiObject -Namespace "root\SMS" -Class SMS_ProviderLocation -ComputerName $env:COMPUTERNAME -ErrorAction Stop
foreach ($SiteCodeObj in $SiteCodeObjs)
{
    if ($SiteCodeObj.ProviderForLocalSite -eq $true)
    {
        $SiteCode = $SiteCodeObj.SiteCode
    }
}
$SitePath = $SiteCode + ":"
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
# The ConfigMgr cmdlets only work from the site drive, so switch to it before calling them.
Set-Location $SitePath
$LimitingCollections = "All Users"
$Users = Get-WmiObject -Namespace "root\SMS\Site_$($SiteCode)" -Class SMS_R_User -ComputerName $env:COMPUTERNAME -ErrorAction Stop
# Distinct, non-empty department values; users without a department are skipped.
$Groups = $Users.department | Where-Object { -not [string]::IsNullOrWhiteSpace($_) } | Sort-Object -Unique
$Sched = New-CMSchedule -DayOfWeek Sunday
foreach ($Group in $Groups)
{
    # Create the collection only when one with that name does not exist yet.
    if (-not (Get-CMUserCollection -Name $Group))
    {
        # Double any single quote in the department name so it stays a valid WQL string literal.
        $Escaped = $Group.Replace("'", "''")
        $Query = "select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.department = '$($Escaped)'"
        New-CMUserCollection -Name $Group -LimitingCollectionName $LimitingCollections -RefreshSchedule $Sched | Out-Null
        # This is a user collection, so the membership rule must be added with the user-collection cmdlet.
        Add-CMUserCollectionQueryMembershipRule -CollectionName $Group -QueryExpression $Query -RuleName $Group
    }
}
First of all we need to gather the department data from each user in Active Directory.
Go to Administration -> Hierarchy Configuration -> Discovery Methods and right-click on Active Directory User Discovery.
Go to the “Active Directory Attributes” pane, find “Department” on the left side and add it to the right column. When that's done, initiate a full scan by right-clicking on Active Directory User Discovery and choosing “Run full discovery now”.
In Active Directory the attribute looks like this, and this is the information we want to gather.
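As an added example that is not part of the original post, the following read-only PowerShell preview lists the departments that discovery has actually collected, with the user count per department, whether a user collection with that name already exists, and whether the name contains a single quote that the collection query would have to escape. It assumes it runs on the Primary Site server after a full discovery and reads the site WMI namespace directly, so it needs neither the ConfigMgr module nor the site drive.

```powershell
# Added example (not from the original post): read-only preview of the departments
# the collection script would act on. Assumes it runs on the primary site server
# after a full Active Directory User Discovery with 'department' added as an attribute.
$SiteCode = (Get-WmiObject -Namespace 'root\SMS' -Class SMS_ProviderLocation -ErrorAction Stop |
             Where-Object { $_.ProviderForLocalSite -eq $true }).SiteCode
$Namespace = "root\SMS\Site_$SiteCode"

$Users = @(Get-WmiObject -Namespace $Namespace -Class SMS_R_User -ErrorAction Stop)
if ($Users.Count -eq 0) {
    throw "No SMS_R_User records in $Namespace. Has Active Directory User Discovery run?"
}

# If the attribute was never added to discovery, SMS_R_User carries no 'department' property at all.
if (-not ($Users[0].PSObject.Properties.Name -contains 'department')) {
    throw "SMS_R_User has no 'department' property. Add it to AD User Discovery and run a full discovery."
}

$NoDept = @($Users | Where-Object { [string]::IsNullOrWhiteSpace($_.department) }).Count
Write-Host "$($Users.Count) users discovered; $NoDept have no department and will not join any collection."

# Existing user collections (CollectionType 1 = user, 2 = device), read straight from WMI.
$Existing = @(Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter 'CollectionType = 1' |
              Select-Object -ExpandProperty Name)

# One row per department: user count, whether a collection of that name exists already,
# and whether the name contains a single quote that must be doubled inside the WQL literal.
$Users | Where-Object { -not [string]::IsNullOrWhiteSpace($_.department) } |
    Group-Object -Property department | Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Department       = $_.Name
            Users            = $_.Count
            CollectionExists = ($Existing -contains $_.Name)
            NeedsQuoteEscape = $_.Name.Contains("'")
        }
    } | Format-Table -AutoSize
```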
Before we run the script there are no user collections except for the default ones.
We run the script locally on the Primary Site server.
And once the script finishes (if you have a lot of departments it could take some time to process, approx. 1-2 seconds per department)
we now have user collections based on departments, with each department's users as members.
That's all from me, and if there are any questions just post them below.
Until next time, cheers!