Need to exclude VDI systems from SCCM Site Wide Client Push

  • Question

  • In my AD structure there is a parent "Workstations" OU that AD System Discovery is targeting. However, there is a "VDI" OU that holds about 200 VDI systems that SCCM should NOT be managing that is a child OU under the "Workstations" OU. My Manager is NOT wanting to move the VDI OU outside of the parent and he is not really happy at the fact that Microsoft has not addressed this issue and has added some exclude OU section within AD System Discovery.

    Anyway, the reason I am asking this is because I want to enable Automatic Site Wide Client Push and I don't want the SCCM client installed on any of the VDI systems. I know that if there is no SCCM Client Push account in the local admins group on these systems, then the client will not install, but there will be a lot of logged errors, which I am fine with.

    Is there another method I can use that will ensure that the VDI systems will not be seen by SCCM at all besides removing the SCCM Client Push accounts from the local admins groups on VDI systems?

    I was thinking maybe to deny the SCCM Site Server rights to the VDI OU and all of its child objects. 

    Will this work as well as or better than removing the SCCM Client Push accounts from local admins, and not create all the chatter in the logs?

    Thanks

    Saturday, January 23, 2016 8:23 PM

Answers

  • In my AD structure there is a parent "Workstations" OU that AD System Discovery is targeting. However, there is a "VDI" OU that holds about 200 VDI systems that SCCM should NOT be managing that is a child OU under the "Workstations" OU. My Manager is NOT wanting to move the VDI OU outside of the parent and he is not really happy at the fact that Microsoft has not addressed this issue and has added some exclude OU section within AD System Discovery.

    Have you looked at the recursion option? If you don't enable recursion, that might suit your scenario.

    https://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_DiscMethods

    For each location instance that you specify, you can configure individual search options such as enabling a recursive search of the location's Active Directory child containers.

    We have a Workstations OU, and quite a few child OUs off that parent OU, including one named VDI. We set the discovery location at each child OU, rather than at the parent OU, because we don't want the VDI objects to be discovered nor managed by ConfigMgr.
    We actually made the OU structure decision for reasons relating to Group Policy inheritance.
    Yes, it would be "easier" if the VDI OU wasn't a child OU of Workstations, then we could have simply pointed discovery at the parent OU and enabled recursion, but we didn't, so we don't.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, January 23, 2016 8:42 PM
  • Thanks Don. 

    Okay, so I will have to go ahead and select each child OU that I want managed by SCCM and exclude the VDI OU altogether; more work, but oh well. 

    Don, when I target each OU that I want SCCM to manage, can I select the "Recursively search Active Directory for child containers" option, and will it just perform the recursive search for that OU? 

    I am under the impression it performs that recursive search for each specific OU that I specify and does not perform a general recursive search throughout AD. 

    The reason I am asking is because of the way it is worded. It almost sounds like it will search outside of the OU that you target because of the "...search Active Directory for child containers" label. 

    For instance, here is the structure I have:

    Workstations Parent OU

    • Remote Site Workstations Child OU 1
    • Remote Site Workstations Child OU 2 
    • Remote Site Workstations Child OU 3
    • VDI Child OU 

    So instead of targeting the Workstations Parent OU and setting that to search recursively, which will invade the VDI OU, I would target the first 3 Remote Site Workstation Child OUs individually and ensure that the "Recursively search Active Directory for child containers" option is enabled for them, right?

    The recursive search will not somehow spill over into the "VDI Child OU", correct?


    Yes, that's what we do. Yes, it's slightly less convenient: instead of adding a single discovery "location", you need to add three of them.

    The recursive bit essentially means "from the connection point I nominate, recurse from this point down through any sub-OUs", but it doesn't step across to any peer point of the nominated connection point.

    In your example, if there are no sub/child OUs of these, there is no purpose in enabling recursion:

    • Remote Site Workstations Child OU 1
    • Remote Site Workstations Child OU 2
    • Remote Site Workstations Child OU 3

    [I'm not convinced that recursive/recursion is the best word to completely describe this concept/principle, but it is the word used by MSFT for this feature/behaviour]


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Sunday, January 24, 2016 3:59 AM
    • Marked as answer by I AM Sir Ask Alot Monday, January 25, 2016 4:19 AM
    Sunday, January 24, 2016 3:52 AM
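    An added example (not from the thread or from Microsoft): a PowerShell check that models the discovery layout Don describes, using LDAP search scopes to stand in for the "Recursively search Active Directory for child containers" option, so you can confirm that no VDI object would be discovered before enabling Site Wide Client Push. It assumes the RSAT ActiveDirectory module and the OU names used in the thread (the DNs are assumptions).

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory module
# and the OU layout from the question: OU=Workstations with child OUs, one of
# which is OU=VDI and must not be discovered.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$parentOU   = "OU=Workstations,$domainDN"   # assumed DN
$excludedOU = "OU=VDI,$parentOU"            # assumed DN

# Discovery locations: every direct child OU of Workstations except VDI.
# This mirrors adding each child OU as its own location instead of the parent.
$locations = Get-ADOrganizationalUnit -SearchBase $parentOU -SearchScope OneLevel -Filter * |
    Where-Object { $_.DistinguishedName -ne $excludedOU }

$discovered = foreach ($ou in $locations) {
    # Subtree = recursion enabled for this location: the nominated point and
    # everything below it. OneLevel would be the same location with recursion
    # off. Neither scope steps sideways into a peer OU such as VDI.
    Get-ADComputer -SearchBase $ou.DistinguishedName -SearchScope Subtree -Filter * |
        Select-Object Name, DistinguishedName, @{ n = 'Location'; e = { $ou.Name } }
}

# Any computer whose DN sits under the VDI OU would have been discovered.
# With this layout the count must be zero.
$leaked = @($discovered | Where-Object { $_.DistinguishedName -like "*,$excludedOU" })

"Locations: $(@($locations).Count)  Discovered: $(@($discovered).Count)  VDI leakage: $($leaked.Count)"
if ($leaked.Count -gt 0) { $leaked | Format-Table -AutoSize }

# Caveat: computers sitting directly in Workstations (not in any child OU) are
# also outside every location with this layout. List them so they are not
# silently missed by discovery and client push.
$orphans = @(Get-ADComputer -SearchBase $parentOU -SearchScope OneLevel -Filter *)
"Computers directly in Workstations (not covered by any location): $($orphans.Count)"
$orphans | Select-Object Name, DistinguishedName
```

    Run it under an account with read access to the OUs; a non-zero leakage count means a location was pointed at the parent or at the VDI OU itself.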

All replies

  • Thanks Don. 

    Okay, so I will have to go ahead and select each child OU that I want managed by SCCM and exclude the VDI OU altogether; more work, but oh well. 

    Don, when I target each OU that I want SCCM to manage, can I select the "Recursively search Active Directory for child containers" option, and will it just perform the recursive search for that OU? 

    I am under the impression it performs that recursive search for each specific OU that I specify and does not perform a general recursive search throughout AD. 

    The reason I am asking is because of the way it is worded. It almost sounds like it will search outside of the OU that you target because of the "...search Active Directory for child containers" label. 

    For instance, here is the structure I have:

    Workstations Parent OU

    • Remote Site Workstations Child OU 1
    • Remote Site Workstations Child OU 2 
    • Remote Site Workstations Child OU 3
    • VDI Child OU 

    So instead of targeting the Workstations Parent OU and setting that to search recursively, which will invade the VDI OU, I would target the first 3 Remote Site Workstation Child OUs individually and ensure that the "Recursively search Active Directory for child containers" option is enabled for them, right?

    The recursive search will not somehow spill over into the "VDI Child OU", correct?

    Thanks

    Saturday, January 23, 2016 9:31 PM
  • GREAT!!

    Thanks for your help, Don. 

    I really really appreciate it. 

    Monday, January 25, 2016 4:19 AM