Using PowerShell to Create Multiple Device Collections in SCCM 2012 R2 Based on Active Directory Organizational Units (OUs)

Hi All,

In this article I will be discussing and providing a PowerShell script I recently wrote which queries OUs in Active Directory and creates device collections in System Center Configuration Manager 2012 based on the OU name. All machines that have the SCCM agent installed and are located in those OUs will be populated into the newly created collections. This can save a great deal of time if you have many device collections to create. You will need to have the “Active Directory” and “Configuration Manager” modules for PowerShell installed on the computer you are running this script from. The session must also be changed to point to the Configuration Manager PSDrive. The script needs to be run using the x86 version of PowerShell. There are a few ways to do this, but for the purpose of this article I will go through the steps I feel are the easiest to set up the prerequisites.

Log on to a server where the Configuration Manager Console is installed and install the Active Directory Module for PowerShell on this machine so you can access those cmdlets. Next, open the Configuration Manager Console, click the down arrow in the top left corner and choose “Connect via Windows PowerShell” as shown below.

A PowerShell window will now open which will have the Configuration Manager Module for PowerShell loaded and the session will be pointed to the Configuration Manager PSDrive as shown below. Since PowerShell 3.0 was required for the Configuration Manager PowerShell module, the Active Directory Module will load in automatically when one of its cmdlets is accessed from the script.

Now copy the following code into Notepad and save it with a .ps1 extension, or download the full script here: New-OUBasedDeviceCollection. Then read the following sections for usage and parameter information before running the script.

param(
    [Parameter(Mandatory = $true)]
    [string]$Searchbase,
    [string]$LimitingCollection = 'All Desktop and Server Clients',
    [string]$SearchScope = 'Subtree',
    [string]$Append,
    [string]$RefreshType = 'Manual'
)
# Find the OUs under the search base; CanonicalName is the value compared with SystemOUName below
$OUS = Get-ADOrganizationalUnit -SearchBase $Searchbase -SearchScope $SearchScope -Filter * -Properties canonicalname
foreach ($OU in $OUS) {
    $Name = $OU.Name
    $Canonical = $OU.CanonicalName
    # Create the collection, then add a query rule that selects the clients located in this OU
    New-CMDeviceCollection -Name "$Name $append" -LimitingCollectionName $LimitingCollection -RefreshType $RefreshType
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName "$Name $append" -QueryExpression "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = '$Canonical'" -RuleName "$Name $append OU"
}

Parameters Explained

For my example, I will be copying the script I named “New-OUBasedDeviceCollection.ps1” to the “C:\SCCMScript” directory. Now before we run the above script, I need to explain how to use the parameters so it will properly execute. There are 5 parameters that can be specified.

Searchbase – This parameter is required. It specifies the distinguished name of the top level OU where you want to start your search for collection creation. In this example I will use “OU=Servers,DC=pipe2text,DC=com”.

LimitingCollection – This parameter is used to define the Limiting Collection for your device collection. If you do not specify this parameter it defaults to the “All Desktop and Server Clients” device collection.

SearchScope – This parameter tells the script how deep under the initial OU (in this example the “Servers” OU) to search for OUs to create device collections. There are 3 options to choose from and they are “Base”, “OneLevel” or “Subtree”. If you do not specify this parameter it will default to Subtree. In my example Subtree would create a collection group based on every OU located under the Servers OU (including the Servers OU). For the OUs in the illustration below you would have a collection group created for the Servers, Print, File, Mail, and SQL OUs.

Append – The Append parameter is used to append any text you would like to add at the end of the collection group name and the rule name. For example, taking the above illustration, if you specified the word “Servers” it would append the word Servers to each collection name and rule name as shown below. As you can see, the collection name is called “File Servers” and the rule name is called “File Servers OU”. If you do not specify the Append parameter no text will be appended (in this example the collection name would be “File” and the rule name would be “File OU”).

RefreshType – This parameter lets you set the option to “Use incremental updates for this collection”. Choose either “Manual” or “ConstantUpdate”. Choosing Manual leaves the box unchecked (shown below). Choosing ConstantUpdate checks the box. If this parameter is not specified the default is Manual.

Now that I have explained all of the parameters, let’s run the script.

Running the Script

In my example I will be creating Collection Groups based on the “OU=Servers,DC=pipe2text,DC=com” Organizational Unit and every OU underneath it. The Limiting Collection will be “All Desktop and Server Clients”, we will append the word “Servers” and check the box to “Use incremental updates for this collection”. My script is located in the “c:\sccmscript” directory. Go back to the PowerShell console we opened from the SCCM Console earlier and run the following command, changing the parameters so they are suitable for your environment. Specify the full path to the location where you saved the script. Remember, the session must point to the Configuration Manager PSDrive for the script to run properly.

The Command:

C:\SCCMScript\New-OUBasedDeviceCollection.ps1 -searchbase "OU=Servers,DC=pipe2text,DC=com" -LimitingCollection "All Desktop and Server Clients" -SearchScope Subtree -Append Servers -RefreshType ConstantUpdate

Output for each created device collection will look similar to the following illustration:

Now if you look under “Device Collections” under the “Assets and Compliance” node in the SCCM 2012 Console you will see your new device collections as shown below (You may need to refresh the console before you see them).
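Before running the script against a production site, it helps to preview what it would create. The following is an added example, not part of the original script: the function name Get-OUCollectionPlan and the shortened select list are assumptions. It lists each collection and rule name, flags collections that already exist, and escapes quotes in OU names before they are placed in the WQL query.

```powershell
# Added example: preview the collections the OU-based script would create,
# without changing anything in SCCM. Assumes the ActiveDirectory and
# ConfigurationManager modules are loaded and the session points to the
# Configuration Manager PSDrive, as described earlier in the article.
function Get-OUCollectionPlan {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$Searchbase,
        [ValidateSet('Base', 'OneLevel', 'Subtree')]
        [string]$SearchScope = 'Subtree',
        [string]$Append
    )

    $ous = Get-ADOrganizationalUnit -SearchBase $Searchbase -SearchScope $SearchScope -Filter * -Properties CanonicalName

    foreach ($ou in $ous) {
        # Same naming as the script, minus the trailing space when -Append is empty.
        $collectionName = "$($ou.Name) $Append".Trim()

        # WQL uses the backslash as its escape character. Escape backslashes first,
        # then single quotes, so an OU name such as O'Brien cannot end the literal.
        $ouLiteral = $ou.CanonicalName.Replace('\', '\\').Replace("'", "\'")

        [pscustomobject]@{
            CollectionName = $collectionName
            RuleName       = "$collectionName OU"
            AlreadyExists  = [bool](Get-CMDeviceCollection -Name $collectionName)
            # Select list shortened for readability; the where clause is the script's.
            Query          = "select SMS_R_SYSTEM.ResourceID from SMS_R_System where SMS_R_System.SystemOUName = '$ouLiteral'"
        }
    }
}

$plan = Get-OUCollectionPlan -Searchbase 'OU=Servers,DC=pipe2text,DC=com' -Append 'Servers'
$plan | Format-Table CollectionName, RuleName, AlreadyExists -AutoSize

# Two OUs with the same name under different parents map to one collection name;
# list any such collisions before creating anything.
$plan | Group-Object CollectionName | Where-Object Count -gt 1 | Select-Object Name, Count
```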

I hope this helps. Remember, always test this and other scripts in a lab before deploying to production. If you have any questions or feedback, please leave a comment. Thanks!

Author: BC

BC is a contributor and has been an IT Professional for 15 years. He currently works as a Sr. Systems Engineer at a private firm. He enjoys working with Active Directory, Exchange and VMware among other technologies.

6 Responses to Using PowerShell to Create Multiple Device Collections in SCCM 2012 R2 Based on Active Directory Organizational Units (OUs)

  1. Niles says:

    I have been trying to get this script to work but not having any luck. If I run this from in SCCM 2012 I get a “not digitally signed” error. I am assuming that is due to running this under x64 Powershell, again assuming that SCCM 2012 is launching that version from the console. I did run the Set-ExecutionPolicy Unrestricted command successfully.

    If I run this script outside of SCCM 2012 in a x86 Powershell it appears that it is trying to work but I get the following error.

    New-CMDeviceCollection : The term ‘New-CMDeviceCollection’ is not recognized as the name of a cmdlet, function, script
    file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
    and try again.
    At C:\SCCMScript\New-OUBasedDeviceCollection.ps1:38 char:5
    + New-CMDeviceCollection -Name “$Name $append” -LimitingCollectionName $Limiti …
    + ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (New-CMDeviceCollection:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

  2. Niles says:

    What is needed to get this to work using SCCM 2012 R2 and PowerShell x86? Currently SCCM 2012 R2 kicks off the 64 bit version of Powershell.

    Please advise,

  3. Niles says:

    Never mind. Figured it out. I need to run the following PS.

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  4. Niles says:

    Do you have a PS script for User Collections?

  5. Niles says:

    Do you have a User version of this script?


  6. Niles says:

    Ok for those of you looking for a User based version of this script, here you go. ENJOY!

    param(
        [Parameter(Mandatory = $true)]
        [string]$Searchbase,
        [string]$LimitingCollection = 'All Users and Groups',
        [string]$SearchScope = 'Subtree',
        [string]$Append,
        [string]$RefreshType = 'Manual'
    )
    $OUS = Get-ADOrganizationalUnit -SearchBase $Searchbase -SearchScope $SearchScope -Filter * -Properties canonicalname
    foreach ($OU in $OUS) {
        $Name = $OU.Name
        $Canonical = $OU.CanonicalName
        New-CMUserCollection -Name "$Name $append" -LimitingCollectionName $LimitingCollection -RefreshType $RefreshType
        # SMS_R_User exposes UniqueUserName and WindowsNTDomain; it has no SMSUniqueIdentifier, ResourceDomainORWorkgroup or Client property
        Add-CMUserCollectionQueryMembershipRule -CollectionName "$Name $append" -QueryExpression "select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserOUName = '$Canonical'" -RuleName "$Name $append OU"
    }
