Have you ever wondered what the group discovery does? Well…it is easy, it discover Groups, isn’t it?
Well, many people, including myself, had this impression, as on CM07 it only discovered extra information regarding existing resources.
let me give you a bit of history about this…few days ago a client of mine called in asking me why their CM database was always full of “non-wanted” computer records if they have the system discovery disabled.
Well..this was a bit odd for me, and looking at the documentation (http://technet.microsoft.com/en-us/library/gg712308.aspx) i could see this:
Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users.
and why it is discovering computers? i went to the Group discovery properties and they were using the Location type and searching for the whole domain (not a best practice anyway…). i continued looking at the documentation and saw this:
This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box.
Back to the discovery properties, i looked at the options tab and did no see that checkbox enabled, but i saw the other 2 checkbox enabled and tough that i needed to disable it…and after deleting all non-wanted resources, i forced the full sync and for my surprise, all records were added again…
Spoke with my fellow MVP’s about this behaviour and Vladimir Zelenov gave me a bit of help saying: Limited information about members will be discovered. So it will create computer objects too.
i was shocked, and looking back at the documentation i saw this:
This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups.
Now you know, as best practices, don’t search your full active directory as you’ll have lots of non-wanted records.