We prefer to deploy software based on AD security groups. Ideally, we put a machine into a security group, then within a few hours LDMS installs the software associated with that group. But I can't figure out exactly what mechanism tells a client, and thus the core server, what security groups a system is in, or when that mechanism runs. I put a machine in a security group, did a hardware inventory, a hardware-and-software inventory, a Full Sync inventory, ran gpupdate /force on the system and ran all three different inventories, rebooted and did the inventories, then even did a vulscan (though I don't think there's any connection there). The system would not recognize the new membership in that security group until sometime last night. I'd like to know how a system recognizes the new membership so I can "nudge" a given system to help it install software faster. I would think this is in the User Guide somewhere, but I've looked and looked and haven't found it anywhere.