AD System/User discovery on disabled accounts
SCCM is not synchronizing disabled accounts, so it is not synchronizing the change in the UserAccountControl attribute, so from SCCM's perspective every machine/user is active. This creates problems, e.g. in Software Asset Management, since collections can’t select AD active accounts only. SCCM should synchronize changed attributes, or at least UserAccountControl, of AD disabled accounts if the account exists in SCCM.
Christopher Macnichol commented
Well, this answers the question I have been working on for the last couple hours... Really odd design.
Who designed it like this?
Dorian ESCOTS commented
You may use the 'Delete Aged Discovery Data' site maintenance task to cleanup these records.
Serious SCCM flaw, working around it by pulling information from AD directly is a waste of time. Another big part of the problem is that the disabled users/systems info in SCCM is junk, it's just what it used to be before the disable, which can be drastically different from reality.
neil Williams commented
Also, in SCCM I have some user accounts that seem to be active (UAC=512); however, they are disabled in AD. Because SCCM does not sync disabled accounts, it is not marking this account as disabled in the SCCM database. I think this is a fault, not a feature request.
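
The mismatch described in this thread (SCCM still holding UAC=512 for an account that AD has disabled) can be surfaced by comparing both sides on the ACCOUNTDISABLE bit. The following is an added example, not part of the original thread or of any Microsoft tooling; the function names and all sample records are constructed for illustration.

```powershell
# Added example. ACCOUNTDISABLE is bit 0x2 of userAccountControl:
# 512 = normal account, 514 = the same account disabled.
$ACCOUNTDISABLE = 0x2

# Constructed sample data. Live equivalents would be, for example:
#   Get-ADUser -Filter * -Properties userAccountControl
#   Get-CimInstance -Namespace 'root\sms\site_<SiteCode>' -ClassName SMS_R_User
$adUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; userAccountControl = 512 }
    [pscustomobject]@{ SamAccountName = 'bob';   userAccountControl = 514 }
    [pscustomobject]@{ SamAccountName = 'carol'; userAccountControl = 66050 } # disabled + password never expires
)
$sccmUsers = @(
    [pscustomobject]@{ UserName = 'alice'; UserAccountControl = 512 }
    [pscustomobject]@{ UserName = 'bob';   UserAccountControl = 512 }   # stale: disabled in AD
    [pscustomobject]@{ UserName = 'carol'; UserAccountControl = 66048 } # stale: disabled in AD
    [pscustomobject]@{ UserName = 'dave';  UserAccountControl = 512 }   # no longer present in AD
)

# Hypothetical helper: true when the ACCOUNTDISABLE bit is set.
function Test-AccountDisabled([int]$Uac) {
    return ($Uac -band $ACCOUNTDISABLE) -ne 0
}

# Hypothetical helper: emit SCCM user records whose state disagrees with AD.
function Get-StaleSccmUser {
    param([object[]]$SccmUsers, [object[]]$AdUsers)

    # Index AD by account name (hashtable keys compare case-insensitively by default).
    $adIndex = @{}
    foreach ($u in $AdUsers) { $adIndex[$u.SamAccountName] = $u }

    foreach ($s in $SccmUsers) {
        $ad = $adIndex[$s.UserName]
        $finding = $null
        $adUac = $null
        if ($null -eq $ad) {
            $finding = 'MissingInAD'
        } else {
            $adUac = $ad.userAccountControl
            if ((Test-AccountDisabled $adUac) -and -not (Test-AccountDisabled $s.UserAccountControl)) {
                $finding = 'DisabledInAD_ActiveInSCCM'
            }
        }
        if ($finding) {
            [pscustomobject]@{ UserName = $s.UserName; SccmUac = $s.UserAccountControl; AdUac = $adUac; Finding = $finding }
        }
    }
}

Get-StaleSccmUser -SccmUsers $sccmUsers -AdUsers $adUsers | Format-Table -AutoSize
```

Testing the bit rather than comparing against 514 matters because disabled accounts often carry other flags as well, as the constructed `carol` record does.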