Systems still showing up in the SCCM console after I delete them from SCCM and AD System Discovery is not targeting their OU

  • Question

  • So here is the history of how I initially set up my SCCM 2012 R2 environment when it comes to AD:

    -MyDomain
    --ParentOU
    ---ChildOU1
    ---ChildOU2
    ---ChildOU3
    ----VDI Systems
    ---ChildOU4
    ---ChildOU5
    ---ChildOU6

    When I first built my SCCM site, I simply included the ParentOU in AD System Discovery and set it to search recursively so it could just detect all systems. I did this because Management did not want to enable Auto Site Wide Client Push initially, because we have VDI systems that are located here: "ParentOU/ChildOU3/VDISystems". Because of this VDI Systems OU and where it has been placed in AD, I have been performing manual collection client push deployments for the last year or so. However, now Management wants to start using Auto Site Wide Client Push, because I keep telling them how inefficient these manual push deployments are and that I can simply select individual OUs for Auto Site Wide Client Push and exclude the VDI Systems OU as long as I do not enable a recursive search on ChildOU3. Management wants me to first test out Auto Site Wide Client Push on just a few OUs first before adding all of the OUs to ensure it does what is expected. I decided to use the following OUs for the test (underlined): ChildOU1, ChildOU2, and ChildOU5

    So I performed the following steps to test out Auto Site Wide Client Push:

    1. Deleted all systems that did not have the SCCM client installed to ensure that Auto Site Wide Client Push would not install the client on non-managed SCCM systems
    2. I removed the ParentOU LDAP path from AD System Discovery and I added the LDAP paths for ChildOU1, ChildOU2, and ChildOU5 and I set a recursive search for all three of them
    3. I then ran a Full AD System Discovery scan to monitor the process and I found that for some reason some systems in ChildOU3, ChildOU4, and ChildOU6 were also being detected and added to SCCM. 

    Note: I did NOT delete all systems that were NOT in ChildOU1, ChildOU2, and ChildOU5, because many of them already had the SCCM client installed due to my prior configuration and so I decided there was no reason to delete them from the database. 

    Can anyone help me understand why systems that are not being targeted in AD System Discovery are still being detected by SCCM?

    And as always, thank you all very much for your help and support.





    Friday, February 5, 2016 7:01 PM

Answers

  • Could it be that those systems are discovered by the Active Directory Group Discovery? In other words, does it discover security and/or distribution groups that include those devices?

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Friday, February 5, 2016 7:11 PM
  • Check the properties on the resources being rediscovered. The Agent field will tell you exactly what recreated the resource (which is probably the Group discovery as better indicated above).

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, February 5, 2016 8:03 PM

All replies

  • DAMN you guys are AWESOME!!

    Thanks, it does appear to be the "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT" from what the Agent Name shows in one of the object's properties. 

    I CANNOT believe this, but this AD guy has thrown user/group accounts all under the ParentOU as well. 

    Looks like I got more mouse clicks to do - WHY ME!!?

    I will work on automating this eventually with PowerShell. 

    Note to self, push for AD restructuring prior to any SCCM deployment. 

    Thanks guys, I LOVE YOU man - LOL.


    Friday, February 5, 2016 9:38 PM
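
The Agent Name check suggested in the answers can be run across every resource at once instead of opening each object's properties. The script below is an added example, not code from the thread: it lists each system that sits outside the OUs targeted by AD System Discovery together with the discovery agents that reported it. The site code `XXX` and the domain name `MYDOMAIN.LOCAL` are placeholders, and it assumes it is run on the SMS Provider server by an account with read access to the site.

```powershell
# Added example: which discovery agent reported systems outside the targeted OUs?
$SiteCode = 'XXX'                      # placeholder: your three-character site code

# OUs configured in AD System Discovery, written the way SCCM stores them in
# SystemOUName (DOMAIN/OU/SUBOU). Names are constructed from the thread's layout.
$TargetedOUs = @(
    'MYDOMAIN.LOCAL/PARENTOU/CHILDOU1',
    'MYDOMAIN.LOCAL/PARENTOU/CHILDOU2',
    'MYDOMAIN.LOCAL/PARENTOU/CHILDOU5'
)

$systems = Get-CimInstance -Namespace "root\sms\site_$SiteCode" -ClassName SMS_R_System

$report = foreach ($sys in $systems) {
    # SystemOUName holds one entry per OU level, so an exact match against a
    # targeted OU also covers systems in its child OUs (recursive search).
    $inTarget = @($sys.SystemOUName | Where-Object { $TargetedOUs -contains $_ }).Count -gt 0
    if ($inTarget) { continue }

    # AgentName and AgentTime are parallel arrays: one entry per discovery agent.
    $agents = @($sys.AgentName)
    $times  = @($sys.AgentTime)
    for ($i = 0; $i -lt $agents.Count; $i++) {
        [pscustomobject]@{
            Name         = $sys.Name
            Client       = $sys.Client       # 1 when the SCCM client is installed
            Agent        = $agents[$i]
            LastReported = $times[$i]
            DeepestOU    = $sys.SystemOUName | Sort-Object Length | Select-Object -Last 1
        }
    }
}

# Per-system detail, then a count of out-of-scope records per discovery agent.
$report | Sort-Object Agent, Name | Format-Table -AutoSize
$report | Group-Object Agent | Select-Object Count, Name | Format-Table -AutoSize
```

Rows whose Agent is `SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT` are the ones created by group discovery, as found in the thread; rows reported only by the client itself (for example heartbeat discovery) belong to systems that already have the client installed.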