AD Group discovery discovering group members
AD Group discovery automatically discovers all computers and users that are members of the group (and of nested groups). Sometimes this is not desired, since we choose which computers/users we want to discover via AD System/User Discovery. AD Group discovery should only update group membership information for resources that already exist in the site, or, ideally, provide an option to choose whether we also want to discover group members or not.
This is a BIG issue if one needs to exclude VDI and/or Vpro accounts in AD.
I leverage AD Security Groups and cannot turn off Group Disc.
What use is it to exclude an OU in Sys Disc only to have it overridden with Grp Disc?
One example: vPro is especially problematic, as the account name is the same except that the pre-Win2K name is suffixed with iME. Grp Disc pulls in the iME account, which has no AD Security Group memberships.
I use SCCM for Servers
When I try to discover groups with devices in them, it only adds the group, and then I have to create a Device Collection with a query rule, while I can add the group to a User Collection directly.
This could be solved better.
Found it on https://computergarage.org/sccm-device-collection-ad-security-group-membership.html
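The query-rule workaround mentioned above, written out as an added example (this is not code from the thread or from the linked article). It uses the ConfigMgr PowerShell module to create a device collection whose membership is driven by the SystemGroupName attribute that AD Group Discovery stamps on discovered computers. The site code, SMS Provider host, group name and collection name are assumptions; replace them with your own.

```powershell
# Added example: device collection populated from an AD security group via a WQL query rule.
# Site code, provider, group and collection names below are assumed placeholders.
$SiteCode  = "PS1"                      # assumed site code
$Provider  = "cm01.corp.example"        # assumed SMS Provider host
$GroupName = "CORP\\SCCM-Servers"       # assumed AD group as DOMAIN\\Group (backslash doubled for WQL)
$CollName  = "AD Group - SCCM-Servers"  # assumed collection name

# Load the ConfigMgr module that ships with the admin console and connect to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $Provider | Out-Null
}
Set-Location "$($SiteCode):"

# SMS_R_System.SystemGroupName lists "DOMAIN\Group" for each AD group a computer belongs to,
# as recorded by AD Group Discovery. This is the same query the console's query rule editor takes.
$Query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORName, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$GroupName"
"@

$Coll = Get-CMDeviceCollection -Name $CollName
if (-not $Coll) {
    # SMS00001 is the built-in "All Systems" collection; use a tighter limiting collection in production.
    $Coll = New-CMDeviceCollection -Name $CollName -LimitingCollectionId "SMS00001" -RefreshType Periodic
}

# Attach the query rule; membership is re-evaluated on the collection's refresh schedule.
Add-CMDeviceCollectionQueryMembershipRule -CollectionId $Coll.CollectionID `
    -RuleName "Members of $GroupName" -QueryExpression $Query
```

Note that the rule only evaluates against resources that already exist in the site database, so the collection will also pick up any records that group discovery itself created, which is the behaviour the rest of this thread complains about.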
Sherry Kissinger commented
This issue has hit us a few times; sadly, we have a CAS environment, so having this is occasionally causing us Degraded Replication. All we really want is the Group and GroupSID discovered (re-discovered), not the members inside it. We've recently opened a case for our replication issue, where this was the primary cause of the degradation. Hopefully we can get this voted up!
This won't work for everyone, but if your specific issue is discovery of a single group, where that single group in Active Directory contains only users (not machines), this is a possible cheating workaround to reduce the DDR backlogs which 'might' happen.
Please FIX - in 1906 we cannot leverage Group Discovery effectively because it pulls in 20,000+ AD records not managed by the site.
Additionally, "ignore machines that haven't checked in within 14 days" (for example) still pulls in all the unwanted records, despite not being turned on within that window, because of group membership.
Cannot agree more with this; we have a process to manually import machines so that they are automatically named correctly and added to the correct AD groups. We don't have system discovery enabled, and yet computer objects are created through group discovery, leading to duplicate objects and confusion for our support staff who need to image and manage the machines. Very annoying that we can't disable this, as it's just system discovery by the back door!
This functionality was OK in the previous release. We are in a degraded mode...
Why is this still not changed? It's annoying having a lot of objects imported into SCCM that we do not want there, just because they are in a group being discovered by SCCM.
Group discovery should discover groups, not add devices to SCCM just because they happen to be in that group.
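To see how many records a site holds purely because of group discovery, the following added example (not code from the thread) queries the SMS Provider for system resources whose AgentName array contains nothing but the AD Group Discovery agent, meaning no System Discovery, Heartbeat or client registration has ever touched them. The site code, provider host and the agent-name string are assumptions; check the AgentName values present in your own site before relying on the filter.

```powershell
# Added example: list device records that only AD Group Discovery has ever reported.
# Site code, provider host and the agent-name string are assumed placeholders.
param(
    [string]$SiteCode = "PS1",               # assumed site code
    [string]$Provider = "cm01.corp.example"  # assumed SMS Provider host
)
# Assumed AgentName value written by AD Group Discovery; verify against your own SMS_R_System data.
$GroupAgent = "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT"
$Ns = "root\SMS\site_$SiteCode"

# AgentName/AgentTime are parallel arrays: one entry per source that has produced a DDR.
# WQL cannot express "array contains only X", so pull the arrays and filter client-side.
$systems = Get-CimInstance -ComputerName $Provider -Namespace $Ns `
    -Query "select ResourceID, Name, Client, AgentName, AgentTime from SMS_R_System"

$groupOnly = foreach ($s in $systems) {
    $agents = @($s.AgentName)
    $others = @($agents | Where-Object { $_ -ne $GroupAgent })
    if ($agents.Count -gt 0 -and $others.Count -eq 0) {
        [pscustomobject]@{
            ResourceID = $s.ResourceID
            Name       = $s.Name
            Client     = $s.Client   # 1 = client installed; group-only records normally have no client
            LastDDR    = ($s.AgentTime | Sort-Object -Descending | Select-Object -First 1)
        }
    }
}

"{0} of {1} system records exist only because of group discovery" -f @($groupOnly).Count, @($systems).Count
$groupOnly | Sort-Object Name | Format-Table -AutoSize
```

Deleting these records does not help on its own: as the thread notes, the next group discovery cycle recreates them, so the list is mainly useful for quantifying the problem (for example when opening a replication case) or for building an exclusion collection.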
Paul Zillman commented
I have run out of votes to cast. +1