I'm an IT professional with over fourteen years of experience, and since 2000 I've been working with Microsoft Infrastructure. I did my postgraduate studies in Computer Network and Telecommunications and am a Microsoft Certified Professional (MCP, MCSA Security, MCSE Security, MCTS, MCITP, MCT and MVP). I work as a Technical Consultant, mainly involved in Microsoft Security and System Center Configuration Manager solutions.
I was awarded MVP status by Microsoft in 2010 for System Center Configuration Manager.
Hi All,

I've been asked by a customer how to exclude one OU from System Discovery. When he asked me, I said it's easy: you only need to deny read on that OU to the site server. However, it wasn't that simple, as they are using specific permissions instead.

If you read the documentation, you'll find: To run Active Directory Discovery, the Active Directory domain can be in any Active Directory mode, and the site server computer account must have Read access to the specified Active Directory containers.

To play around a bit, I set up my lab as follows:
I then set deny "read all properties" on "BranchOffice - 003" and, for "apply onto", selected "this object and all child objects". It didn't work.

I got upset, selected deny "full control" and tried again. It didn't work either. I spoke with other MVPs, and Torsten Meringer (http://www.mssccmfaq.de/) gave me a hint, so I went to check. The problem was that when I selected deny "full control", it changed "apply onto" to "this object only".

After playing a bit more, I found the solution I was looking for. To deny it, I had to deny "list contents" on that OU and all child objects.
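
The same deny entry set from PowerShell, as an added example that is not part of the original post: it denies "list contents" to the site server computer account on the OU and all child objects, then re-reads the ACL to confirm the scope was not left at "this object only". The domain part of the DN and the site server name are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the original post.
# Placeholders (assumptions): the domain part of the DN and the site server name.
Import-Module ActiveDirectory

$ouDn       = 'OU=BranchOffice - 003,DC=example,DC=com'   # placeholder DN
$siteServer = 'SITESERVER01'                               # placeholder computer name

# Resolve the site server computer account to its SID.
$sid = (Get-ADComputer -Identity $siteServer).SID

# Deny "List contents" (ListChildren). InheritanceType 'All' corresponds to
# "This object and all child objects" in the ACL editor.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Re-read the ACL and report every explicit deny ACE held by the site server.
# An ACE whose AppliesTo is 'None' covers "this object only" and will not
# hide the child objects from discovery.
$explicit = (Get-Acl -Path $path).GetAccessRules(
    $true,    # include explicit ACEs
    $false,   # skip inherited ACEs
    [System.Security.Principal.SecurityIdentifier]
)

foreach ($ace in $explicit) {
    if ($ace.AccessControlType -ne 'Deny') { continue }
    if ($ace.IdentityReference.Value -ne $sid.Value) { continue }

    [pscustomobject]@{
        Rights             = $ace.ActiveDirectoryRights
        AppliesTo          = $ace.InheritanceType
        CoversChildObjects = ($ace.InheritanceType -eq 'All')
    }
}
```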