Contributed By: Cliff Hobbs [MVP SMS]
If you look in your AD System Group Discovery log you may see an error like the following: "Could not get property (memberOf) for system <system_name>". Basically what this means is that at the time Discovery ran it wasn't able to query the "memberOf" property for the object in Active Directory. Normally this is for one of the following two reasons:
- When a computer is added to AD it's automatically assigned membership to the "Domain Computers" group. This group is assigned as the computer's Primary Group and the information relating to the computer's membership is stored in AD in the "primaryGroupID" property. When System Group Discovery runs, it attempts to query the "memberOf" property which doesn't exist for the "Domain Computers" group so SMS generates the error. If you were to add the computer to another AD group SMS would be able to query the "memberOf" property for that group as all other groups store their information in the "memberOf" property.
- If the computer being discovered is a member of a Windows 2003 Domain and SMS is configured to use Advanced security it will be unable to access the "memberOf" property by default. Advanced security uses the computer account of the Site Server and by default in a Windows 2003 Domain computer accounts do not have permission to access the "memberOf" property.
In the first case there's not a lot you can do about it, but in the second scenario you can use the following workaround:
- Load the "Active Directory Users and Computers" console.
- Right-click the domain being discovered and select "Delegate Control" from the context menu.
- In the "Delegation of Control Wizard", add the System Account for the Primary Site Server performing discovery to the list of accounts to be delegated.
- Next click "Create A Custom Task To Delegate".
- You can either choose "Computer and User objects" or choose all objects.
- Select the "Allow them to Read All Properties" option.
- Close Active Directory Users and Computers.
The next time Discovery runs it should be able to access AD successfully.
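
To tell the two causes apart for the systems named in the log, the following added example (not part of the original FAQ or of SMS) looks up each system's "memberOf" and "primaryGroupID" values. It assumes the ActiveDirectory PowerShell module is available and that it is run under an account that can read computer objects; the log lines and system names are constructed samples.

```powershell
# Added example: triage systems named in "Could not get property (memberOf)" errors.
# Assumption: the ActiveDirectory module is installed and the caller can read computer objects.
Import-Module ActiveDirectory

# Constructed sample lines; only the quoted message text comes from the FAQ.
$logLines = @(
    'Could not get property (memberOf) for system WKS-0142',
    'Could not get property (memberOf) for system SRV-FILE01'
)

# The primary group is stored as a RID; domain SID + RID gives the group's SID.
$domainSid = (Get-ADDomain).DomainSID.Value

$logLines |
    Select-String -Pattern 'Could not get property \(memberOf\) for system (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique |
    ForEach-Object {
        $name = $_
        $c = Get-ADComputer -Filter "Name -eq '$name'" -Properties memberOf, primaryGroupID
        if (-not $c) {
            [pscustomobject]@{ System = $name; PrimaryGroup = $null
                               MemberOfCount = $null; Likely = 'Not found in AD' }
            return   # skip to the next system
        }

        $primary = (Get-ADGroup -Identity "$domainSid-$($c.primaryGroupID)").Name
        $count   = @($c.memberOf).Count

        # Empty memberOf: the computer is only in its primary group (first case).
        # Populated memberOf: the attribute exists, so the discovery account
        # probably cannot read it (second case, fixed by the delegation above).
        $likely = if ($count -eq 0) {
            'First case: only in primary group, memberOf is empty'
        } else {
            'Second case: check read permission for the Site Server account'
        }

        [pscustomobject]@{ System = $name; PrimaryGroup = $primary
                           MemberOfCount = $count; Likely = $likely }
    } | Format-Table -AutoSize
```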