
Exclude an Active Directory OU from SMS Client Push


kmkeshav

IS-IT--Management
Dec 12, 2005
273
NL
How to exclude computers in an Active Directory OU from SMS Client Push?

We are in Advanced Security mode. I tried denying Read permission for the SMS Site Server's computer account for the OU I wish to exclude. It didn't work. The computers are still being discovered and showing in the "All Computers" collection.

Any help would be really appreciated.

-Keshav
 
I don't think that can happen. SMS reads the AD information from the AD db. You can of course prevent installation of clients by various methods, but I've never heard of preventing SMS from seeing something in the same domain's AD.
The only other thing I would think would work is if you created another domain in the forest and placed those computers in that domain.
 
The other, perhaps more practical, method is to use a GPO script to install the client and not apply the script to that OU. This is how I set up every account I do. (There are several scripts "out there", including some very good SMS client health scripts that run at startup.)
 
Thanks for your response. We already have the GPO method of SMS Advanced Client installation in place. This is just to know if OU exclusion is possible.
 
You could make a collection, say All Computers, and add a subselect statement to it, say:

select * from SMS_R_System where SystemOUName = "ABC1.ABC.YOURDOMAIN.COM/ OUNAME / OUNAME / OUNAME /WORKSTATIONS/STANDARD"

This would see all the computers in AD but prevent those from an SMS push of the client.


***Subselect instructions:
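
A collection query of the kind this reply describes, as an added example that is not part of the original post: a WQL subselect that returns every discovered system except those in one OU. The OU path is the thread's placeholder, and the `--` lines are annotations for the reader, not part of the query statement.

```sql
-- Added example. Query statement for a query-based collection.
-- The OU path below is a placeholder taken from the thread; replace it with
-- the canonical path of the OU to exclude.
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
where SMS_R_System.ResourceId not in (
    -- Inner query: every system discovered in the excluded OU.
    select SMS_R_System.ResourceId
    from SMS_R_System
    where SMS_R_System.SystemOUName = "ABC1.ABC.YOURDOMAIN.COM/OUNAME/WORKSTATIONS/STANDARD"
)
```

This only limits who is in the collection, so it applies to a push aimed at that collection from the Client Push Installation Wizard. The computers are still discovered and still appear in "All Computers".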
 
Thanks for your reply. I believe this method will be more helpful for the Client Push Installation Wizard (initiated from the SMS Admin Console). How do I use this for configuring Client Push Installation on a secondary site? If I enable Client Push on a secondary site, won't all the computers within the assigned site boundaries be discovered and SMS Adv Clients be installed (irrespective of the OUs they belong to)?

The subselect method did solve one of my other puzzles :)

-Keshav
 
Btw, I had raised a PSS case with Microsoft and they replied today that it won't be possible. :-(

-Keshav
 
Although I have never done it, if you open your console to Site settings | Discovery Methods |, right-click Active Directory security group discovery and select Help, it indicates you can discover OUs. That said, if you can do that, you should be able to create a query-based collection based on the OU you discovered and push to that collection only.
 
Thanks for your reply. I think this is perfect for the Client Push Installation Wizard, which an SMS Administrator will use to push the SMS Advanced Client to computers in a collection. I am talking about the Client Push Installation enabled on an SMS Site. As per my understanding, this will automatically install the SMS Advanced Client on the discovered computers (irrespective of their OU/Collection memberships) falling within the subnets assigned as Site Boundaries to that SMS Site. Please correct me if I am wrong.

-Keshav
 