Add option to exclude containers/OUs from Group Discovery
Here’s the problem. Systems exist in the Domain Computers group and other groups, so any recursive discovery of groups for the domain will put the partial system discovery back in the system.
Starting in version 1806, select subcontainers (and/or OUs?) to exclude from this recursive search. This option helps to reduce the number of discovered objects. Select Add to choose the containers under the above path. In the Select New Container dialog box, select a child container to exclude. Select OK to close the Select New Container dialog box.
The list of Active Directory containers in the Active Directory System Discovery Properties window includes a column Has Exclusions. When you select containers to exclude, this value is Yes.
INFO: discovered object with ADsPath = 'LDAP://DC.EMSLAB.LOCAL/CN=AZUREADSSOACC,OU=Do Not Discover,DC=emslab,DC=local' SMSADSYSTEMDISCOVERYAGENT 10/10/2018 6:09:56 AM 20196 (0x4EE4)
WARN: Discovered object is in excluded AD container. Skip. SMSADSYSTEMDISCOVERYAGENT 10/10/2018 6:09:56 AM 20196 (0x4EE4)
INFO: Processing discovered group object with ADsPath = 'LDAP://DC.EMSLAB.LOCAL/CN=Domain Computers,CN=Users,DC=emslab,DC=local' SMSADSECURITYGROUPDISCOVERYAGENT 10/10/2018 6:14:00 AM 6756 (0x1A64)
INFO: DDR was written for group 'EMSLAB\Domain Computers' - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asgx21yd.DDR at 10/10/2018 6:13:57. SMSADSECURITYGROUPDISCOVERYAGENT 10/10/2018 6:14:00 AM 6756 (0x1A64)
INFO: DDR was written for system 'AZUREADSSOACC' - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adh4b27e.DDR at 10/10/2018 6:13:57. SMSADSECURITYGROUPDISCOVERY_AGENT 10/10/2018 6:14:00 AM 6756 (0x1A64)
The net result is that nothing is cleaned up in SCCM, which defeats the intention of the exclusion.
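To find which systems are affected, the two discovery logs can be cross-checked as in the following added example, which is not part of the original post or of Configuration Manager. It assumes the flattened log layout quoted above; `find_reintroduced` is a hypothetical helper name, and the WKS001 entries are constructed sample data.

```python
import re

# Constructed sample in the flattened layout quoted in the post. The AZUREADSSOACC
# entries are the post's own; the WKS001 entries are constructed for contrast.
SAMPLE = r"""
INFO: discovered object with ADsPath = 'LDAP://DC.EMSLAB.LOCAL/CN=AZUREADSSOACC,OU=Do Not Discover,DC=emslab,DC=local' SMSADSYSTEMDISCOVERYAGENT 10/10/2018 6:09:56 AM 20196 (0x4EE4)
WARN: Discovered object is in excluded AD container. Skip. SMSADSYSTEMDISCOVERYAGENT 10/10/2018 6:09:56 AM 20196 (0x4EE4)
INFO: discovered object with ADsPath = 'LDAP://DC.EMSLAB.LOCAL/CN=WKS001,OU=Workstations,DC=emslab,DC=local' SMSADSYSTEMDISCOVERYAGENT 10/10/2018 6:09:57 AM 20196 (0x4EE4)
INFO: DDR was written for system 'AZUREADSSOACC' - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adh4b27e.DDR at 10/10/2018 6:13:57. SMSADSECURITYGROUPDISCOVERY_AGENT 10/10/2018 6:14:00 AM 6756 (0x1A64)
INFO: DDR was written for system 'WKS001' - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\example01.DDR at 10/10/2018 6:13:58. SMSADSECURITYGROUPDISCOVERYAGENT 10/10/2018 6:14:00 AM 6756 (0x1A64)
"""

DISCOVERED = re.compile(r"discovered object with ADsPath = '(LDAP://[^/']+/CN=([^,']+),[^']*)'", re.I)
SKIPPED = "Discovered object is in excluded AD container"
DDR_SYSTEM = re.compile(r"DDR was written for system '([^']+)' - (.+?\.DDR)\b", re.I)
THREAD = re.compile(r"(\d+) \(0x[0-9A-Fa-f]+\)\s*$")


def find_reintroduced(lines):
    """Return (name, excluded ADsPath, DDR file) for systems that System Discovery
    skipped as excluded but Security Group Discovery wrote a DDR for anyway."""
    lines = list(lines)
    pending, excluded = {}, {}
    # Pass 1: pair each "excluded ... Skip" warning with the object the same
    # thread reported immediately before it.
    for line in lines:
        t = THREAD.search(line)
        tid = t.group(1) if t else None
        m = DISCOVERED.search(line)
        if m:
            pending[tid] = (m.group(2).upper(), m.group(1))
        elif SKIPPED in line and tid in pending:
            name, path = pending.pop(tid)
            excluded[name] = path
    # Pass 2: system DDRs written by the group discovery component. Underscores
    # are stripped first because the component name appears with and without them.
    leaks = []
    for line in lines:
        m = DDR_SYSTEM.search(line)
        if m and "SECURITYGROUPDISCOVERY" in line.replace("_", "").upper():
            name = m.group(1).upper()
            if name in excluded:
                leaks.append((name, excluded[name], m.group(2)))
    return leaks


if __name__ == "__main__":
    for name, path, ddr in find_reintroduced(SAMPLE.splitlines()):
        print(f"{name}: excluded at {path}, re-added via {ddr}")
```

Feed it the concatenated lines of both discovery logs; the order of the two logs does not matter because exclusions are collected before DDR entries are checked.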