#ConfigMgr Speed up AD-Group discovered Client Push Installation #SCCM

Imagine the following situation:

You have to deploy SCCM a well controlled and step by step. You want to use (automatic) push installation.

This can be done by putting the PCs you want into AD-groups and throw some GPOs at them, to add an ConfigMgrPush Account to local admins for example.

Then Active Directory Group Discovery has to be set up to discover items in the selected AD-Group.

Now, when you put in a PC to this AD-Group, it will be discovered in a short time (5 Minutes in standard delta discovery settings).

After discovery, SCCM will try to push the client to the new PCs but it fails, because the ConfigMgr push account is not a local admin. This happens, because a reboot is needed for the PC to be aware of new group memberships and applying the GPO.

You now can wait until every PC is rebooted, or do the following:


Create a collection for PCs without an installed client:


Add a new query rule


Click “Show query language” and paste the query (delete linebreaks after inserting)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from  SMS_R_System where SMS_R_System.Client = 1) and (SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 6.1")     





Now that you have created the collection, it´s time for some Powershell and psexec.

Download psexec and place it somewhere on your SCCM Server, e.g. c:\psexec

Create a powershell script that gets all members of the “no client” Collection, refreshes PC AD-Group Membership and forces a gpupdate:

$SiteServer = ‘localhost’

# Replace  YSC with your SiteCode

$SiteCode = ‘YSC’
$CollectionName = ‘All Windows 7 PCs without installed Clients’
#Retrieve SCCM collection by name
$Collection = get-wmiobject -NameSpace "ROOT\SMS\site_$SiteCode" -Class SMS_Collection | where {$_.Name -eq "$CollectionName"}
#Retrieve members of collection
$SMSClients = Get-WmiObject -ComputerName $SiteServer -Namespace "ROOT\SMS\site_$SiteCode" -Query "SELECT * FROM SMS_FullCollectionMembership WHERE CollectionID=’$($Collection.CollectionID)’ order by name" | select Name
#Try to Refresh AD-Goup Membership and force gpupdate for every collectionmember
ForEach ($SMSClient in $SMSClients){
write-host "Next Client:" $SMSClient.Name
$hostname = $smsclient.name

c:\psexec\psexec.exe \\$hostname -s cmd /c "klist -li 0x3e7 purge"
c:\psexec\psexec.exe \\$hostname -s cmd /c "gpupdate /force"

If the script runs successfully, you will get an output like


To get this working, the account running the script needs to have the right to access the client PC!

Now that the group policy is applied, the ConfigMgr Push Account can install the client.

To go even further you could schedule this task, or even better, let Orchestrator do the job.






Refresh Active Directory Group Membership of PC without reboot


If you ever tested stuff that is based on AD-Groups for Computers – like GPO Software deployment – you have experienced that the PC “knows” its new group membership only after a reboot or after seven days of waiting….

After searching a while I found a way to get membership changes without reboot:

Open a command promt in the system user context and purge the kerberos tickets to get new ones, e.g. with the great tool psexec :

a) Download psexec

b) open an elevated command promt, navigate to the folder you downloaded psexec to and start psexec with the paramter “-s” to start the session on the local PC in system user context:

psexec –s cmd


c) run “klist –li 0x3e7 purge


d) the Keberos tickets get renewed and the new group membership is also populated Smiley


On Windows 7 and beyond/Server 2008 and beyond klist is coming with the OS, on Windows XP/Vista/Server 2003 you have to get klist form the Windows Server 2003 Resource Kit Tools.


Thanks to Darren for sharing this great tipp!