Hi,

It uses the Primary site servers computer account, so that is the account you should grant permissions.

Regards,
Jrgen

Note that denying permission in AD will not work to prevent AD System Discovery from discovery a system within an OU because (from http://technet.microsoft.com/en-us/library/cc736316%28WS.10%29.aspx):

"Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. "

And by default, all objects in AD have explicit read permissions for Authenticated Users which will include the site server's account so this will not work unless you explicitly deny permissions on all of the objects.

Quick simple question that I can't seem to find the answer too!

Which account does SCCM 2007 use when running an AD System Discovery?

I want to deny access on certain AD OUs, so that these systems are not discovered and added to SCCM. I'd rather do it this way than including all the other OUs in the System Discovery properties.

Thanks Jason, that explains why it's not working..... ;-)

Oh well, back to the drawing board...