How to exclude specific PCs or Organization Unit from discovery and All system collection?

  • Question

  • We want to exclude some PCs from discovery and All System collection.

    1. We want to exclude without modifying the query of the All System collection and without modifying the registry.

    2. We want to exclude with Organization unit container.

    We have also tested the Include and Exclude option which is available in system discovery (Discovery method), but it is not working as expected.

     

    Please help us.

    Thursday, April 24, 2014 4:57 AM

Answers

  • Jason messaged me offline and said that the method of denying read access does not always work. I was thinking that I had done that back in 2003 but have not tested it in the past 10 years or so. It would be easy to test though if you want to give it a try.

    Just browse to the OU in ADUC, right click, Properties, Security tab. Click Add, change the object type to Computers, enter the name of the server that performs discovery, click OK, click Deny on all boxes and click OK.

    Actually I just did it to write the instructions above. What I see in my adsysdis.log clearly indicates to me that, in my environment, this works.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Thursday, May 1, 2014 12:43 PM
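
The ADUC steps above as a script, followed by a listing of the explicit allow ACEs on the computer objects, which the other reply in this thread says take precedence over inherited denies. This is an added example, not code posted by anyone in the thread; the OU distinguished name and the site server name are placeholders.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$OuDn       = 'OU=ExcludedPCs,DC=example,DC=com'  # placeholder: OU to hide from discovery
$SiteServer = 'CM01'                              # placeholder: server that runs AD System Discovery

# Discovery runs as the site server's computer account, so the deny targets its SID.
$sid = (Get-ADComputer -Identity $SiteServer).SID

# "Deny on all boxes": deny GenericAll on the OU, inherited by every child object.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Read the ACE back to confirm it was written as an explicit (non-inherited) deny on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# List explicit allow ACEs with read rights on each computer object in the OU.
# On these child objects the deny above is inherited, so these are the ACEs to
# review when the exclusion does not behave as expected.
$read = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
Get-ADComputer -SearchBase $OuDn -Filter * | ForEach-Object {
    $name = $_.Name
    (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band $read) -ne 0
        } |
        Select-Object @{ n = 'Computer'; e = { $name } }, IdentityReference, ActiveDirectoryRights
}
```

After the next discovery cycle, adsysdis.log on the site server shows whether the OU was still enumerated.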

All replies

  • Just deny read access to that OU from the site server that runs discovery

    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Thursday, April 24, 2014 12:53 PM
  • Just to follow up on this, setting perms on the OU does not work because explicit allows take precedence over inherited denies. You could set explicit denies on the actual computer objects (I think this should work) or you can move the computer objects to a specific OU and not include that in the list of OUs to include in discovery.

    There are other possible ways to approach this using group membership but they are all inclusive ways meaning that you must specifically "include" objects just like you must specifically "include" OUs in discovery.


    Jason | http://blog.configmgrftw.com

    Thursday, April 24, 2014 4:59 PM
  • John, thank you. Is it possible to provide steps on how to deny read access to that OU from the site server that runs discovery?
    Wednesday, April 30, 2014 4:07 AM
  • Jason, thank you. How to set explicit denies on a computer object?
    Wednesday, April 30, 2014 4:10 AM