[Tip] Excluding OU from Discovery

Hi All,

I've been asked by a customer how to exclude one OU from System Discovery.

When he asked me, I said it was easy: you only need to deny Read on that OU to the site server. However, it wasn't that simple, as they are using specific permissions instead.

If you read the documentation, you'll find: To run Active Directory Discovery, the Active Directory domain can be in any Active Directory mode, and the site server computer account must have Read access to the specified Active Directory containers.

To play a bit, I set my lab up as follows:


I set deny "Read all properties" on "BranchOffice - 003" and, under "Apply onto", selected "This object and all child objects". It didn't work.

I got upset and selected deny "Full control" and tried again. It didn't work either. I spoke with other MVPs, and Torsten Meringer (http://www.mssccmfaq.de/) gave me a hint, so I went to check. The problem was that when I selected deny "Full control", it changed "Apply onto" to "This object only".

After playing a bit more, I found the solution I was looking for. To exclude the OU, I had to deny "List contents" on that OU, applied to "This object and all child objects".
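The same deny ACE can be set and verified from PowerShell rather than the ACL editor. This is an added example, not code from the original post; the OU distinguished name and the site server computer account are placeholders, and it assumes the ActiveDirectory module (which provides the AD: drive) is installed.

```powershell
# Added example: deny "List Contents" on one OU, inherited to all child objects,
# for the site server computer account so AD System Discovery skips that OU.
Import-Module ActiveDirectory

$ouDn       = 'OU=BranchOffice - 003,OU=Branches,DC=contoso,DC=local'  # placeholder OU DN
$siteServer = 'CONTOSO\CM01$'                                          # placeholder site server computer account

# Resolve the computer account to a SID so the ACE is stored by identity, not by name.
$identity = New-Object System.Security.Principal.NTAccount($siteServer)
$sid      = $identity.Translate([System.Security.Principal.SecurityIdentifier])

# ActiveDirectoryRights.ListChildren is the right the ACL editor labels "List contents".
# ActiveDirectorySecurityInheritance.All matches "This object and all child objects".
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Read the OU's current ACL, add the deny ACE, and write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list deny ACEs for the site server on that OU and confirm InheritanceType is "All".
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $siteServer -and $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor, then run a discovery cycle and check that no resources from that OU appear.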