A few weeks back I was tasked with the enormous task of checking that all device-collections that were associated with an application were linked to a group in the Active Directory and that direct membership wasn’t used. If this had been on a, let us say, ten collections it would have been done in about 20 minutes, but in this case it was over 100 collections… Going the long way of right clicking, choosing “Properties”, waiting a few seconds and the select the correct tab wasn’t an option, so PowerShell to the rescue!!
The script bellow will check the membership rules on all device collections located under the folder “Applications” and create a txt-file with the output under C:\fso\.
$foldername = 'Applications'
$folderobj = Get-WmiObject -Class SMS_ObjectContainerNode -Namespace Root\SMS\Site_P01 -Filter "Name='$foldername'" | foreach {$_.ContainerNodeID}
$list = Get-WmiObject -Class SMS_ObjectContainerItem -Namespace Root\SMS\Site_P01 -Filter "ContainerNodeID=$folderobj" | ForEach-Object{
Get-CMDeviceCollection -CollectionID $_.InstanceKey | foreach {$_.name, $_.collectionrules}
}
$list | Out-File C:\fso\List.txt
The output in the file will look like the image below, I’ve marked the name of the collections in red, the query in green and clients that have been added with direct membership has been marked with orange. (Click for larger image)
By doing this, it took me about 20 minutes to eliminate all device collections that were correctly configured and to remove all clients that were added with direct membership and add them to the correct AD-group instead.
Pingback: PowerShell Guides - A guide to Microsoft ProductsA guide to Microsoft Products