Active Directory Discovery..., or not

As I work with customers, there is often a discussion about Active Directory discovery (usually systems, sometimes users).  People often do not want to discover EVERYTHING in AD, only a subset.  If they already have a specific OU or two to aim at, that's great: SCCM can do an LDAP query against just those few OUs.  However, if there are a lot of separate OUs this becomes a pain to add and maintain, and you may miss out if a new OU is added by the AD folks.

A common example of all this is where a company wants to discover and manage all their workstations, but none of their servers.  Even though discovering a server doesn't mean it will be managed, folks do not want to take that chance, so they want to limit their discovery so no servers are discovered.  Often the servers are in their own OU while the workstations are spread across many OUs.

So the very simple trick here is to grant a DENY permission (Read, i.e. List Contents and Read All Properties, applied to the OU and all descendant objects) for the SCCM site server machine account on the OU you do not want discovered, and then point SCCM to discover everything in the domain.  This allows discovery of everything in AD except specific OUs.  SCCM uses the machine account context to query AD during discovery, and AD simply does not return objects the querying account cannot read, so discovery skips over that OU without any error, finds everything else and, by default, picks up any new OUs your AD team makes in the future.

A few things to check before relying on this.  First, deny the account that actually runs the query: by default that is the site server computer account, but if a different account is specified for the AD container in the discovery method properties, it is that account that needs the deny.  Second, Windows evaluates explicit ACEs before inherited ones, so an explicit Allow for that account on a child OU or object will override the Deny inherited from the parent; make sure nothing further down the tree grants the account read access directly.  Third, the same account is used by the other AD discovery methods, so users and groups sitting in the denied OU will not be discovered either.
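The following is an added example, not code from the original post or from Microsoft, showing how to apply the deny ACE with the ActiveDirectory module and how to verify what the site server's computer account actually sees.  The site server name (SCCM01), the domain (contoso.com) and the OU distinguished name are placeholders you would replace with your own.

```powershell
# Added example (not part of the original post). Assumes RSAT / the ActiveDirectory
# module is installed and that you hold rights to modify the OU's DACL.
# Placeholders: SCCM01 (site server), OU=Servers,DC=contoso,DC=com (OU to hide).
Import-Module ActiveDirectory

$SiteServer = 'SCCM01'                          # assumption: SCCM site server name
$TargetOU   = 'OU=Servers,DC=contoso,DC=com'    # assumption: OU to exclude from discovery
$DomainDN   = 'DC=contoso,DC=com'               # assumption: domain to discover

# The site server queries AD as its computer account (SCCM01$); resolve its SID.
$computer = Get-ADComputer -Identity $SiteServer
$sid      = [System.Security.Principal.SecurityIdentifier]$computer.SID

# Deny "List Contents" + "Read All Properties" on the OU and every descendant object,
# so child OUs created later inherit the deny as well.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           $rights,
           [System.Security.AccessControl.AccessControlType]::Deny,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check 1: the deny ACE is present on the OU for the site server account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SiteServer$" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType

# Check 2: reproduce the discovery query in the same security context.
# Run this part ON the site server as LocalSystem (for example: psexec -s powershell.exe),
# because LocalSystem authenticates to AD as the computer account, just like discovery does.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainDN"
$searcher.Filter     = '(objectCategory=computer)'
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$results = $searcher.FindAll()

# Any computer whose DN ends with the denied OU should be missing from the result set.
$leaked = @($results | Where-Object {
    $_.Properties['distinguishedname'][0] -like "*,$TargetOU"
})
"Computers visible to $SiteServer`$: $($results.Count)"
"Of those under $TargetOU (expected 0): $($leaked.Count)"
```

If the second check returns anything under the denied OU, look for an explicit Allow on that object or its parent OU for the site server account, since an explicit grant beats the inherited Deny.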