3.3 Exclusion Collections
An interesting situation occurs when trying to create a collection for systems that do not
match a condition. As an example, it is easy to create a collection of
systems that have a particular file deployed to them. It is more
difficult to create a collection of systems without that file deployed
to them. You can accomplish this by creating a custom query that uses a
subselect to exclude the members of another query.
Exclusion collections are useful in situations where you want software to deploy
to a large number of systems but have specific systems you want to
exclude. An example of where this applies is with validated systems. A validated system
is one that has a strict process to validate system functionality any
time software is installed on it. Typically, these types of systems are
patched less frequently, with a larger number of patches occurring at the
same time to minimize the time required to execute the validation
process.
To create an exclusion
collection, the first thing to do is identify the collection you want
to exclude. Navigate to Collection IDs in the Configuration Manager
console by going to System Center Configuration Manager -> Site
Database -> Computer Management -> Collections. In this case,
Validated Systems is the collection you want to exclude, and it has a
Collection ID of CEN0000E, as displayed in Figure 21.
The
goal is to create a collection based on the Forefront Client Deployment
collection that does not include the members of the Validated Systems
collection. As you see in Figure 22,
there are currently 11 systems meeting the criteria defined earlier for
the original Forefront Client Deployment collection.
In contrast to the Forefront Client Deployment collection, the Validated Systems collection displayed in Figure 23 is a static collection with Buda and Thalia as members.
There
now are two collections: One contains 11 members (including Buda and
Thalia) and the second contains only two members (Buda and Thalia). You
can modify the query that defines the Forefront Client Deployment
collection to tell the first collection to exclude members of the
second collection. Add the following code to the original query:
and SMS_R_System.ResourceID not in (Select ResourceID from
SMS_FullCollectionMembership where CollectionID="<collection ID>")
In this case, <collection ID> is CEN0000E, so the subselect removes the members of that collection from the query results. The complete query will look like Figure 24.
By
editing the WMI Query Language (WQL) code directly, you can create
additional criteria to limit the collection. Here, System Resource –
ResourceID (SMS_R_System.ResourceID) is added to the criteria list as a
subselect type, and “not in” is used as the operator.
You can use the same concept to exclude multiple collections. Simply specify multiple collections to exclude, such as:
and SMS_R_System.ResourceID not in (Select ResourceID from
SMS_FullCollectionMembership where CollectionID="<collection ID>" or
CollectionID="<collection ID 2>")
You can also add this directly via the user interface (UI) through the Criterion Properties. Figure 25 shows the original collection criterion changed to remove the members of the CEN0000E collection.
Tip: Benefits of Using Two Collections
You
may find it useful to have both a “not in” collection and a collection
defined as “which ones are missing from the other collection.” This
technique allows you to define a very complicated collection for the
actual membership; then the second collection is just a comparison
between (as an example) all systems and the “not in” collection.
To illustrate how this can work, consider a case using antivirus systems.
Here, you may want one collection that has all systems that have McAfee
and another collection that has all systems that do not have McAfee.
One is used to get an action (perhaps to update a DAT file) and the
other is set with another action (deploy the McAfee software).
You
can also easily create a collection that excludes members from one
collection and from a second collection, such as a “servers without
antivirus” collection, which is a collection containing any server
without McAfee or Norton or Forefront, and so on.
The
original Forefront Client Deployment collection had 11 resources, and
the Validated Systems has two resources that overlap between the two
collections. By excluding those resources in the second collection, the
expectation is the new collection will only have nine resources and not
contain the resources from the Validated Systems collection (Buda and
Thalia). The contents of the new Forefront Client Deployment
collection, displayed in Figure 26, confirm that the collection does not include the members of the Validated Systems collection.
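A check for the result described above, as an added example that is not from the book: the PowerShell below reads both collections from the SMS Provider and reports any system from the excluded collection that is still a member of the target collection. The site code CEN (inferred from the CEN0000E prefix), the site server name, the collection ID format check, and the function names are assumptions.

```powershell
# Added example (not from the book). Assumed: site code CEN, taken from the
# CEN0000E prefix, and an SMS Provider reachable on $SiteServer.
function Get-CollectionMember {
    param(
        [Parameter(Mandatory=$true)][string]$CollectionId,
        [string]$SiteCode   = 'CEN',
        [string]$SiteServer = 'localhost'
    )
    # Accept only the site-code-plus-five-hex-digits form (assumed ID format),
    # so the value cannot change the meaning of the WQL filter.
    if ($CollectionId -notmatch '^[A-Za-z0-9]{3}[0-9A-Fa-f]{5}$') {
        throw "Unexpected collection ID format: $CollectionId"
    }
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
        -Class SMS_FullCollectionMembership -Filter "CollectionID='$CollectionId'" |
        Select-Object ResourceID, Name
}

function Compare-ExclusionCollection {
    param([object[]]$Target, [object[]]$Excluded)
    $excludedIds = @{}
    foreach ($m in $Excluded) {
        if ($m) { $excludedIds["$($m.ResourceID)"] = $m.Name }
    }
    # Any excluded system still present in the target means the subselect
    # is missing, names the wrong collection ID, or membership is stale.
    $leaked = @()
    foreach ($m in $Target) {
        if ($m -and $excludedIds.ContainsKey("$($m.ResourceID)")) { $leaked += $m.Name }
    }
    New-Object PSObject -Property @{
        TargetCount   = @($Target | Where-Object { $_ }).Count
        ExcludedCount = $excludedIds.Count
        Leaked        = $leaked
        Passed        = ($leaked.Count -eq 0)
    }
}

# Live use; '<new collection ID>' is a placeholder, the page does not give it:
#   Compare-ExclusionCollection (Get-CollectionMember '<new collection ID>') `
#                               (Get-CollectionMember 'CEN0000E')

# Constructed sample (resource IDs and WKS01 are invented) for an offline run.
function New-Member($id, $name) { New-Object PSObject -Property @{ ResourceID = $id; Name = $name } }
$validated = @((New-Member 12 'BUDA'), (New-Member 17 'THALIA'))
$good      = @((New-Member 21 'WKS01'))
$stale     = $good + (New-Member 17 'THALIA')
Compare-ExclusionCollection $good  $validated   # target without validated systems
Compare-ExclusionCollection $stale $validated   # target that still lists THALIA
```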
3.4 Collection Flexibility
These include collections with static members, dynamic memberships,
subcollections, and exclusion collections. Each of these demonstrates
the flexibility of the ConfigMgr collection functionality, which really
comes down to the powerful ability to target exactly what you need to
target with your collections.
If
you want to see the power and flexibility of Configuration Manager
2007, a great way to do so is to simply right-click a collection. The
resulting list is staggering at first glance. As you would expect with
a right-click, you can see the properties of the collection, delete the
collection, get help, refresh the contents, and customize the view that
you are seeing. However, with a simple right-click, you can also show
the count of how many systems are in the collection, update the
membership of the collection, install the ConfigMgr client to the
systems in the collection, and modify the settings of the collection or
export the objects in the collection. You can create a new collection
or a new link to a collection, delete the resource in the collection,
and distribute software to the collection.
Although that sounds like a long list, it is just the beginning! How about
transferring site settings or clearing the last PXE advertisement,
advertising a task sequence, assigning a baseline configuration, or
performing Out of Band Management on the systems in the collection? The
point here is that collections are extremely powerful and extremely
flexible, and they are a key piece of how you can configure
Configuration Manager to perform very complex and granular forms of
targeting.