I recently learned something that I am surprised never dawned on me. Luckily my coworkers didn’t know this either so I don’t feel bad.
Normally I would use a query rule based on an AD group to populate the user collection. The problem is that I am then dependent on the collection update cycle as well as on whatever interval I set for AD discovery of groups. I have seen AD discovery set anywhere from one day to 14 days in different environments.
I am no longer using query rules to add an AD group to a user-based collection. Instead, I do a direct User Group Resource add using the User Group Name attribute. When you do that, there is only a single entry for the group; the individual users within the domain group do not show in the collection.
Why use a direct group add to a collection over a query rule? If you have a user collection that needs regular updating such as ones that use AD group memberships to determine if a piece of software is available to a user in the Application Catalog, this is perfect for it.
If you used a query rule, after a user is added to the AD group you have to wait for SCCM to poll AD and pick up the change to the group, and then for the collection to update, before the change is seen in the Application Catalog. This could be hours or the next day, depending on how things are configured in your environment.
When you use a direct add of the AD group to the collection membership, after a user is added to the AD group it only requires the user to lock and unlock their system to refresh their AD user token. After the system is unlocked and the token is refreshed, the software should show in the Application Catalog for the user to install. In our testing, we have seen the software ready for install in less than 5 minutes.
And that is why I now use direct group adds for user group based collections over a query rule.
NOTE: This only works for user collections.
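As an added example (not from the original post), this PowerShell shows the direct user-group add described above beside the query-rule approach it replaces. It assumes the Configuration Manager console module is loaded and the session is connected to the site drive; the collection and group names are placeholders.

```powershell
# Added example, not from the original post. Assumes the ConfigurationManager module
# is imported and the session is connected to the site drive (e.g. PS1:\).
function Add-UserGroupDirectRule {
    param(
        [Parameter(Mandatory)] [string] $CollectionName,   # placeholder: a USER collection
        [Parameter(Mandatory)] [string] $GroupName         # placeholder: "DOMAIN\Group Name"
    )

    # The post's note: this only works for user collections.
    # SMS_Collection.CollectionType: 1 = User, 2 = Device.
    $collection = Get-CMCollection -Name $CollectionName
    if (-not $collection) { throw "Collection '$CollectionName' not found." }
    if ($collection.CollectionType -ne 1) {
        throw "'$CollectionName' is not a user collection; direct user group rules only apply to user collections."
    }

    # Locate the user group resource (SMS_R_UserGroup) by its UserGroupName attribute.
    # The group must already have been picked up by AD group discovery to exist as a resource.
    $group = Get-CMResource -ResourceType UserGroup -Fast |
             Where-Object { $_.UserGroupName -eq $GroupName }
    if (-not $group) {
        throw "User group resource '$GroupName' not found; it has not been discovered yet."
    }

    # Idempotent: do nothing if a direct rule for this resource already exists.
    $existing = Get-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $group.ResourceId
    if ($existing) {
        Write-Verbose "Direct rule for '$GroupName' already present on '$CollectionName'."
        return $existing
    }

    # Direct-add the group itself. The collection lists the group, not its individual
    # members, so AD membership changes do not wait on discovery or a collection update.
    Add-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $group.ResourceId
    Get-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $group.ResourceId
}

# For contrast, the query-rule approach the post moved away from: membership is evaluated
# against SCCM's discovered copy of the group, so it lags AD discovery and the update cycle.
function Add-UserGroupQueryRule {
    param([string] $CollectionName, [string] $GroupName)
    $escaped = $GroupName.Replace('\', '\\')   # WQL string literals need the backslash doubled
    $query = "select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name, " +
             "SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain from SMS_R_User " +
             "where SMS_R_User.UserGroupName = `"$escaped`""
    Add-CMUserCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName "AD group $GroupName" -QueryExpression $query
}
```

Running `Add-UserGroupDirectRule -CollectionName 'App - Example Users' -GroupName 'CONTOSO\App Users'` adds the single group entry; the per-user membership is resolved at the client from the user's token, as the post describes.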