Why are old AD records still being discovered

Sometimes SCCM can be sneaky.  For those that have been using Configuration Manager for a while now there are stories about surprises of one kind or another.  I hit upon one of those recently.  In my current role I'm in charge of client health and the issue brought to me was a large amount of discovered machines which, on investigation, didn't truly exist.  The records were for machines that existed in AD but had gone offline..., they no longer existed and were not longer connected to the network.  Our AD system discovery has settings to deal with dirty AD problems and filter our records older than DD days when doing the system discovery.  The first check was to look at that and confirm it was set and functioning correctly, which it was.

The catch was in GROUP discovery.  Many folks don't realize this but Active Directory Group Discovery will make simple DDR for the members of the groups it finds.  Here is the blurb from TechNet (https://technet.microsoft.com/en-us/library/gg712308.aspx\#BKMK\_ADGroupDisc)

Limited information about a groups member computers and users, even when those computers and users have not previously been discovered by another discovery method

Group discovery has the same AD filters on it as system discovery, but those had not been checked to turn on.  Once checked... those old ConfigMgr records started cleaning out. :-)