Exclude servers from Active Directory System Discovery

  • Question

  • We would like to exclude all servers from being discovered by Active Directory System Discovery. Is there any way to achieve this, i. e. with a custom LDAP query? Or does SCCM always detect all systems in the configured OUs? (Moving all servers to a separate OU is not an option.)



    • Edited by svhelden Wednesday, May 29, 2013 5:50 AM
    Wednesday, May 29, 2013 5:16 AM

Answers

  • (Moving all servers to a separate OU is not an option.)

    Since most replies suggested 'moving all servers [or everything except servers] to a separate OU', I consider the answer to my question

    Is there any way to achieve this


    "No, there is no way."

    Thanks anyway. We'll live with the current situation.

    • Marked as answer by svhelden Thursday, February 12, 2015 3:13 PM
    Thursday, February 12, 2015 3:12 PM

All replies

  • Don't include the OU in your discovery process or remove read permissions for the site server system account to the OU.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Wednesday, May 29, 2013 5:49 AM
  • Sorry - as I said, "moving all servers to a separate OU is NOT an option". Servers are distributed across all OUs and can't be changed.
    Wednesday, May 29, 2013 5:51 AM
  • AFAIK, you can deny the permission to discover computers from a specific OU, but not a few computers from the OU which is being discovered.

    However, if you want to exclude installing the client on the computers using the client push method: http://myitforum.com/myitforumwp/2012/02/01/same-as-before-excluding-specific-computers-from-becoming-configmgr-2012-clients/



    Eswar Koneti | Configmgr blog: www.eskonr.com | Linkedin: Eswar Koneti

    Wednesday, May 29, 2013 5:53 AM
  • We would like to exclude all servers from being discovered by Active Directory System Discovery.


    Why? Discovery does not change anything on servers. They will just be objects in the database then.

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, May 29, 2013 6:18 AM
  • Well, good question ;) ... We don't use SCCM on servers, and the basic reason was excluding them from statistics. Of course we want to prevent accidental client installation, but that can be done in other ways (like mentioned by Eswar).

    Still, we always get tons of "computers without client", low success rates etc. Of course all that can be adjusted, excluding servers from "All Systems" etc., but excluding the servers directly from discovery would be the easiest way. If it can't be done, it can't be done, and we will be able to live with that. I just wanted to know IF it can be done.

    Wednesday, May 29, 2013 6:22 AM
  • Well, if you can't have all servers in a specific OU, just discover the workstations in the workstation OU?
    Wednesday, May 29, 2013 9:51 AM
  • Nice try ;) ... Obviously if there's no server OU, there's no workstation OU. Under all of the OUs, there are servers, workstations and users.
    Wednesday, May 29, 2013 9:52 AM
  • I wouldn't want to work there! (o:

    Employ an AD designer and sort out your OU design. GPOs must not be working too.

    Wednesday, May 29, 2013 9:55 AM
  • Well .. we have OUs per region, then in every regional OU we have one OU per country, and every country has OUs for servers, workstations and users. This makes some sense, since e. g. the French administrator should have access to French servers, workstations and users, but to nothing outside of France.
    Wednesday, May 29, 2013 9:57 AM
  • I would create an OU in each region for Servers/Workstations and users; it would make your life easier.

    I can't see why there is a technical reason for having a container for all 3 object types in each region OU.

    Wednesday, May 29, 2013 10:00 AM
  • Well, every country has one OU for servers, one OU for workstations and one OU for users. 

    Apart from that, it would not solve my issue above. 

    Wednesday, May 29, 2013 10:02 AM
  • OK, we get there in the end (o;

    Go to your discovery methods and add multiple OUs for each container for the ones you want to discover.

    So you add a discovery method for each OU container for workstations.

    So you have multiple discovery methods for each workstation OU.

    Follow?




    Wednesday, May 29, 2013 10:12 AM
  • I can follow you, but we would have to add lots of OUs and maintain the list. So yes, this could be a workaround to our issue - but right now I think it would cause more work and issues than coping with the current situation.
    Wednesday, May 29, 2013 10:14 AM
  • Well, good question ;) ... We don't use SCCM on servers, and the basic reason was excluding them from statistics. Of course we want to prevent accidental client installation, but that can be done in other ways (like mentioned by Eswar).

    Still, we always get tons of "computers without client", low success rates etc. Of course all that can be adjusted, excluding servers from "All Systems" etc., but excluding the servers directly from discovery would be the easiest way. If it can't be done, it can't be done, and we will be able to live with that. I just wanted to know IF it can be done.

    Well, if that is the issue with reporting, then you may have to edit the report to avoid servers displaying in reports, so you will be on the right track with results.

    Or, while creating collections to exclude a certain number of computers or maybe more, create an AD security group and add all the computers to it. Create a collection to exclude computers which are members of this AD group to avoid accidental installation...



    Eswar Koneti | Configmgr blog: www.eskonr.com | Linkedin: Eswar Koneti

    • Proposed as answer by Garth JonesMVP Tuesday, February 10, 2015 2:20 PM
    Wednesday, May 29, 2013 10:15 AM
  • Sorry mate, have I missed something?

    I assume your OU design is

    France>Workstations

    Belgium > Workstations

    France>Servers

    Belgium>server

    ???

    Wednesday, May 29, 2013 10:22 AM
  • Sorry mate Have I missed something?


    Yes. See his reply: "Under all of the OUs, there are servers, workstations and users."
    So all objects are located in the same OU if I am not mistaken.

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, May 29, 2013 10:27 AM
  • Well, every country has one OU for servers, one OU for workstations and one OU for users. 

    Apart from that, it would not solve my issue above. 

    My understanding from above is that he has sub-OUs for each device/object type under each geographic location OU?



    Wednesday, May 29, 2013 10:28 AM
  • Tony is right on that. We have an OU "Central Europe", under that we have an OU "Switzerland", and under Switzerland we have an OU "Servers", an OU "Desktops", an OU "Laptops" and an OU "Users".

    In some countries, we even have sub-OUs per site, and under each Site we have Servers, Desktops etc. So in total, we have ca. 125 OUs that contain workstations - definitely not worth the maintenance effort.

    Wednesday, May 29, 2013 10:31 AM
  • It would not take you too long to add the discovery methods, and once they are in and your OU structure is not changed, it would not need to be maintained apart from new sites.

    An hour's work (o:

    Wednesday, May 29, 2013 10:34 AM
  • An hour's work (o:

    Yes, plus 48 hours in two years, when certain computers are simply not discovered and no one knows why ;)

    As of now, our structure changes quite often. So, I do not want to implement this.

    I understand that there is no other option, so we have to live with the current situation.

    Wednesday, May 29, 2013 10:36 AM
  • Though ... wait. Isn't there an option to query for OUs? So that we would query for OUs called 'Laptops' and automatically discover all those?
    Wednesday, May 29, 2013 10:37 AM
  • If all the computer accounts are in the discovered OUs, it will discover them; if they aren't discovered, they are in the wrong OU or the discovery OU isn't set.

    I would prefer that to discovering loads of objects which are not required to be under management.

    So the process for a new site would be to set up 1 new discovery method for each workstation and users OU.

    Any future OU changes of the discovered OUs need to be reflected in SCCM.

    So the above will resolve non-wanted discovered objects....


    Wednesday, May 29, 2013 10:44 AM
  • Aside from not discovering the OUs, there isn't an option.

    You either discover the whole domain including servers, which would mean only one entry in your Active Directory System Discovery section in ConfigMgr, but lots of unused entries in the DB for servers with no client.

    Or you add each Workstation OU into your Active Directory System Discovery section in ConfigMgr, which would only discover workstations. This is the standard way of doing things.

    Surely there must be a change process? So when adding a Workstation OU, the SCCM Admin would need to add an entry to discover it!

    Keep things simple! It makes it so much easier to manage.

    Wednesday, May 29, 2013 10:45 AM
  • Or if you really can't be bothered with the above, create a group on the top level in an OU called "Workstation_Group" and add all workstations to this group.

    And then tick discover objects in AD groups and it "SHOULD" discover only the workstations in that group, but you will have to ensure all newly built machines have that group added.

    I wouldn't do it that way, mind!

    Wednesday, May 29, 2013 10:49 AM
  • We are facing the same problem, but only want to include servers. I wish there was a way to easily do this, but the only idea I can come up with is to write a short script that will scan AD once per day, find the computer objects that have a server version of Windows OS, add those computer objects to a group (call it "Windows Servers"), and then configure SCCM to perform system discovery only on that group ("CN=Windows Servers,OU=Global Groups,DC=mydomain,DC=local"). It's not pretty, but I think it will get the job done. -Evan
    Thursday, May 19, 2016 7:05 AM
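
The daily group-sync script described in the last post, written out as an added example; it is not code from any poster in this thread. It assumes the ActiveDirectory PowerShell module (RSAT), an existing group that is used for nothing but discovery, and a hypothetical `-Workstations` switch that builds the inverse group suggested earlier in the thread ("Workstation_Group").

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Group DN as written in the post; "mydomain.local" is the poster's placeholder.
    [string]$GroupDN = 'CN=Windows Servers,OU=Global Groups,DC=mydomain,DC=local',
    # Hypothetical switch: populate a workstation group instead of a server group.
    [switch]$Workstations
)

# operatingSystem is reported by the joined machine; pre-staged or non-Windows
# objects with an empty value match neither filter and stay out of the group.
$filter = if ($Workstations) {
    "OperatingSystem -like 'Windows*' -and OperatingSystem -notlike '*Server*'"
} else {
    "OperatingSystem -like 'Windows*Server*'"
}

# Distinguished names of every computer object that should be in the group.
$wanted  = @(Get-ADComputer -Filter $filter | ForEach-Object DistinguishedName)

# Read the member attribute directly. The group is assumed to be dedicated to
# discovery, so any member that no longer matches the filter is removed.
$current = @((Get-ADGroup -Identity $GroupDN -Properties Member).Member)

# -notin compares strings case-insensitively, which suits DNs.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupDN -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Confirm:$false
}

# Summary for the scheduled task's log.
[pscustomobject]@{
    Group   = $GroupDN
    Matched = $wanted.Count
    Added   = $toAdd.Count
    Removed = $toRemove.Count
}
```

Running it with `-WhatIf` first lists the membership changes without applying them.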