AD System Discovery - which account?

  • Question

  • Quick simple question that I can't seem to find the answer to!

    Which account does SCCM 2007 use when running an AD System Discovery?

    I want to deny access on certain AD OUs, so that these systems are not discovered and added to SCCM. I'd rather do it this way than including all the other OUs in the System Discovery properties.

    Tuesday, July 2, 2013 2:36 PM

Answers

  • Note that denying permission in AD will not work to prevent AD System Discovery from discovering a system within an OU because (from http://technet.microsoft.com/en-us/library/cc736316%28WS.10%29.aspx):

    "Explicit permissions take precedence over inherited permissions, even inherited Deny permissions."

    And by default, all objects in AD have explicit read permissions for Authenticated Users, which will include the site server's account, so this will not work unless you explicitly deny permissions on all of the objects.


    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Sabrina Shen Wednesday, July 3, 2013 8:46 AM
    • Marked as answer by Hackmuss Wednesday, July 3, 2013 8:48 AM
    Tuesday, July 2, 2013 5:11 PM
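
The precedence rule quoted in the answer above, as an added example that is not part of the original thread: a simplified Python model of the DACL access check, with ACEs evaluated in canonical order. The account name, the `READ` bit and the helper names are constructed for illustration, and the explicit Allow for Authenticated Users is assumed as the answer describes it.

```python
# Added illustration: simplified model of the Windows DACL access check.
from dataclasses import dataclass

READ = 0x1  # constructed stand-in for the read rights discovery needs

@dataclass(frozen=True)
class Ace:
    trustee: str      # group or account the ACE applies to
    allow: bool       # True = Allow ACE, False = Deny ACE
    mask: int         # rights covered by the ACE
    inherited: bool   # True if the ACE flowed down from a parent (e.g. the OU)

def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token_groups, desired):
    """Walk ACEs in canonical order; the first ACE that decides a bit wins."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return False  # nothing granted the remaining rights: implicit deny

# Constructed sample data: names are placeholders, not from a real directory.
SITE_SERVER = {"CONTOSO\\SCCM01$", "Authenticated Users"}
default_read = Ace("Authenticated Users", True, READ, inherited=False)
ou_deny = Ace("CONTOSO\\SCCM01$", False, READ, inherited=True)
object_deny = Ace("CONTOSO\\SCCM01$", False, READ, inherited=False)

def can_discover(dacl):
    """True if the site server's token can still read the computer object."""
    return access_check(dacl, SITE_SERVER, READ)

if __name__ == "__main__":
    print("Deny set on the OU only:   ", can_discover([ou_deny, default_read]))
    print("Deny set on the object too:", can_discover([object_deny, default_read]))
```

With the Deny only inherited from the OU, the explicit Allow is reached first and the object stays readable; only a Deny placed on the object itself is evaluated ahead of it.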

All replies

  • Hi,

    It uses the Primary site server's computer account, so that is the account you should grant permissions.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Tuesday, July 2, 2013 4:17 PM
  • Thanks Jason, that explains why it's not working..... ;-)

    Oh well, back to the drawing board...

    Wednesday, July 3, 2013 8:48 AM