SCCM 2012 – Group Discovery

Hi All,

Have you ever wondered what Group Discovery does? Well… it is easy, it discovers groups, doesn’t it?

Well, many people, including myself, had this impression, as on CM07 it only discovered extra information regarding existing resources.

Let me give you a bit of history about this… A few days ago a client of mine called in asking me why their CM database was always full of “non-wanted” computer records if they had System Discovery disabled.

While troubleshooting, I saw the information below on one of the “non-wanted” resources:

Well… this was a bit odd for me, and looking at the documentation I could see this:
Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users.

And why is it discovering computers? I went to the Group Discovery properties and they were using the Location type and searching the whole domain (not a best practice anyway…). I continued looking at the documentation and saw this:
This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box.

Back in the discovery properties, I looked at the Options tab and did not see that checkbox enabled, but I saw the other 2 checkboxes enabled and thought that I needed to disable them… and after deleting all non-wanted resources, I forced the full sync and, to my surprise, all records were added again…

I spoke with my fellow MVPs about this behaviour and Vladimir Zelenov gave me a bit of help, saying: Limited information about members will be discovered. So it will create computer objects too.

I was shocked, and looking back at the documentation I saw this:

This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups.

Now you know: as a best practice, don’t search your full Active Directory, as you’ll have lots of non-wanted records.
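
To see how many records this behaviour has created, the query below (an added example, not part of the original post) lists computer resources in the site database whose only discovery source is Active Directory Group Discovery. It assumes the standard Configuration Manager SQL views v_R_System and v_AgentDiscoveries and the agent name SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT, none of which appear in the post.

```sql
-- Added example: computer records that exist ONLY because
-- Active Directory Group Discovery created a limited DDR for them.
-- Assumed (not from the post): views v_R_System / v_AgentDiscoveries
-- and the agent name string used in the HAVING clause.
SELECT  s.ResourceID,
        s.Name0            AS ComputerName,
        s.Client0          AS HasClient,       -- NULL or 0: no CM client installed
        MAX(d.AgentTime)   AS LastDiscovered
FROM    v_R_System s
JOIN    v_AgentDiscoveries d
        ON d.ResourceId = s.ResourceID
GROUP BY s.ResourceID, s.Name0, s.Client0
-- Exactly one distinct discovery agent has reported this resource,
-- and that agent is Group Discovery (no System Discovery, no heartbeat).
HAVING  COUNT(DISTINCT d.AgentName) = 1
   AND  MAX(d.AgentName) = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'
ORDER BY LastDiscovered DESC;

-- Overview: how many computer resources each discovery agent has reported,
-- useful for comparing before and after narrowing the discovery scope.
SELECT  d.AgentName,
        COUNT(DISTINCT d.ResourceId) AS Resources
FROM    v_AgentDiscoveries d
JOIN    v_R_System s
        ON s.ResourceID = d.ResourceId
GROUP BY d.AgentName
ORDER BY Resources DESC;
```

Both statements only read from the views, so they can be run against the site database before and after the Group Discovery scope is narrowed to compare results.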


Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".