get collections

Overview

Discover and analyze device and user collections. Collections are fundamental to SCCM operations and reveal organizational structure, deployment targets, and administrative groupings.

Syntax

SharpSCCM get collections [options]

Parameters

sms-provider

string

The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to

site-code

string

The three-character site code (e.g., “PS1”)

name

string

Filter collections by name pattern (supports partial matching)

collection-id

string

Filter by specific collection ID (e.g., “PS100001”)

properties

string

Specify properties to retrieve (can be used multiple times)

where-condition

string

Custom WQL WHERE clause for advanced filtering

count

boolean

Return count of results only

verbose

boolean

Display all collection properties

Examples

# List all collections
SharpSCCM get collections -sms SCCM01.corp.local -sc PS1

# Count total collections
SharpSCCM get collections -c -sms SCCM01.corp.local -sc PS1

Key Properties

Property	Description	Values
`Name`	Collection display name	User-defined
`CollectionID`	Unique identifier	PS100001, SMS00001, etc.
`CollectionType`	Collection type	1 (User), 2 (Device)
`MemberCount`	Number of members	Numeric
`IsBuiltIn`	Microsoft default collection	True/False
`LimitToCollectionID`	Parent collection	Collection ID
`LimitToCollectionName`	Parent collection name	Collection name
`Comment`	Collection description	User-defined

Required Permissions

SMS Admins local group membership on the SMS Provider server

Collection Types

Device Collections (Type 2)

Purpose: Group devices for management operationsCommon Examples:

All Systems (SMS00001)
All Workstations
All Servers
Domain Controllers
Administrative Workstations

Use Cases:

Application deployment targets
Operating system deployment
Configuration baseline assignment
Software update deployment

User Collections (Type 1)

Purpose: Group users for policy and application deploymentCommon Examples:

All Users (SMS00002)
Domain Administrators
IT Staff
Department-specific groups

Use Cases:

User-targeted application deployment
User policy assignment
User group management

Strategic Collections

High-Value Targets

Administrative Collections:

# Find admin-related collections
SharpSCCM get collections -n "admin" -sms SCCM01.corp.local -sc PS1
SharpSCCM get collections -n "server" -sms SCCM01.corp.local -sc PS1
SharpSCCM get collections -n "IT" -sms SCCM01.corp.local -sc PS1

Infrastructure Collections:

# Critical infrastructure groups
SharpSCCM get collections -n "DC" -sms SCCM01.corp.local -sc PS1
SharpSCCM get collections -n "SQL" -sms SCCM01.corp.local -sc PS1
SharpSCCM get collections -n "Exchange" -sms SCCM01.corp.local -sc PS1

Built-in vs Custom

Built-in Collections (IsBuiltIn = True):

Created by Microsoft
Standard SCCM functionality
SMS00001 (All Systems), SMS00002 (All Users), etc.

Custom Collections (IsBuiltIn = False):

Created by administrators
Organization-specific groupings
Higher intelligence value for attackers

Collection Intelligence

Organizational Structure

Collections reveal:

Departmental organization (HR, Finance, IT collections)
Geographic distribution (Site-based collections)
Administrative boundaries (Admin, standard user groups)
Asset categorization (Workstation, server, mobile device types)

Deployment Patterns

Collection analysis shows:

Application deployment targets (which groups get which software)
Update deployment strategies (pilot groups, production rollout)
Security policy application (compliance baselines)
Operating system deployment (imaging targets)

Attack Planning

Target Identification

Use collections to identify:

High-value systems (admin workstations, servers)
Privilege escalation paths (admin user groups)
Lateral movement opportunities (connected systems)
Deployment targets (for malicious applications)

Collection Manipulation

Potential attack vectors:

Add devices to high-privilege collections
Create malicious collections for deployment
Modify collection membership rules
Target specific user/device groups

Common Queries

CollectionType = 2

Output Analysis

Naming Conventions

Collection names often reveal:

Purpose: “Pilot Group”, “Production Servers”
Department: “HR Workstations”, “Finance Users”
Location: “Building A”, “Remote Users”
Function: “SQL Servers”, “Web Servers”

Member Count Analysis

Large collections (100+): Broad deployment targets
Medium collections (10-100): Departmental groups
Small collections (1-10): Specialized or test groups
Empty collections (0): Unused or test collections

get collection-members - List members of specific collections
get devices - Enumerate managed devices
get users - Enumerate user accounts
get deployments - Analyze collection-targeted deployments

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

Overview

Syntax

Parameters

Examples

Key Properties

Required Permissions

Collection Types

Strategic Collections

Collection Intelligence

Attack Planning

Common Queries

Output Analysis

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

​Overview

​Syntax

​Parameters

​Examples

​Key Properties

​Required Permissions

​Collection Types

​Strategic Collections

​Collection Intelligence

​Attack Planning

​Common Queries

​Output Analysis

​Related Commands

Overview

Syntax

Parameters

Examples

Key Properties

Required Permissions

Collection Types

Strategic Collections

Collection Intelligence

Attack Planning

Common Queries

Output Analysis

Related Commands