AD Group Discovery changes

  • Question

  • I'd like to know the OU of all my existing devices.  I'd also like to know the security groups all my devices are members of, but that's secondary.

    I would like to know this information without adding any new devices to SCCM. 

    Is it not possible to collect this information for existing devices without adding in any new devices?  When I discover my "Workstations" OU where all the computers are - devices are created for every device in that OU and sub OUs - which I thought device discovery was for. No way to discover OUs and group membership of existing devices without adding new? That's a major bummer if true.  I don't feel like that's how discovery worked in 2007.

    Monday, December 17, 2012 5:45 PM

Answers

  • The information you are seeking (AD security group membership and their member OU), is tied back to each device. Therefore, the devices must be in the ConfigMgr database in order to have that information tied back to them. If the devices weren't in ConfigMgr, then there would be nothing to correlate the group membership and OU information back to.

    If this post was helpful, please click the little "Vote as Helpful" button :)

    Trevor Sullivan
    Trevor Sullivan's Tech Room
    Twitter Profile

    Monday, December 17, 2012 6:44 PM
  • I contacted Microsoft for help with this issue.

    They suggested that I create a single AD group and add to it all the clients I want to manage with SCCM.

    Then I need to configure AD System Discovery (not group discovery) to discover just that single group.  There is a check box in the AD System Discovery that says to "discover objects within AD groups" - that needs to be checked.

    In this way, SCCM System Discovery will only discover the systems in that collection, so you can manage what systems will be discovered.  In my case, it isn't really "discovery" - the systems are already in SCCM, just need to collect the OU - and that requires AD System Discovery.

    It is a little confusing because you are using AD System Discovery to discover an AD Group of systems, but this works.

    It could be extended a little farther by advertising an SCCM package that adds the computer to the AD group.  You'd need to make sure "Domain Computers" had change rights on the AD group.  That way clients would add themselves to the AD group and on the next discovery period their OU would be discovered and added to the object. Just like old times.

    • Proposed as answer by Sreenivas C Thursday, April 7, 2016 2:00 AM
    • Marked as answer by ToddMiller Tuesday, July 26, 2016 3:25 PM
    Tuesday, December 18, 2012 11:10 PM
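    A server-side way to maintain that discovery group, added here as an example and not taken from the thread or from Microsoft: it fills the group from the devices ConfigMgr already knows about, and stops if a large built-in group has been nested into it (the accidental mass-import case raised later in this thread), so clients never need change rights on the group. The group name, site code and the two module names are assumptions.

    ```powershell
    # Added example (not from the thread): populate the SCCM discovery group from the
    # devices already in ConfigMgr, and audit it for nested large groups before
    # AD System Discovery runs against it. Assumes the ActiveDirectory and
    # ConfigurationManager modules are installed; group name and site code are placeholders.
    Import-Module ActiveDirectory
    Import-Module ConfigurationManager   # ships with the ConfigMgr console

    $GroupName = 'SCCM-Managed-Clients'   # placeholder: the single AD group discovery will target
    $SiteCode  = 'PS1'                    # placeholder: your ConfigMgr site code

    # Built-in groups that must never be nested in the discovery group; nesting one
    # would pull every domain computer into the database on the next discovery cycle.
    $ForbiddenNested = @('Domain Computers', 'Domain Users', 'Authenticated Users')

    # 1. Audit: inspect direct members and fail loudly on a forbidden nested group.
    $members = Get-ADGroupMember -Identity $GroupName
    foreach ($g in ($members | Where-Object { $_.objectClass -eq 'group' })) {
        if ($ForbiddenNested -contains $g.Name) {
            throw "Group '$GroupName' nests '$($g.Name)'; discovery would import every member. Aborting."
        }
        Write-Warning "Nested group '$($g.Name)' found in '$GroupName'; review its membership."
    }

    # 2. Sync: add only computers that already exist as ConfigMgr device records.
    Set-Location "$($SiteCode):"          # ConfigMgr cmdlets need the site drive as the current location
    $sccmNames = Get-CMDevice | Where-Object { $_.Name } | Select-Object -ExpandProperty Name
    $current   = $members | Where-Object { $_.objectClass -eq 'computer' } |
                 Select-Object -ExpandProperty Name

    $toAdd = foreach ($name in $sccmNames) {
        if ($current -notcontains $name) {
            # Skip SCCM records (e.g. unknown computers) that have no AD computer object.
            $c = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
            if ($c) { $c }
        }
    }
    if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }
    Write-Host "Added $(@($toAdd).Count) computer(s) to '$GroupName'."
    ```

    Run it from a scheduled task under an account that has write access to the group's member attribute, so that "Domain Computers" never needs that permission.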

All replies

  • Sorry, I didn't explain something right...  The devices I am interested in ARE objects in SCCM database already.  When I said "devices," I meant devices in the SCCM console.  I would like to collect the OU and group membership for existing SCCM devices without discovering additional devices that are not already discovered.  In 2007, this was called AD System Group Discovery.  It would collect the information I am looking for ONLY for existing devices.

    I don't want SCCM to ever discover new devices in SCCM on its own. My plan is to deploy the SCCM agent outside of SCCM - using GPO, during OSD, or manually.  When a client first checks in to SCCM, then I want to see the client in "Devices" - and not before.  Once the client is in SCCM, I would like for SCCM to start collecting OU/Group membership info about this client from AD.  That used to be done with Active Directory System Group Discovery - which was removed. So I'm trying to figure out in SCCM 2012 how to do what that process did in 2007.

    Monday, December 17, 2012 7:05 PM
  • Hmmm. Unfortunately, I think that you are kind of stuck. I can't think of any way around this using ConfigMgr in the box functionality. Ultimately, is it a "bad" thing for this to happen in your environment or just undesirable?


    Jason | http://blog.configmgrftw.com

    Monday, December 17, 2012 8:28 PM
  • I have loads of collections built from AD groups and OUs.  Because of the way MS has changed this functionality, I would have to have about 25% more computer objects in my DB than I need - all garbage.

    If one person adds a group in AD under the OU I'm discovering that has "Domain Users" or "Domain Computers", boom I just accidentally added 100,000 objects to the DB unintentionally.  I don't want to do discovery, but I want to have the group memberships of existing devices.  That was a piece of cake in 2007 and I've built a lot of process on it.  Power config collections, app deployments, client settings, security patches, firewall rules - all built on OUs and group memberships - all impossible in SCCM 2012 unless I want to have 25% garbage in SCCM - because I don't manage those clients.  SCCM isn't the only application that uses AD - so it is not as if we can change the way AD is organized just to suit SCCM.

    I would consider this a deal breaker for my migration - and one that was basically sprung on me since the function was present in Betas.

    Obviously, I will need to come up with a solution.  Too many of our business processes are built on this function. And sticking with 2007 is not really feasible either.  It is just going to add a heavy burden on the migration.

    Write my own DDR creation routine maybe?  Third party options?

    Monday, December 17, 2012 8:58 PM
  • I don't think there are any third party options anymore.

    You should contact Microsoft through your support channels as they may be able to help you.


    Jason | http://blog.configmgrftw.com

    Monday, December 17, 2012 9:17 PM