Last updated on August 7th, 2022 at 09:34 pm
This is a fairly common request, but it goes against the idea of Microsoft Endpoint Configuration Manager (MECM / SCCM / MEMCM / ConfigMgr). You should target either a user or a computer, not the computers of a set of users. I know the first thing you will say is that software is installed on a computer, NOT a user. This is completely true! In this article we will talk about the pros and cons of this approach and give you the WQL query needed for a Users' Department Collection.
But suppose I want to target all users within the IT Department with an application such as Recast Endpoint Insights. Does it make sense to target the computers of all users within the IT department, or the users themselves within the IT department? Before you answer that, understand the way ConfigMgr works.
If I target the users, they will receive the software as soon as they log on to a computer. OK, a few minutes after they log on, but you get the idea; even faster if it is an AD security group, but that is another story for another day! To be a fair comparison with the computer details, let us assume the worst case. The worst case is a bit harder to define for a user, as it will depend completely on EXACTLY how you are creating your collection rules. If you do it the absolutely worst possible way (which I don't think I have ever seen anyone do), you are looking at results similar to a computer. Realistically, there are two methods that people will use: add the user directly to a collection as a direct membership, or add the user to an AD security group which is already a member of a collection. This last method is the FASTEST way possible to deploy software to a user! (There is some question whether the CM team broke this for a computer; it is on my list of things to retest AD security groups for a computer.) In either "real world" case you are looking at 1-2 hours with either method.
Now if I target a computer of a user using the default settings within SCCM, and assuming the absolute worst case, I need to wait for the user to log on. Then I wait for the user details to be returned to SCCM. Using the default settings for Heartbeat Discovery, this can take 7 days! I then have to wait for the collection to be updated; again, with the default collection update schedule, this can take 7 more days! Finally I have to wait one, maybe two, more hours for the computer to see the policies and take action.
So are you willing to wait 14+ days just to target a computer for users within a department?
The counter argument to this is always going to be: but what if the user logs on to a second computer? The answer will be "it depends". It depends on how you set up the deployment. There is a long discussion we can have about setting up deployments and software auditing. For some of that discussion see my blog at my day job. https://www.recastsoftware.com/resources/how-to-perform-a-basic-software-audit-2/
Users’ Department Collection WQL
Let's assume that you do target the computer using the WQL query below. How reliable will it be? Well... consider that if no one is logged on when Heartbeat Discovery runs, the computer's LastLogonUserName will be null, so when the collection is next updated the computer will fall out of the collection and the whole process starts again.
I’m not here to stop you from doing things. I just want you to be informed.
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_R_User on SMS_R_System.LastLogonUserName = SMS_R_User.UserName where SMS_R_User.department = "IT"
The join works because both SMS_R_System.LastLogonUserName and SMS_R_User.UserName hold the account name without the domain. Note that SMS_R_User only exposes a department property when the department attribute is included in Active Directory User Discovery; without it the query returns nothing.
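The following PowerShell is an added example and is not code from the original post. It builds the device collection from the WQL query above, shortens its update schedule so the 7-day collection wait discussed earlier becomes roughly an hour, builds the user-collection alternative that targets the IT users directly, and then counts how many client records currently have no LastLogonUserName (the devices that will drop out of the joined collection). The site code, the SMS Provider host name and the collection names are assumptions; change them for your site.

```powershell
# Added example, not from the original post. Site code, provider host and
# collection names are assumptions.
$SiteCode       = 'PS1'
$ProviderServer = 'cm01.contoso.local'   # server hosting the SMS Provider

# Load the ConfigMgr module shipped with the console and switch to the site drive.
# SMS_ADMIN_UI_PATH ends in \bin\i386; the module sits one directory up.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. Device collection: computers whose last logged-on user is in the IT department.
#    This is the query from the post, wrapped in the standard collection select clause.
$deviceWql = @'
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_R_User on SMS_R_System.LastLogonUserName = SMS_R_User.UserName
where SMS_R_User.department = "IT"
'@

# A new collection defaults to a full update every 7 days. Evaluating every hour,
# plus incremental updates (RefreshType Both), removes most of that wait.
$hourly = New-CMSchedule -Start (Get-Date) -RecurInterval Hours -RecurCount 1

$deviceColl = New-CMDeviceCollection -Name 'IT Department - Computers' `
    -LimitingCollectionName 'All Systems' -RefreshType Both -RefreshSchedule $hourly
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $deviceColl.Name `
    -RuleName 'Last logon user in IT' -QueryExpression $deviceWql

# 2. User collection alternative: target the IT users themselves, which does not
#    depend on Heartbeat Discovery having seen them logged on.
$userWql = @'
select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name,
       SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
from SMS_R_User
where SMS_R_User.department = "IT"
'@

$userColl = New-CMUserCollection -Name 'IT Department - Users' `
    -LimitingCollectionName 'All Users' -RefreshType Both -RefreshSchedule $hourly
Add-CMUserCollectionQueryMembershipRule -CollectionName $userColl.Name `
    -RuleName 'Department is IT' -QueryExpression $userWql

# 3. Reliability check: any client whose last heartbeat carried no logged-on user
#    cannot match the join above, whatever department its owner is in.
$noUser = Get-CimInstance -ComputerName $ProviderServer `
    -Namespace "root\SMS\site_$SiteCode" `
    -Query 'select Name from SMS_R_System where LastLogonUserName is null'
'{0} client records currently have no LastLogonUserName' -f @($noUser).Count
```

Run this from a console that has the ConfigMgr cmdlets installed, with an account that can create collections and query the SMS Provider over WinRM. The hourly schedule only fixes the collection evaluation side; the Heartbeat Discovery interval still decides how quickly a new logon reaches the site database, so shorten that too if you go down the device-collection path.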