How to Exclude OU from AD User Discovery in SCCM

In this tutorial, I will explain how to exclude an OU from Active Directory User Discovery in SCCM. Starting in ConfigMgr version 2103, you can exclude organizational units from Active Directory User Discovery.

Recently, I was auditing the Configuration Manager setup for an organization. After the audit was completed, one of the requirements was to exclude user OUs from the discovery method.

This organization wanted to exclude HR and Finance Department users from being discovered in SCCM. Fortunately, the user accounts for these two departments were divided into separate organizational units. In addition, they asked to exclude the SCCM client installation on the laptops.

If you are a ConfigMgr consultant, you may come across a similar requirement of excluding the discovery of users and certain devices from SCCM. Not to worry, it’s not a complex task and I will show you how to get this done.

Create Organizational Units for Users

Organizational units (OUs) are container objects in Active Directory that allow you to organize and manage your network resources, including users, computers, and other objects.

By default, new Active Directory users are put in the Users container (CN=Users). Most organizations follow best practices and create organizational units for users. For example, if you have users from various departments, such as IT, HR, Finance, Sales, and Support, it makes sense to create separate OUs for each department.

By organizing your users into OUs, you can simplify your management tasks. It also makes it easier to exclude the entire OU containing the users from discovery in SCCM.

Prerequisites

To exclude the organizational units from AD user discovery, the following prerequisites must be met:

Exclude OU from AD User Discovery in SCCM

Follow the steps below to exclude organizational units (OUs) from Active Directory User Discovery in SCCM:

Step 1: From the Configuration Manager console, go to Administration > Hierarchy Configuration > Discovery Methods.

Step 2: Right-click on Active Directory User Discovery and select Properties.

Step 3: On the General tab of the Active Directory User Discovery Properties window, select the New icon to specify a new Active Directory container.

Step 4: In the Active Directory Container dialog box, locate the Search Options. Now click on Browse and select the organizational units that you want to exclude from user discovery. You may select and add multiple OUs here. Select OK to save the Active Directory container configuration.

After completing the above steps, you must wait for the user discovery method to run on its configured schedule. To speed up the process, right-click Active Directory User Discovery and choose Run Full Discovery Now. Review the SCCM logs to monitor the discovery methods.

When the user discovery method runs, it now skips the excluded OUs, and Configuration Manager no longer populates the users in those OUs.
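To confirm the exclusion took effect, the following added example (not part of the original article) reads the SMS_R_User class from the SMS Provider WMI namespace and lists any user resources whose distinguished name falls under an excluded OU or one of its child OUs. The site code, provider server name and OU distinguished names are placeholder assumptions; replace them with your own values.

```powershell
# Assumed placeholder values: replace with your site code, SMS Provider and OU DNs.
$SiteCode     = 'ABC'
$ProviderHost = 'cm01.example.com'
$ExcludedOUs  = @(
    'OU=HR,DC=example,DC=com',
    'OU=Finance,DC=example,DC=com'
)

# Returns $true when the DN sits inside one of the OUs (child OUs included).
# Matching on ",<OU DN>" at the end avoids false hits such as OU=HR-Archive.
function Test-InExcludedOU {
    param(
        [string]   $DistinguishedName,
        [string[]] $OUs
    )
    foreach ($ou in $OUs) {
        if ($DistinguishedName.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# SMS_R_User holds the discovered user resources for the site.
$users = Get-CimInstance -ComputerName $ProviderHost `
    -Namespace "root\SMS\site_$SiteCode" `
    -Query 'SELECT ResourceId, UniqueUserName, DistinguishedName FROM SMS_R_User'

# Keep only records with a DN that falls under an excluded OU.
$leftover = $users | Where-Object {
    $_.DistinguishedName -and (Test-InExcludedOU $_.DistinguishedName $ExcludedOUs)
}

if ($leftover) {
    $leftover |
        Sort-Object DistinguishedName |
        Format-Table ResourceId, UniqueUserName, DistinguishedName -AutoSize
}
else {
    Write-Output 'No user resources found under the excluded OUs.'
}
```

Run it from an account with read access to the SMS Provider after a full discovery cycle has completed.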
