ConfigMgr can publish data into Active Directory. This data is used by ConfigMgr clients to find their site.
The other way around, Active Directory discovery lets ConfigMgr discover resources and objects in the domain.
Most of the time this is used to discover systems. In this post I will explain discovery of resources in Active Directory groups and how this can be very useful in deploying applications.
In this example I have a service desk with employees who have access to Active Directory but don’t have access to, or knowledge of, ConfigMgr. I want them to be able to distribute the Microsoft Office 2007 package through Active Directory groups. (In this example I assume you know your way around deploying packages with ConfigMgr.)
The first step to accomplish this is to enable group discovery. You can configure it under Site Database, Site Management, Your Site, Site Settings and Discovery Methods.
ConfigMgr offers four Active Directory discovery methods; two of them are used for group discovery:
Active Directory System Group Discovery
This method works for resources that have already been discovered and assigned to a site. It extends the information of the discovered resource with data such as global, nested and universal groups and the Organisational Unit.
So, once again, the resource must already have been discovered by one of the other discovery methods. In this example I enabled System Group Discovery for resources within my entire domain.
Active Directory Security Group Discovery
This method is used to search and discover security groups in Active Directory. You can configure it to search the entire domain or a specific Organisational Unit.
So for ConfigMgr to understand which resource belongs to which group, both discovery methods have to be enabled.
In my domain I created an Organisational Unit (OU) named Application Groups. In this OU I have multiple global groups, such as the group Microsoft Office 2007. Active Directory Security Group Discovery is configured to search for groups within this Organisational Unit.

On the polling schedule tab you can configure when this method should run. To force it to run immediately, check the ‘Run discovery as soon as possible’ checkbox.

To verify the results of the discovery, check the information in the ‘All User Groups’ collection. It can take a couple of minutes for the group to show up. To force it, use the ‘Update Collection Membership’ action and refresh the collection.

Now that the group has been discovered, we must integrate it with our Microsoft Office 2007 package and program. To do this we first need to create a collection with a query-based membership rule that queries for resources that are members of the Active Directory group Microsoft Office 2007.
When your group contains computer / system objects, use the following query for the collection:
select SMS_R_SYSTEM.Name from SMS_R_System where SMS_R_System.SystemGroupName = "yourdomain\\Microsoft Office 2007"
When your group contains user objects, use the following query for the collection:
select * from sms_r_user where sms_r_user.usergroupname = "yourdomain\\Microsoft Office 2007"
Now that the collection is created, you can advertise the Microsoft Office 2007 package and program to the collection.
My Active Directory group does not have any members yet, so the collection is still empty. When an object is added to the Active Directory group and an Active Directory System Group Discovery has run, the collection will be filled and Microsoft Office will get deployed to all the members.
To verify that your resource has been extended with the group membership information, double-click it in the console and, in the properties window, check the property ‘System Group Name’.
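The same check can be scripted, which also shows who will receive the package once the service desk changes the group. The following is an added example, not part of the original post: it compares the computer members of the Active Directory group with the systems ConfigMgr has discovered for that group, using the same WQL as the collection query. The site server name, site code and domain name are placeholders, and it assumes the ActiveDirectory PowerShell module, read access to the SMS Provider namespace root\sms\site_<site code>, and a group whose sAMAccountName matches its name.

```powershell
# Added example: compare AD group membership with ConfigMgr discovery data.
# All parameter defaults below are placeholders, not values from the post.
param(
    [string]$SiteServer = 'SITESERVER',   # placeholder: server hosting the SMS Provider
    [string]$SiteCode   = 'XXX',          # placeholder: three-character site code
    [string]$Domain     = 'YOURDOMAIN',   # domain name as used in the collection query
    [string]$GroupName  = 'Microsoft Office 2007'
)

Import-Module ActiveDirectory

# Computer objects in the AD group, nested groups included.
$adMembers = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name.ToUpper() })

# Same WQL as the collection membership rule; the backslash is doubled for WQL.
$wql = "select Name from SMS_R_System where SystemGroupName = '$Domain\\$GroupName'"
$cmMembers = @(Get-WmiObject -ComputerName $SiteServer `
        -Namespace "root\sms\site_$SiteCode" -Query $wql |
    ForEach-Object { $_.Name.ToUpper() })

# Members ConfigMgr does not know about yet: the advertisement will not
# reach these until System Group Discovery has run and the collection updates.
$pending = @($adMembers | Where-Object { $cmMembers -notcontains $_ })

# Systems whose discovery data lists the group although AD no longer does.
$notInAd = @($cmMembers | Where-Object { $adMembers -notcontains $_ })

'AD group members (computers)       : {0}' -f $adMembers.Count
'Discovered by ConfigMgr with group : {0}' -f $cmMembers.Count

if ($pending.Count -gt 0) {
    'In AD group, not yet in ConfigMgr discovery data:'
    $pending | Sort-Object
}
if ($notInAd.Count -gt 0) {
    'In ConfigMgr discovery data, not in the AD group:'
    $notInAd | Sort-Object
}
if ($pending.Count -eq 0 -and $notInAd.Count -eq 0) {
    'AD group membership and ConfigMgr discovery data match.'
}
```

Because membership of this group now decides who gets the software, the output is also a convenient record to review after the service desk has made changes.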

Good luck!