Hello, I'm running SCCM 2007 SP1 and I am having an issue with the ADSystem Group Discovery not picking up the OU for workstations so I can create collections based on the OU name. Ive got system group discovery enabled and have added the containers within AD to search with Recursive set to Yes and Group set to Excluded. It is set to poll once a day. I've checked the adsysgrp.log and I do see this fairly often: Could not get property (memberOf) for system XXXXXXXXXX I am assuming this is probably it but it doesnt really give any clue as to why. Any ideas on what I could check from here? Thanks!

Hi Lee, Administrators examining the Active Directory User and Active Directory System Group Discovery log files might see a message, such as "Could not get property (memberOf) for system I804243~.". This message indicates that the Active Directory discovery method was unable to access the memberOf property in Active Directory. Active Directory System Group Discovery is unable to access the memberOf property in Active Directory in the following two scenarios: The computer is not a member of any group other than its primary group (Domain Computers, by default). This is because Active Directory stores the Primary Group information in the primaryGroupID property instead of in the memberOf property. The computer is in a Windows Server 2003 domain, and the site server is configured with advanced security. By default, computer accounts do not have access to the memberOf property in the Windows Server 2003 version of Active Directory. WORKAROUND: In the first scenario, you can ignore the message in the log file. In the second scenario, do the following: Open the Active Directory Users and Computers console. Right-click the domain to be discovered, and then click Delegate Control. In the Delegation of Control Wizard, add the System Account for the primary site server to the list of accounts to be delegated. Click Create A Custom Task To Delegate. Either specifically choose Computer and User objects, or choose all objects. Select the Allow them to Read All Properties option. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Sorry guys, I got way ahead of myself it seems. I do have machines with the OU name filled in and discovery did work and also the reason I wasnt seeing any errors etc. I think I have wasted everyones time, We have alot of systems in the computers "container". I thought since even though I had the container selected in the discovery it would populate the OU name with the container name if the machine was not technically in an OU but a instead a container. This info is under system container name. Its too bad that the OU name isnt populated with the container name but then I guess it wouldnt be called System "OU" name. god I feel so dumb sorry folkes. I just wanted to create collections based on OU but I guess now I will need to base those on a combination of OU Name and Container Name. Thanks for all your assistance this was a valuable learning experience.