Having been through quite a few CM migrations over the past few years, one of the things that I have seen heavily used in previous versions is nested collections, which had a similar functionality in SCCM as nested groups in Active Directory. However, this option has been removed with CM12, leaving administrators to re-think their collection hierarchy practices. Proper folder management is a large part of that, especially in larger organizations, but top level collections are still just as important, if not more, in the new version of Configuration Manager. The main reason for this is that we use these top level collections to limit the memberships of the operational collections that we (and our support staff) use on a daily basis. We group machines together in large criteria to limit deployments, reports, as well as implement security access for those that use Configuration Manager.
When creating collections in Configuration Manager, and when viewing the Membership Rules tab afterwards, there is an option to Use incremental updates for this collection. I strongly caution on the use of this button, as enabling it on more than a hundred collections can create drastic performance issues in your environment. As a general rule, I will use incremental updates for my top level collections only.
Here are a few of the top level collections that I like to implement for new deployments:
All Workstations
Probably the most important top level collection. This one becomes the Limiting Collection for most (if not all) of the collections that are used by the Help Desk. Software Deployment collections are also often limited to this collection, as server deployments are typically done separate from workstation ones. We’ll also use this collection to apply our security to for our help desk, as in most organizations this team does not work on servers.
As with all the top level collections, this is based upon a Dynamic Query. It simply checks for “Workstation” in the Operating System Name.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameAndVersion like 'Microsoft Windows NT%Workstation%'
All Servers
Similar to the All Workstations collection, the All Servers collection is used to limit deployments to servers, and grant access to server support staff. It uses a similar query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameAndVersion like 'Microsoft Windows NT%Server%'
All Windows 7 Systems
The All Windows 7 Systems collection can be edited to collect all machines of a particular Operating System. These collections are hugely beneficial for Refresh projects, and targeting OS-Specific applications.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%"
All Windows 10 Systems
The All Windows 10 Systems collection is a good base for deployment, however for servicing management the All Workstations is a better target.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10.0%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 10%"
All Recently Added Clients
This collection is an operational Godsend, as it gives us a quick view into the systems that are added each month. This will not only provide us with some greenfield statistics, but will also give us a narrow list of machines that we can spot check to ensure that compliance is being met in various build respects.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceId = SMS_R_System.ResourceId where DATEDIFF(dd, SMS_G_System_SYSTEM.TimeStamp,GetDate()) < 30
All Non-Client Systems
This is an important collection for new Configuration Manager environments. Many places that I have implemented CM12 do not have a stable method of system inventory, making it difficult to ensure that we have adequate client deployment across the enterprise. Creating this collection will provide us with a good list of all the discovered systems that have been unable to install a client, allowing us to focus on remediation.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Client != 1 or SMS_R_System.Client is null
All Laptops
This is a great collection for targeting mobile devices with things like VPN policies…
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ( "8", "9", "10", "14" )
Hopefully these will help managing systems and users in Configuration Manager a little bit easier!
É