gordonf Posted August 23, 2013

I came to SCCM from managing software deployments via Group Policy, so the Active Directory environments I work in reflect my GPO-centric approach. For instance I'll create organizational units separated out by OS or CPU architecture, followed by physical location. Here's an example:

mydomain.local
- Windows 32-bit
--- IT Office
------ PC1
------ PC2
--- Marketing Office
------ PC3
------ PC4
- Windows 64-bit
--- IT Office 64
----- PC5
--- Marketing Office 64
----- PC6

This lets me deploy GPOs and other settings from the top down; I'd have a base set of defaults followed by specifics for a given location. My collections in SCCM will use the OU membership to tell which collection to put a PC in, usually as a consequence of migrating software deployments from GPOs to SCCM applications.

When I introduce out-of-band management to this kind of AD tree, I'm not able to fit it. OOB Setup says I need to create or use an OU for OOB-managed PCs and ensure the appropriate SCCM servers have read/write access to that OU and can add and remove members to an AD group. But I have more than one OU set up; I can't pick them all.

Say I pick "Windows 64-bit" as the OU that the OOB Service Point should use. As it discovers AMT-capable PCs it will create computer accounts in the root of this OU, so the resulting tree looks like this:

mydomain.local
- Windows 64-bit
-- PC5$iME
-- PC6$iME
--- IT Office 64
----- PC5
--- Marketing Office 64
----- PC6

When SCCM does this though, the query rules that maintain my per-location collections will remove the original computer from its collection, and it will create new computer items named, for instance, "PC5iME" (without the "$") in that collection. If I don't have a collection for that OU, it will still have a computer object in the Devices list and it will appear in the All Systems collection, but with the new name. Hm, ok that isn't good.
What if I created a new OU, and had SCCM's OOB service point create new computer accounts there instead? The resulting tree looked like this:

mydomain.local
- AMT-Managed PCs
-- PC5$iME
-- PC6$iME
- Windows 64-bit
--- IT Office 64
----- PC5
--- Marketing Office 64
----- PC6

...only if I do that, the collections representing, say, "Windows 7 64-bit / IT Office 64" lose their computer objects entirely, and they don't appear in any other collection but "All Systems," and even then with the modified name like "PC5iME."

I really don't want to destroy these OU trees just to accommodate AMT and OOB management, because I still have non-software GPOs that apply per-location, per-OS or per-CPU architecture. Or is SCCM the right tool for managing AMT in this environment?

(By the way, why is "AMT" blocked as a search term?)
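One way to audit where the OOB service point's "<host>$iME" accounts land relative to their host computer objects, as an added PowerShell example that is not part of the original post (the sample objects are constructed to match the trees above; Get-ParentOU and Get-AmtAccountReport are hypothetical helper names):

```powershell
# Added example (not from the original post): pair each "<host>$iME" account that the
# SCCM out-of-band service point creates with its host computer account and report
# where both sit in the OU tree. The sample data below is constructed; against a real
# domain you would feed in the output of
#   Get-ADComputer -Filter * | Select-Object Name, DistinguishedName

function Get-ParentOU {
    param([string]$DistinguishedName)
    # Drop the leading "CN=<name>," component to get the container's DN
    return ($DistinguishedName -replace '^CN=[^,]+,', '')
}

function Get-AmtAccountReport {
    param([object[]]$Computers)
    $byName = @{}
    foreach ($c in $Computers) { $byName[$c.Name.ToUpper()] = $c }

    foreach ($c in ($Computers | Where-Object { $_.Name -like '*$iME' })) {
        $hostName = $c.Name -replace '\$iME$', ''
        $hostObj  = $byName[$hostName.ToUpper()]
        $amtOU    = Get-ParentOU $c.DistinguishedName
        $hostOU   = if ($hostObj) { Get-ParentOU $hostObj.DistinguishedName } else { $null }
        [pscustomobject]@{
            AmtAccount   = $c.Name
            HostFound    = [bool]$hostObj
            AmtOU        = $amtOU
            HostOU       = $hostOU
            # True when the AMT object sits in an ancestor OU of the host's OU, i.e. the
            # "root of Windows 64-bit" layout the post describes; false when it was
            # placed in a separate OU such as "AMT-Managed PCs"
            AmtAboveHost = ($null -ne $hostOU) -and $hostOU.EndsWith(",$amtOU")
        }
    }
}

# Constructed sample: PC5's AMT account in the root of its OU tree, PC6's in a separate OU
$sample = @(
    [pscustomobject]@{ Name = 'PC5';     DistinguishedName = 'CN=PC5,OU=IT Office 64,OU=Windows 64-bit,DC=mydomain,DC=local' }
    [pscustomobject]@{ Name = 'PC5$iME'; DistinguishedName = 'CN=PC5$iME,OU=Windows 64-bit,DC=mydomain,DC=local' }
    [pscustomobject]@{ Name = 'PC6';     DistinguishedName = 'CN=PC6,OU=Marketing Office 64,OU=Windows 64-bit,DC=mydomain,DC=local' }
    [pscustomobject]@{ Name = 'PC6$iME'; DistinguishedName = 'CN=PC6$iME,OU=AMT-Managed PCs,DC=mydomain,DC=local' }
)

Get-AmtAccountReport -Computers $sample | Format-Table -AutoSize
```

Any row with HostFound false points at an AMT account whose host object no longer exists or was renamed, and AmtAboveHost shows which of the two OU layouts from the post each pair currently follows.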