Active Directory Discovery

Active Directory System Group Discovery Is Unable to Find the memberOf Property

Administrators examining the Active Directory User and Active Directory System Group Discovery log files might see a message such as "Could not get property (memberOf) for system I804243~." This message indicates that the Active Directory discovery method was unable to access the memberOf property in Active Directory.

Active Directory System Group Discovery is unable to access the memberOf property in Active Directory in the following two scenarios:

  • The computer is not a member of any group other than its primary group (Domain Computers, by default). This is because Active Directory stores the Primary Group information in the primaryGroupID property instead of in the memberOf property.

  • The computer is in a Windows Server 2003 domain, and the site server is configured with advanced security. By default, computer accounts do not have access to the memberOf property in the Windows Server 2003 version of Active Directory.

WORKAROUND: In the first scenario, you can ignore the message in the log file. In the second scenario, do the following:

  1. Open the Active Directory Users and Computers console.

  2. Right-click the domain to be discovered, and then click Delegate Control.

  3. In the Delegation of Control Wizard, add the System Account for the primary site server to the list of accounts to be delegated.

  4. Click Create A Custom Task To Delegate.

  5. Either specifically choose Computer and User objects, or choose all objects.

  6. Select the Allow them to Read All Properties option.
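
To decide which of the two scenarios applies to a system named in the log, the following added example (not part of the original documentation) triages directory entries and goes one step beyond the text by deriving the primary group's SID from objectSid and primaryGroupID. It assumes the attribute values were read by an account that can read all properties; the computer names, SIDs, and group DN are constructed sample data, and the function names are hypothetical.

```python
import struct


def make_sid(rid: int) -> bytes:
    """Build constructed objectSid bytes: S-1-5-21-<sample domain>-<rid>."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
        "<5I", 21, 1004336348, 1177238915, 682003330, rid)


# Constructed entries, as read by an account that can read all properties.
ENTRIES = [
    {"name": "WKS-A", "objectSid": make_sid(1105), "primaryGroupID": 515,
     "memberOf": []},
    {"name": "WKS-B", "objectSid": make_sid(1106), "primaryGroupID": 515,
     "memberOf": ["CN=Kiosk PCs,OU=Groups,DC=example,DC=test"]},
]


def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Swap the object's own RID for primaryGroupID to get the group's SID."""
    domain_sid = sid_to_str(object_sid).rpartition("-")[0]
    return f"{domain_sid}-{primary_group_id}"


def triage(entry: dict) -> dict:
    """Map a system named in the log message to scenario 1 or scenario 2."""
    # An empty memberOf under a privileged read means primary group only.
    scenario = 2 if entry["memberOf"] else 1
    return {
        "name": entry["name"],
        "scenario": scenario,
        "primary_group": primary_group_sid(entry["objectSid"],
                                           entry["primaryGroupID"]),
        "action": ("ignore the message" if scenario == 1
                   else "check read access to memberOf"),
    }


if __name__ == "__main__":
    for e in ENTRIES:
        print(triage(e))
```

A primaryGroupID of 515 is the well-known RID of Domain Computers, so WKS-A matches the first scenario, while WKS-B has readable group memberships and therefore points to the second.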