|
1 | 1 | --- |
2 | | -title: Delta AD Group Discovery skips the membership discovery for a group scope in child OU of other group scope |
3 | | -description: Troubleshoot an issue when AD Delta Discovery fails to detect group membership change. |
4 | | -ms.date: 01/12/2026 |
| 2 | +title: Delta AD Group Discovery doesn't detect membership changes in nested OUs |
| 3 | +description: Troubleshoot an issue when AD Delta Discovery fails to detect group membership changes in child organizational units. |
| 4 | +ms.date: 01/12/2025 |
5 | 5 | ms.reviewer: kaushika, jarrettr, brianhun, payur |
6 | 6 | ms.custom: sap:Boundary Groups, Discovery and Collections\Active Directory Discovery (all types) |
7 | 7 | --- |
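Review bot: ms.date moves backwards in the front matter, from 01/12/2026 to 01/12/2025, while the Resolution text in this same change reads "as of January 2026". A 2025 date on an article that refers to January 2026 looks like a typo; keep ms.date: 01/12/2026 or set it to the actual date of this edit.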
8 | | -# Delta AD Group Discovery skips detecting the membership change for a group scope in child OU of other group in discovery scopes |
| 8 | +# Delta AD Group Discovery doesn't detect membership changes in nested OUs |
9 | 9 |
|
10 | | -This article describes how to identify and resolve an issue in which Active Directory Group Discovery fails to detect group membership changes. |
| 10 | +This article describes how to identify and resolve an issue in which Active Directory Group Discovery fails to detect group membership changes when groups are located in nested organizational units. |
11 | 11 |
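Review bot: The new H1 and intro sentence ("in nested OUs", "when groups are located in nested organizational units") are broader than the conditions listed under Symptoms, where the miss occurs only when Group B's OU is a child of an OU that holds another group in the discovery scopes. Consider wording such as "when a scoped group is in a child OU of another scoped group's OU", so that readers with nested OUs but no scoped group in the parent OU don't assume they are affected.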
|
12 | 12 | _Applies to:_ Configuration Manager (current branch) |
13 | 13 |
|
14 | 14 | ## Symptoms |
15 | 15 |
|
16 | 16 | You set up an Active Directory Group Discovery to target specific AD Groups as discovery scopes as per [Configure Active Directory Group Discovery](/intune/configmgr/core/servers/deploy/configure/configure-discovery-methods#bkmk_config-adgd). |
17 | 17 |
|
18 | | -You notice that AD Group Delta Discovery fails to catch the changes in certain group membership. At the same time, forcing a Full Discovery cycle resolves the issue. |
| 18 | +You notice that AD Group Delta Discovery fails to catch the changes in certain group memberships. However, forcing a Full Discovery cycle resolves the issue. |
19 | 19 |
|
20 | | -In particular, the issue happens when the following conditions are met: |
| 20 | +In particular, the issue occurs when the following conditions are met: |
21 | 21 |
|
22 | 22 | - Scope A: Group A located in organizational unit OU-A |
23 | 23 | - Scope B: Group B located in organizational unit OU-B |
24 | | -- OU-B is located under OU-A (being, hence, a child OU) |
| 24 | +- OU-B is a child OU located under OU-A |
25 | 25 |
|
26 | | -If all above conditions are met, changes in Group B's membership aren't detected by AD Group Delta Discovery. |
| 26 | +When all these conditions are met, changes in Group B's membership aren't detected by AD Group Delta Discovery. |
27 | 27 |
|
28 | 28 | ## Cause |
29 | 29 |
|
30 | | -During AD Group Delta Discovery, Configuration Manager detects the organizational units (OUs) of the target groups in discovery scopes and builds a tree structure of OUs. It ignores the child OUs of the target groups' OUs. |
| 30 | +During AD Group Delta Discovery, Configuration Manager detects the organizational units (OUs) of the target groups in discovery scopes and builds a tree structure of OUs. It then ignores any child OUs of the target groups' OUs. |
31 | 31 |
|
32 | | -AD Group Full Discovery follows different algorithm that doesn't ignore child OUs, so it works as expected. |
| 32 | +AD Group Full Discovery follows a different algorithm that doesn't ignore child OUs, so it works as expected. |
33 | 33 |
|
34 | 34 | ## Resolution |
35 | 35 |
|
36 | | -Microsoft is aware of this issue, however as per January 2026 there's no ETA or even commitment to fix it. To work around this issue, you can either: |
| 36 | +Microsoft is aware of this issue. However, as of January 2026, there's no ETA or commitment to fix it. To work around this issue, you can: |
37 | 37 |
|
38 | | -- Move the Group B to another OU that isn't a child of OU-A (or any other OU in the discovery scopes). |
39 | | -- Include OU-B in the discovery scopes as Organizational Unit. |
| 38 | +- Move Group B to another OU that isn't a child of OU-A (or any other OU in the discovery scopes). |
| 39 | +- Include OU-B in the discovery scopes as an Organizational Unit. |
40 | 40 | - Fall back to Full AD Group Discovery. |
41 | 41 |
|
42 | 42 | ## Identify the issue |
43 | 43 |
|
44 | 44 | Here are the steps to check logs and identify the issue: |
45 | 45 |
|
46 | | -1. Create the list of scopes by checking the beginning of any discovery cycle in ADSGDis.log. Verify the LDAP Paths: in particular, validate that the affected group is in child OU of another one in the list. |
| 46 | +1. Create the list of scopes by checking the beginning of any discovery cycle in ADSGDis.log. Verify the LDAP paths. In particular, validate that the affected group is in a child OU of another one in the list. |
47 | 47 |
|
48 | | -```output |
49 | | -!!!!Valid Search Scope Name: Unaffected Group Search Path: LDAP://CN=GROUP-A,OU=OU-A,DC=FOURTHCOFFEE,DC=COM IsValidPath: TRUE |
50 | | -!!!!Valid Search Scope Name: Affected Group Search Path: LDAP://CN=GROUP-B,OU=OU-B,OU=OU-A,DC=FOURTHCOFFEE,DC=COM IsValidPath: TRUE |
51 | | -``` |
| 48 | + ```output |
| 49 | + !!!!Valid Search Scope Name: Unaffected Group Search Path: LDAP://CN=GROUP-A,OU=OU-A,DC=FOURTHCOFFEE,DC=COM IsValidPath: TRUE |
| 50 | + !!!!Valid Search Scope Name: Affected Group Search Path: LDAP://CN=GROUP-B,OU=OU-B,OU=OU-A,DC=FOURTHCOFFEE,DC=COM IsValidPath: TRUE |
| 51 | + ``` |
52 | 52 |
|
53 | 53 | 1. Find any Delta Discovery cycle in the log. Look for the following line and filter by the thread writing it. |
54 | 54 |
|
55 | | -```output |
56 | | -INFO: CADSource::incrementalSync returning 0x00000000~ |
57 | | -``` |
| 55 | + ```output |
| 56 | + INFO: CADSource::incrementalSync returning 0x00000000~ |
| 57 | + ``` |
58 | 58 |
|
59 | 59 | 1. First, Delta Discovery goes through the list of scopes: |
60 | 60 |
|
61 | | -```output |
62 | | -INFO: -------- Starting to process search scope (Unaffected Group) -------- |
63 | | -INFO: -------- Finished to process search scope (Unaffected Group) -------- |
64 | | -INFO: -------- Starting to process search scope (Affected Group) -------- |
65 | | -INFO: -------- Finished to process search scope (Affected Group) -------- |
66 | | -``` |
| 61 | + ```output |
| 62 | + INFO: -------- Starting to process search scope (Unaffected Group) -------- |
| 63 | + INFO: -------- Finished to process search scope (Unaffected Group) -------- |
| 64 | + INFO: -------- Starting to process search scope (Affected Group) -------- |
| 65 | + INFO: -------- Finished to process search scope (Affected Group) -------- |
| 66 | + ``` |
67 | 67 |
|
68 | 68 | 1. The Delta Discovery proceeds to "immediate search base" then: |
69 | 69 |
|
70 | | -```output |
71 | | -INFO: -------- Starting to process search scope (Immediate search base) -------- |
72 | | -INFO: Processing search path: 'LDAP://OU=OU-A,DC=FOURTHCOFFEE,DC=COM'.~ |
73 | | -``` |
| 70 | + ```output |
| 71 | + INFO: -------- Starting to process search scope (Immediate search base) -------- |
| 72 | + INFO: Processing search path: 'LDAP://OU=OU-A,DC=FOURTHCOFFEE,DC=COM'.~ |
| 73 | + ``` |
74 | 74 |
|
75 | | -1. If you see this error message for the OU-B, you successfully identified the issue: |
| 75 | +1. If you see this error message for OU-B, you have successfully identified the issue: |
76 | 76 |
|
77 | | -```output |
78 | | -INFO: Found invalid Search Path: LDAP://OU=OU-B,OU=OU-A,DC=FOURTHCOFFEE,DC=COM. Probably it's sub search path of other search path and will be covered by them. |
79 | | -INFO: -------- Finished to process search scope (Immediate search base) -------- |
80 | | -``` |
| 77 | + ```output |
| 78 | + INFO: Found invalid Search Path: LDAP://OU=OU-B,OU=OU-A,DC=FOURTHCOFFEE,DC=COM. Probably it's sub search path of other search path and will be covered by them. |
| 79 | + INFO: -------- Finished to process search scope (Immediate search base) -------- |
| 80 | + ``` |
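Review bot: Step 5 still calls the entry an "error message", but the quoted line is logged at INFO level (INFO: Found invalid Search Path: ...), so anyone filtering ADSGDis.log for errors or warnings will not find it. Suggest "If you see this log entry for OU-B, you have successfully identified the issue", and consider stating that the marker line in step 2 reports incrementalSync returning 0x00000000, so the skipped path has to be found by searching for the "Found invalid Search Path" text.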