How to find an old discovery scope record in DB?

  • Question

  • I'm basically having this issue:  https://social.technet.microsoft.com/Forums/en-US/ee23a8e9-1d75-4965-883d-5a67011a13b0/remove-security-account?forum=configmanagergeneral

    I'm trying to remove an account from SCCM, but it had been used for an AD group discovery that is evidently no longer there.  I changed the account on all existing discovery scopes, but it still shows up as being used for Active Directory Group Discovery.

    This system has been in place much longer than I've been here, and I've been cleaning up because the domain "administrator" account was used for everything.  (yikes!).  Anyway, I've got everything cleaned up / switched over except for this one thing, and now I'm stuck.  

    Does anyone know of a table in the DB that would reference this?  I assume that's the only way I'm going to track down this old scope.  Would love any help and direction I can get!

    Thanks!

    Wednesday, September 18, 2019 12:57 AM

Answers

  • Hello,

    Thanks for your posting in TechNet.

    The cause of your issue is that the account information still stays in the DB when we remove "Discovery Scopes" using that account from AD Group Discovery. The workaround is that we need to recreate these Discovery Scopes with the same name as before, then change the account to the computer account. It should remove the account information, then we could delete these Discovery Scopes again and remove the account. But how to find the names of Discovery Scopes if we cannot remember them? Kindly follow the steps below.

    1> Run the following PowerShell script on the site server.

    $lists = (Get-WmiObject -Namespace root\sms\site_<sitecode> -Class SMS_SCI_Component -Filter "ItemName = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT|SMS Site Server'").Proplists 
    $lists | Where-Object { $_.values -match "Domain\\user"} | select PropertyListName, Values

    Use your site code and account instead. Note that we should use "Domain\\user" instead of "Domain\user".

    2> Find the name of the discovery scope from the results


    3> Recreate the discovery scope with the same name and specify the account. We could use any Location, it doesn't need to be the same as before.



    4> Click OK, Click Apply.

    5> Then edit this Discovery to change the account to computer account.



    6> Click OK, click Apply.

    7> Then, the account information bound to this scope should have been removed from the DB. Run the above script to verify it.

    8> Repeat steps 3 to 6 to remove all the account records that have been used in a Discovery Scope.

    9> Refresh the Accounts in the console, the account should no longer be an AD Group Discovery Agent.

    10> Then we could delete it.

    Also, it is suggested to send a frown in the console to give feedback on your issue. If it's a bug, the product team may fix it in a future release.

    Hope my answer could help you and look forward to your feedback. 

    Best Regards,
    Ray      


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, September 18, 2019 4:37 AM
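An added example (not part of the answer above): a helper that performs the same match as step 1 but escapes the account with `[regex]::Escape`, so it can be passed as plain `DOMAIN\user` and is matched literally. The function name, the sample property lists and the CONTOSO accounts are constructed, and taking the scope name from the text after the colon is an assumption about the "AD Accounts: ..." naming.

```powershell
function Find-ScopeForAccount {
    param(
        [Parameter(Mandatory)] [object[]] $PropLists,  # objects with PropertyListName and Values
        [Parameter(Mandatory)] [string]   $Account     # plain DOMAIN\user, single backslash
    )
    # -match treats its right-hand side as a regular expression. Unescaped,
    # "CONTOSO\svc.olddisc" would read "\s" as whitespace and "." as any
    # character, so the literal account must be escaped first.
    $pattern = [regex]::Escape($Account)

    foreach ($list in $PropLists) {
        # Values may be $null, a single string or an array; normalise to an
        # array and test each element so an empty list never counts as a hit.
        $hits = @(@($list.Values) | Where-Object { $_ -match $pattern })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                PropertyListName = $list.PropertyListName
                # Assumption: the scope name is whatever follows the first ':'.
                ScopeName        = ($list.PropertyListName -split ':', 2)[-1].Trim()
                MatchingValues   = $hits
            }
        }
    }
}

# Constructed sample standing in for the live result. On a site server the
# input would be the thread's own query:
#   $lists = (Get-WmiObject -Namespace root\sms\site_<sitecode> -Class SMS_SCI_Component `
#       -Filter "ItemName = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT|SMS Site Server'").PropLists
$sample = @(
    [pscustomobject]@{ PropertyListName = 'AD Accounts: Old Groups Scope'; Values = @('CONTOSO\svc.olddisc') },
    [pscustomobject]@{ PropertyListName = 'AD Accounts: Current Scope';    Values = @('CONTOSO\svc_discovery') },
    [pscustomobject]@{ PropertyListName = 'AD Accounts: Empty Scope';      Values = $null }
)

# Lists every property list that still references the account being retired.
Find-ScopeForAccount -PropLists $sample -Account 'CONTOSO\svc.olddisc' |
    Format-Table -AutoSize
```

Running it again after steps 3 to 6 and getting no rows back is the verification described in step 7.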
  • Hello,
     
    Well, in this case, try to find that information in SQL.
     
    Run the following SQL first.
     
    select  
    	SMS_SCI_Component.PropLists
    from 
    	vSMS_SC_Component_SDK AS SMS_SCI_Component  
    where 
    	SMS_SCI_Component.ItemName = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT|SMS Site Server'
     
    Note: This query is only for your issue, it should not be used in general reports. 
    Then open the XML file and check the property named "AD Accounts: ..." to find the scope name which is associated with the account.
     
    Hope my answer could help you.
     
    Best Regards,
    Ray


    • Marked as answer by Torpex Thursday, September 19, 2019 4:21 PM
    Thursday, September 19, 2019 11:33 AM

All replies

  • This looks like exactly what I need, but when I try this I get a Provider Load failure error.  

        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


    Wednesday, September 18, 2019 5:59 PM
  • If I run winmgmt /verifyrepository it shows it is consistent.  I can check Enum Classes with that class and that works, but if I try to Enum Instances I get a provider load failure error.  Some other classes work, some don't.
    Wednesday, September 18, 2019 6:32 PM
  • Awesome!!  That worked.  Thank you so much!!!
    Thursday, September 19, 2019 4:21 PM