What is Active Directory Group Discovery?
Active Directory Group Discovery is a discovery method in SCCM used to identify the group memberships of users and computers in your Active Directory environment. This enables SCCM to better understand the organizational structure and relationships within AD, such as which computers or users belong to which groups.
How It Works in Detail
- SCCM connects to Active Directory Domain Services (AD DS) using LDAP queries.
- It queries specific groups or containers in AD based on your configuration.
- For each group, SCCM finds all members — which can be users, computers, or even other groups (nested groups).
- It collects information such as:
  - Group name
  - Member names
  - Object types (user or computer)
  - Group security identifiers (SIDs)
- SCCM imports this data into its site database, enriching the data about users and computers.
- This allows you to target deployments or policies based on group memberships rather than individual machines or users.
Why Use Group Discovery?
- Target Deployments Using AD Groups
  Instead of deploying software or policies to individual users or computers, you can deploy based on AD group membership. This makes management easier, more scalable, and aligned with existing AD security groups.
- Discover Users and Computers Not Found by Other Methods
  Sometimes, users or computers may not be found by other discovery methods (e.g., Network Discovery, System Discovery). Group Discovery can find these if they are members of an AD group you are monitoring.
- Monitor Group Membership Changes
  SCCM can track changes in group membership over time, keeping deployment targets up to date.
Configuration Options
When you enable Active Directory Group Discovery, you can configure:
- Containers to search: Specify the AD organizational units (OUs) or containers where SCCM should look for groups.
- Group filtering: Limit discovery to specific groups by name or location.
- Poll intervals: How often SCCM polls AD for changes.
- Group types: Discover security groups or distribution groups (typically only security groups are useful for deployment targeting).
- Member recursion: Whether SCCM should recursively check nested groups.
Benefits & Considerations
| Benefit | Explanation |
|---|---|
| Integration with AD structure | Uses existing AD groups for management |
| Efficient targeting | Deploy policies to groups rather than individual users |
| Discovery of hidden objects | Finds users/computers not detected by other methods |

| Consideration | Explanation |
|---|---|
| Network Load | Frequent queries can increase load on AD servers |
| Discovery Scope | Too broad a scope can lead to large data imports |
| Group Nesting | Deep nesting can complicate discovery and increase time |
Example Scenario
Imagine you have a security group in AD called “Finance_Software Users”. You want to deploy a finance application only to members of that group.
- You enable Active Directory Group Discovery in SCCM.
- Configure it to search the OU where the Finance groups reside.
- SCCM discovers all members of “Finance_Software Users”.
- You create a collection in SCCM that queries membership in this group.
- You deploy the finance application to that collection.
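The discovery walk described under "How It Works" and the scenario above, as an added example that is not SCCM's own code: it runs the same scope filter and nested-member resolution over a small constructed in-memory directory (invented DNs, names and SIDs) rather than a live domain, and includes a membership cycle between two Finance groups to show why the "Group Nesting" consideration matters.

```python
"""Model of what Active Directory Group Discovery collects: for every group
under the configured containers, the group name and SID plus each member's
name, object type and SID. Constructed sample data; not a live AD query."""

# Constructed directory: DN -> attributes. Finance_Software Users and
# Finance_Leads are members of each other, producing a nesting cycle.
DIRECTORY = {
    "CN=Finance_Software Users,OU=Finance,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "Finance_Software Users",
        "objectSid": "S-1-5-21-111-222-333-1101",
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=FIN-PC01,OU=Computers,DC=example,DC=com",
                   "CN=Finance_Leads,OU=Finance,DC=example,DC=com"]},
    "CN=Finance_Leads,OU=Finance,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "Finance_Leads",
        "objectSid": "S-1-5-21-111-222-333-1102",
        "member": ["CN=bob,OU=Users,DC=example,DC=com",
                   "CN=Finance_Software Users,OU=Finance,DC=example,DC=com"]},
    "CN=HR_Staff,OU=HR,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "HR_Staff",
        "objectSid": "S-1-5-21-111-222-333-1103",
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user",
        "sAMAccountName": "alice", "objectSid": "S-1-5-21-111-222-333-2001", "member": []},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user",
        "sAMAccountName": "bob", "objectSid": "S-1-5-21-111-222-333-2002", "member": []},
    "CN=FIN-PC01,OU=Computers,DC=example,DC=com": {"objectClass": "computer",
        "sAMAccountName": "FIN-PC01$", "objectSid": "S-1-5-21-111-222-333-3001", "member": []},
}

def discover(directory, containers, recurse=True):
    """Return (group, group SID, member, object type, member SID) records for
    every group located under one of the configured container DNs."""
    records = []
    for dn, obj in directory.items():
        if obj["objectClass"] != "group":
            continue
        if not any(dn.endswith("," + c) for c in containers):
            continue                      # outside the configured discovery scope
        seen, stack = {dn}, list(obj["member"])
        while stack:
            mdn = stack.pop()
            if mdn in seen:
                continue                  # duplicate or nesting cycle: already walked
            seen.add(mdn)
            m = directory.get(mdn)
            if m is None:
                continue                  # dangling member reference
            if m["objectClass"] == "group" and recurse:
                stack.extend(m["member"]) # member recursion: flatten nested group
                continue
            records.append((obj["sAMAccountName"], obj["objectSid"],
                            m["sAMAccountName"], m["objectClass"], m["objectSid"]))
    return records
```

Widening `containers` to the domain root pulls in HR_Staff as well, which is the "Discovery Scope" consideration in miniature.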