A few weeks back I was tasked with the enormous task of checking that all device-collections that were associated with an application were linked to a group in the Active Directory and that direct membership wasn’t used. If this had been on, let us say, ten collections it would have been done in about 20 minutes, but in this case it was over 100 collections… Going the long way of right clicking, choosing “Properties”, waiting a few seconds and then selecting the correct tab wasn’t an option, so PowerShell to the rescue!!
The script below will check the membership rules on all device collections located under the folder “Applications” and create a txt-file with the output under C:\fso\.
$foldername = 'Applications'
# ContainerNodeID of the console folder named $foldername
$folderobj = Get-WmiObject -Class SMS_ObjectContainerNode -Namespace Root\SMS\Site_P01 -Filter "Name='$foldername'" | foreach {$_.ContainerNodeID}
# For every collection in that folder, collect its name and its membership rules
$list = Get-WmiObject -Class SMS_ObjectContainerItem -Namespace Root\SMS\Site_P01 -Filter "ContainerNodeID=$folderobj" | ForEach-Object{ Get-CMDeviceCollection -CollectionID $_.InstanceKey | foreach {$_.name, $_.collectionrules} }
$list | Out-File C:\fso\List.txt
The output in the file will look like the image below. I’ve marked the names of the collections in red, the query in green, and clients that have been added with direct membership have been marked with orange.
By doing this, it took me about 20 minutes to eliminate all device collections that were correctly configured and to remove all clients that were added with direct membership and add them to the correct AD-group instead.
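The same check can be turned into a per-rule report instead of a text dump that has to be read by eye. The following is an added example, not code from the original post: the function name `Get-CollectionRuleFinding` is hypothetical, it assumes rule objects expose the properties of their WMI classes (`ResourceID` for `SMS_CollectionRuleDirect`, `QueryExpression` for `SMS_CollectionRuleQuery`), and it assumes an AD-linked query references `SystemGroupName` or `SecurityGroupName`. The sample collections are constructed so the block runs without a site.

```powershell
# Added example: classify every membership rule of a device collection.
# Input: objects with Name and CollectionRules, as Get-CMDeviceCollection returns.
function Get-CollectionRuleFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Collection
    )
    process {
        # Drop $null so a collection without rules yields an empty array
        $rules = @($Collection.CollectionRules | Where-Object { $_ })
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Collection = $Collection.Name; Rule = $null; Finding = 'NoRules' }
            return
        }
        foreach ($rule in $rules) {
            $props = @($rule.PSObject.Properties.Name)
            $finding = if ($props -contains 'ResourceID') {
                'DirectMember'              # a client was added by hand
            } elseif ($props -contains 'QueryExpression') {
                # Assumption: AD-linked queries filter on one of these attributes
                if ($rule.QueryExpression -match '\b(SystemGroupName|SecurityGroupName)\b') { 'OK' }
                else { 'QueryWithoutADGroup' }
            } else {
                'OtherRule'                 # e.g. include/exclude collection rules
            }
            [pscustomobject]@{ Collection = $Collection.Name; Rule = $rule.RuleName; Finding = $finding }
        }
    }
}

# Constructed sample data shaped like Get-CMDeviceCollection output (not real collections)
$sample = @(
    [pscustomobject]@{ Name = 'APP-Example-A'; CollectionRules = @(
        [pscustomobject]@{ RuleName = 'AD group'; QueryExpression = 'select * from SMS_R_System where SMS_R_System.SystemGroupName = "EXAMPLE\\APP-Example-A"' }
    ) }
    [pscustomobject]@{ Name = 'APP-Example-B'; CollectionRules = @(
        [pscustomobject]@{ RuleName = 'All systems'; QueryExpression = 'select * from SMS_R_System' }
        [pscustomobject]@{ RuleName = 'PC-CONSTRUCTED-01'; ResourceClassName = 'SMS_R_System'; ResourceID = 16777220 }
    ) }
    [pscustomobject]@{ Name = 'APP-Example-C'; CollectionRules = $null }
)

# Show only the rules that need attention
$sample | Get-CollectionRuleFinding | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```

Against a live site, the collections returned by `Get-CMDeviceCollection` inside the script's loop can be piped to the function in place of `$sample`.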
Hi There,
I am able to run the script successfully in my SCCM 2012 R2 environment, but I get a WMI Generic error message when I run it in an SCCM CB (1806) environment.
Error Below, any thoughts why?
Get-WmiObject : Generic failure
At H:\scripts\SCCM_Collection_MemberRules_SCCM10.ps1:5 char:9
+ $list = Get-WmiObject -computername tpcmpsa1.prod.travp.net -Class SM …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Hi,
Sorry for the late reply but now it’s much easier to get the info.
Just use this cmdlet; https://docs.microsoft.com/en-us/powershell/module/configurationmanager/get-cmdevicecollectionquerymembershiprule?view=sccm-ps
Best regards
Andreas Molin
Most likely, you have two collection folders with the same name. The script currently makes an assumption that your foldername will be unique among all collections for both user and devices. If your folders are unique among devices but you reuse the name for users, you can solve that by changing your filter to only match device collections, as such:
-Filter "Name='$foldername' and ObjectType=5000"
ObjectType 5000 are device collection folders, ObjectType 5001 are user collection folders. If, however, you reuse your folder names within device collections, then you will need to make some further adjustments. In this case, I would probably use the following instead – we save the filename rather than typing it (now) three times; the device collection check; removing the file if it already exists; running a ForEach loop against all device collections which match our name check; appending rather than replacing the file, which is why we had our earlier file removal:
$foldername = 'Applications'
$exportfile = 'C:\fso\List.txt'
$folderobjs = Get-WmiObject -Class SMS_ObjectContainerNode -Namespace Root\SMS\Site_P01 -Filter "Name='$foldername' and ObjectType=5000" | foreach {$_.ContainerNodeID}
if (Test-Path $exportfile) { Remove-Item $exportfile }
ForEach ($folderobj in $folderobjs) {
    $list = Get-WmiObject -Class SMS_ObjectContainerItem -Namespace Root\SMS\Site_P01 -Filter "ContainerNodeID=$folderobj" | ForEach-Object{ Get-CMDeviceCollection -CollectionID $_.InstanceKey | foreach {$_.name, $_.collectionrules}}
    $list | Out-File $exportfile -Append
}