I had a requirement to generate report to list members (users/groups) of local administrators group on servers for auditing purpose. Finding the users/groups who are member of local administrator group manually or scripting is tedious task on all servers .If you are managing the devices with configuration manager ,you can leverage Configmgr tool to get this task done so easily .
By default ,Configmgr do not have inbuilt solution /provide any report to get members of local administrator group ,but you we can achieve this using custom solution . The only solution that i have tried earlier and seen people using ,is a solution that was provided /blogged by Sherry Kissinger .
Solution that was provided by Sherry was to create configuration item/configuration baseline with vbscript ,deploy this to collection ,import mof file into client agent settings to pull custom wmi changes that made by script,run report to get the required information.
If you search online with subject line ,you will mostly hit TechNet forum/blogs that refer to the following links.
https://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012
http://mnscug.org/images/Sherry/WMIFrameworkForLocalGroupswithLogging.zip
I have tried this solution very long ago for some of my customers which worked fantastic , but i did not blog about this as there are already posts available online.
I started to follow above blogs few days ago for my task, but for some reason these URL’s not active .So during my online search,i found few other blogs that talk about this solution .
I tried importing the cab file from sherry blog into configuration baseline, but for some unknown reason ,importing of cab file that did not succeeded on both Configmgr 2012 and Configmgr Current branch 1610. Both environments have the following error.
I am not the only one facing issue while importing the cab file, there are lot more people who posted about it on TechNet for solution.
So i started creating configuration items ,configuration baseline and do changes to client agent settings (MOF file) ,generate report .
I am attaching the configuration baseline cab file here for you to download ,extract ,import into your configmgr 2012 or configmgr current branch 1610 and simply deploy to your required collection, import MOF file into client agent settings for hardware inventory.
If you see any issues while Importing the cab file into configuration baseline ,please follow the steps illustrated below how to implement this solution step by step.
In this blog post, i will help you how to create configuration item ,configuration baseline with the script that sherry provided ,do MOF changes in client settings ,wait for hardware inventory and create SQL query to run report.
There are 2 vbscripts out there online 1) Get members of local administrators group ONLY (WIN32_localadmins) 2)Get members from all local groups on the machine (cm_localgroupmembers)
Script 1 will get you the information about users/members who are member of administrators group ONLY and script 2 will get you members of all locally created groups.
Have attached both scripts in the download section for your reference in case you don't want all groups information.
Note: This task can be achieved in 2 ways ,either by deploying script as package or deploying the script using baseline method ,but Pre-requisite ,is recurring deployment, or Recurring DCM Baseline/CI
Steps in brief:
1. Import the MOF file into default client agent settings but do not select the changes in default client agent settings. You can select these changes on custom client agent settings to deploy to collection .
2. Create configuration item,configuration baseline and deploy to collection on recurring basis.
3.Run SQL query /report to get members of local administrators group.
Note: Should i go with configuration item or as package ? I would strongly suggest you go with configuration item and make it recurring instead of scheduling it for 1 time. Why should i make it recurring ?
Since the script that is used in the configuration item will create the instance in wmi “cm_localgroupmembers ” and query local groups with its members 1 time per script run ,which means if you run the configuration item 1 time ,it will query local groups and members and pipe the information into cm_localgroupmembers ,but if any changes happened after the compliance item run ,they wont appear in cm_localgroupmembers . For any addition or deletion of users/groups from local groups ,you must schedule it on recurring basis.
In this post, i will go with configuration baseline method.
Before we start the steps, download the files that are required to create baseline,MOF file ,reports etc from here
Step 1: Copy the MOF file from download section to your SCCM server,import the MOF file into default client agent settings—>Hardware Inventory in your SCCM server (CAS if you have else primary site ) ,de-select the settings in default client agent settings for localgroupmembers .
Go to your custom client agent settings and select localgroupmembers that you want to get local members information.
If you do not have any custom client agent settings in your environment ,you can enable this settings in default client agent settings.
monitor dataldr.log for the changes .
with this change ,there will be a SQL view created and can be used for reporting which is : v_gs_localgroupmembers0. The Information which is stored SQL views that start with V_GS comes from inventory.
Step 2: From configuration manager console, assets and compliance , compliance settings right click configuration item ,create new ,type Name ,description
click next (leave default OS settings) ,next, on settings page ,add new with following information.
Name: WMI Framework for cm_localgroupmembers
Setting Type: Script
Date Type: String
Edit the script ,select vbscript ,paste the content from the SCCMLocalGroupMembers.vbs file .This is script 2 what i referred above. If you want only members of local admin group ,select localadmins.vbs
Click ok, click next ,on the compliance rules ,click new with the following information
Name: cm_localgroupmembers
Selected setting: select the setting that you created above
Rule type: existential
Setting comply rule: This specified script does not return any values
Click Ok ,next next to see the summary page.
Create a new baseline ,select the configuration item that we created above ,deploy it to collection .
Wait for client to receive new client device settings and configuration baseline to create wmi instance followed by client inventory .
On client machine after the policy ,assigned configuration baseline is compliant.
Logging information by script:
output of the script logged into SCCMLocalGroupMembers.log in C:\windows\temp folder:
Now you will see a wmi class created in root\cimv2 with cm_localgroupmembers.
The custom inventory changes that you did in client settings will pick up these changes and process in the database for reporting purpose.
Incase of any issues with creation of wmi class or not seeing any inventory in the database, please check the log if the baseline has created any wmi class or not. For database reporting, check the client inventory log if the wmi namespace picked up and sent the inventory to site server.
Now reporting /SQL Queries:
Now we have sufficient information about the local users ,member of all local groups which is stored in SQL view ‘v_gs_localgroupmembers0’ .
We can create variety of SQL queries depends on the requirement .
Query 1: List all clients with members of the local Administrators group:
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
order by sys1.netbios_name0, lgm.name0, lgm.account0
Query 2: List members of the local Administrators group on specific client:
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
, lgm.category0 [Account Type]
, lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
and sys1.Name0='clientname'
order by sys1.netbios_name0, lgm.name0, lgm.account0
Query 3: List all clients with members of the local Administrators group excluding certain users or group :
This will be helpful in case, you have applied some of the policies through GPO who should be member in local administrator group on all the clients for ex: domain admins or some other AD sec groups.
'Domain Admins','wintelMonitoring','WintelAdmins','eskonr'
declare @PC nvarchar (255);set @PC='computername'
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators' -- and sys1.name0=@pc
and lgm.account0 not in ('Domain Admins','wintelMonitoring','WintelAdmins','eskonr')
order by sys1.netbios_name0, lgm.name0, lgm.account0
Hope it helps!
108 Comments
Hello Eswar Koneti,
Thank you for share this post, it's very helpful for me. I want to report of all local users which created in machine, IN my infra have approve 250 machine and users created many local users in these system.
Could you share information How can export or get all local users list from sccm.
Thanks in Advance!
Hi,
This script as part of the blog post should cover local users part of the administrators group.
are you saying, these local users not part of the local administrator group hence they are not reflecting in the sccm report?
Thanks,
Eswar
Hello Eswar Koneti,
Thank you for share this post, it's very helpful for me. I want to report of all local users which created in machine, IN my infra have approve 250 machine and users created many local users in these system.
Could you share information How can export or get all local users list from sccm.
Thanks in Advance!
Regards,
Nihal Jaiswal
Still works on CB2303.
Thank you!
Thank you! Works in CB 2211.
it worked for me, thanks a lot
Pingback: Pulling server local administrator information to SCCM database - Boot Panic
Pingback: sccm inventory local accounts Info Online How To Sign Into Account - gobanklogin
Hi I have imported the mof file ,created the config item and baseline.Created the report however I am not getting any info back on the report I do get the SCCM log.But report returns nothing.
Can you check the local wmi on the device is any wmi classes created or not?
Hi Eswar, does the currently downloadable vbs script include the “disabled” info? At the first glance - it doesn’t. Would you be so kind to add it?
Thx
Dorota
Hi,
I will look at it and update you when the script is ready.
Thanks,
Eswar
Ran into the same issue. The VBscript does not write the disabled property to the wmi namespace. This can be confirmed by running the wmi query through powershell.
If you run: Get-WmiObject cm_localGroupMembers, you will see the disabled property is not set in the object.
Looking at the InvetoryAgentlog you can see it is running the query: select _class, _path, _relpath, account, domain, name, disabled, type from cm_localgroupmembers. You can see it fail in the log when trying to send it. It attempts to exclude but still fails in sending to the sccm MP.
You can validate this in powershell as well by running: Get-wmiobject -query "select _class, _path, _relpath, account, domain, name, disabled, type from cm_localgroupmembers"
you will return the same error as in the log. excluding the disabled properties generated the proper info.
instead of modify the VBScript I excluded it from the selection under hardware inventory cycle and the error went away as it was no longer looking to pull the property.
Great blog post! This was very helpful for our security audit.
Hi Zach,
Appreciated and thanks for your feedback.
Thanks,
Eswar
In some client machine the WMI class CM_Localgroupmember is not getting created? any suggestion on that?
can you check the log for any errors there to create the wmi class?
Thanks,
Eswar
Hi Eswar, thank you for this great work. I've follow your steps, looks like I have the WMI created but I don't see anything on either the ressource explorer or directly from the computer. The DB has the field created but everything is empty. I've checked your code and haven't seen why this is not working. Our computers are not in English but because you are looking into the WMI classes it shouldn't matter isn't it?
Hi Adrien,
do you see any data in the inventoryagent.log that the client able to send the data? if there is wmi namespace and data available and if you have extended the MOF (client agent settings), client should pick the changes and report back the data.
Thanks,
Eswar
Hey Eswar,
Thanks for answering, look like my data are incorrect from the inventoryagent.log
<time="17:08:18.771-120"
The MOF file is correct, I took it from your site. Not sure where to double check this.
Thanks
Adrien
Sorry logs seems to be cut from my comment (and the edit doesn't work on any browser for me)
<time="17:08:18.771-120"
Eswar,
First off thank you for the work you put into this. I have created everything based on your instruction, however I am running into an issue where no data is being populated into the SQL Db. I can see the log file showing below:
4/10/2020 11:59:09 AM - Script Started
4/10/2020 11:59:09 AM - Not a Domain Controller, Continuing
4/10/2020 11:59:09 AM - Cleaned cm_localgroupmembers, if it existed.
4/10/2020 11:59:09 AM - Found 21 Local Groups
4/10/2020 11:59:09 AM - Found a total of 10 Names within those 21 groups
4/10/2020 11:59:09 AM - Starting to populate cm_localgroupmembers
4/10/2020 11:59:09 AM - Completed populating cm_localgroupmembers
4/10/2020 11:59:09 AM - Script Finished
I definately see the class in wbemtest. I can evaluate and it shows Compliant when I view. Just cant piece down the part why the data is not populating. I am on SCCM 1902.
Thank you
Hi Jason,
Did you check if your client has sent the inventory to MP. you can check that from the inventoryagent.log.
do you see any view for the localgroupmembers in the database? Is the view created and is empty?
This is something to look at the database side for the reporting.
Thanks,
Eswar
Hi Eswar ... could you please edit the script to fetch the Accounts State "Disabled"
Thank you !!!
Tanoj
Hi Tanoj,
It is possible to edit the script to get disabled accounts as well . I will find time to make changes to script and upload it.
Thanks,
Eswar
Hi Eswar,
Sorry to bother you, did you get time to check this request ?
Kind Regards,
Tanoj
Hi Eswar,
did you find time to teak the script ?
Kind regards
Tanoj
Hi Tanoj,
Not yet.I will check in this week.
Thanks,
Eswar
Is there a way to inject the current OS of the PC in this script? Thanks.
Hi Matt,
Why do you want to inject the PC name into the script? you will get the OS information from SCCM database with resourceID/hostname from v_r_system_Valid or v_gs_operating_system.
Thanks,
Eswar
Thank you
Oh and I don't need to inject the PC name, just the OS. We are currently pushing Windows 10 to our organization and trying to remove local admins in the process. Since we have already started the process I need to go back and check the PC's already done. Hence the need to inject the OS into the report so I can separate.
Hi Eswar, We have all the procedure created, but now the client asks us to have the powershell script instead of vbs, do you have any examples to be able to use the baseline using a powershell script?
Thank you!!
Regards
hi Jose,
I dont have any powershell script that does the similar function however you can create one from the vb script as sample.
Thanks,
Eswar
I ran the configuration baseline after adding the mof file and adding the localadmin hardware inventory class but i am not finding the v_gs_localgroupmembers0 table in the DB.
Hi,
Is the configuration baseline ran on the device? did you check the SCCMLocalGroupMembers.log in C:\windows\temp folder?
Thanks,
Eswar
I'm having the same issue, and yet, I see the SCCMLocalGroupMembers.log file, and it said it was successful. Is it just a timing issue?
I think "SCCM-Group-members.zip\Local Admin Group only\script.txt" has a bug.
If the Local Administrators group contains a user with a SID instead of a proper "Domain\Username" it will incorrectly identify the username\domain of that SID user.
E.g. "S-1-5-21-3623811015-3361044348-30300820-1013"
Will be identified as:
Domain0: S-1-5-21-3623811015-3361044348-30300820-1013
Name0: incorrect name from earlier in the loop
I'd expect probably:
Domain0:S-1-5-21-3623811015-3361044348-30300820-1013
Name0:S-1-5-21-3623811015-3361044348-30300820-1013
I only glanced at the "all groups" script but it looked written differently enough that it probably doesn't have this same issue.
i suspect the script is not able to read or understand the GUID S-1-5-21-3623811015-3361044348-30300820-1013 values and it is always difficult to translate the values from GUID to user names. If you see GUID values ,PC has issues reaching out to domain controller/lost the trust.
Thanks,
Eswar
Hi I have the same problem as Kim.
All is OK but nothing in DB.
dataldr.log is no error.
In WMI i see data.
HW inventory invetoried
Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, Account, Domain, Name, Category, Type FROM cm_LocalGroupMembers; Timeout = 600 secs.
but still nothing in DB.
hi eswar, I, need SCCM 1902, SQL Views for Local Group Members & SQL Query also
It works for 1902 as well. The CB baselines are for all versions. Have you tried importing baseline into 1902? Did it work?
Thanks,
Eswar
Hi Eswar, Indeed the steps are mentioned very clearly. But, I am not able to get the output as it shows Blank on 1902. Any suggestions
Do you have log created and wmi instance name? These 2 will help you what is going on. Also can you run the script manually on the client that would create wmi instance. This is as part of troubleshooting
Thanks for the post Eswar.
I'm able to get members of local administrators group. But getting below error
"GetPropertyListForClassName - Failed to get class 'C00000000_0000_0000_0000_000000000011' from WMI namespace. Error 0x80041002"
Getting this error on client machines in "Inventoryprovider.log" log file.
Hi,
what version of CM version are you running into ? can you check if there any wmi class created with the script and result piped into it ?
thanks,
Eswar
Hi There,
Thanks so much for the article and it do help a lot.
However, I got a problem on the report as the number of PC in report listed (around 100 and use the queries provided) is not same as the compliant (check in the deployment status view and around 397 assets).
Can you get me hints to solve this?
Thanks in advance
Hi,
thanks for the comment. If the device has multiple users in admin group then you get multiple rows for the same computer . Script pipes all the admin users to WMI and send that info to sccm for that computer.
If you want all the users in same row ,you can use something forxml code in SQL so you get right number there.
thanks,
Eswar
Perhaps I am going about it the wrong way, but I cannot get the queries to work; I keep getting a syntax error. From the SCCM console I am going into Monitoring > Queries > Create Query > Edit Query Statement and have tried each of the three queries you have in this article. Is there another method I should be using?
Hi,
try using report builder and it easy method to edit reports or you can use visual studio .
Thanks,
Eswar
Sorry I also get in trouble on the reporting. I found the clients did not listed in the reports but there is SCCMLocalGroupMembers.log created. Any way that can push the clients report to SCCM in faster way
Hi,
Did you check WMI if there is any instance created for local admin ?That is the only way to start troubleshooting.
Thanks,
Eswar
Yes I found the clients created CM_LocalGroupMembers and have the log file on temp folder which show the result successfully. but some how the clients not report to the SCCM server for the result and the clients hace policy or heartbeat return in recent.
I Am having the same issue. Did you ever resolve this? If so how did you
Please assist, I'm running this and I can see the entry in the config man on the targeted computer but I do not see the log file being created
Did the script ran successfully? Are the wmi instance created?
Thanks a lot Easwar. Also do we get your support to collect all shares on servers with share & NTFS permissions.
Hi,
Please look at this to get shares on computer https://social.technet.microsoft.com/Forums/exchange/en-US/38bc16d7-2437-46fb-8c1b-e51f4697c490/sccm-report-for-finding-machines-with-local-shares?forum=configmgrgeneral
Thanks,
Eswar
Is it possible that 2 users groups with the exact same name, within 2 different ADs, members of the same local group, only 1 will be inventory? Seems to be the case here.
Ex:
Domain users from AD1
Domain users from AD2
members of the USERS local group.
Thank you
hi,
It can be possible but you get domain name in the V_R_system table that makes it different .
thanks,
Eswar
Is it possible that 2 users group with the exact same name, within 2 different ADs, members of the same local group, only 1 will be inventory? Seems to be the case here.
Ex:
Domain users from AD1
and
Domain users from AD2
are members of the local group : Users
Thank you
Hi I have added both mof files and tried both baselines. but the database only creates the tables and not the views. I have read that this may be a problem since CB1802. I can query the tables with a direct query to the database and the data is being collected. I joined the machineID from the table with the existing views resourceID and able to see the data but the view never gets created. I looked at the table dependencies and there at no dependent views for the localgroupMembers table. is there a way to confirm that this is an inherent issue with the latest CB versions? I did however notice that the only custom views that I have also have configuration.mof entries. I would lilke to know if it's something I'm doing or a change in the way custom views are created. I have posted my issue here also with some of the troubleshooting steps. Garth replied but I have tried importing multiple times and few variations. I am not new to extending inventory.
https://social.technet.microsoft.com/Forums/en-US/7f1962ed-9f7b-404b-83d0-88880d3b2141/collecting-local-admin-members-through-hardware-inventory-mof?forum=configmanagergeneral&prof=required
Hi,
I tried in CMCB 1802 and it works .Have you tried checking client wmi if there is any info loaded there also check the inventoryagent.log for further troubleshooting. They will help you to figure out where the issue.
thanks,
Eswar
Hi Eswar,
It seems the vbscript posted for Sherry it is not updated to grab the "Disabled" information, am I pointed to wrong directions?
Thanks
Cesar
I doubt if the script posted by sherry would also bring disabled accounts. I havent looked at the script for disabled accounts.
If you want the disabled accounts information as well then script must be edit to pipe the information to wmi and let inventory collect this information and send to site server for database reporting.
Thanks,
Eswar
Hi Eswar! Great work on this! We've been running it in our environment for quite a while now! Now of course we are being asked to expand the report a bit and I was curious if this could\should be done through the addition of items in the MOF or through other means... We are asked to also provide the Description of the Local Account, whether it is Locked Out (True\False), the Last Login, when the last time the password was changed for the account and if the Password is Expired. Thank you for your thoughts!
if you want to get information for local accounts with its status etc, you can expand the vbscript to write information to wmi and expand the mof file to query this to database.
I have not looked at it though but you can give a try.
if you need domain accounts then you can discover it via AD system discovery custom attributes.
Thanks,
Eswar
Hey Eswar,
thanks for the script and all the steps.
I try to deploy the script and no luck so far, also if I run the vbs itself on the target computer I can't find any class populated named as in the script, what should I check first?
Anyway, I deployed the baseline and it worked like a charm, still curious why it doesn't work as a pure vbs script though.
Also for international Windows users: if you want to make a proper select with the WHERE clause you should add N before the international name of your Administrators group, in my case it is
[...]
WHERE v_gs_localgroupmembers0.Name0 = N'Администраторы'
it worked for me but it looks like the it is only for English but not for other languages.
Regards,
Eswar
Did you check the logs on the computer ? did the log file generated ? you should run the script using local admin rights.
Regards,
Eswar
Hi,
I followed process you mentioned. Applied baseline to a collection of 21 servers. In SCCMLocalGroupMembers.log files for all of those 21 servers I checked, I can see something similar to below
5/13/2018 6:20:00 PM - Script Started
5/13/2018 6:20:00 PM - Not a Domain Controller, Continuing
5/13/2018 6:20:00 PM - Cleaned cm_localgroupmembers, if it existed.
5/13/2018 6:20:00 PM - Found 24 Local Groups
5/13/2018 6:20:00 PM - Found a total of 19 Names within those 24 groups
5/13/2018 6:20:00 PM - Starting to populate cm_localgroupmembers
5/13/2018 6:20:00 PM - Completed populating cm_localgroupmembers
5/13/2018 6:20:00 PM - Script Finished
But all SQL queries are returning local groups and their members for only 1 server. I checked SQL views manually and they have data for only this one server. Its been more than a week since I configured it. Client inventory settings are set to run per day. Any idea?
Is the inventory extended in client settings correctly ? can you login to one of the client PC and see if there is any WMI namespace created and see cm_localgroupmembers ?
If the namespace exists in WMI,what does the inventoryagent.log tell you ? anything about this inventory information ?
Regards,
Eswar
Whenever i try to import the mof file into the client settings hardware inventory classes it errors:
The following classes for which you are trying to import settings do not exist. Import the required class definitions and then try to import the settings again. LocalGroupMembers (cm_LocalGroupMembers)
Do you have CAS ? Where are you importing the client settings ? Can you send screenshot if possible to see more.
Regards,
Eswar
Awesome report, thanks!
Is there a way to expand the groups? I mean, if i report a list of groups that are members of the local Administrators group, can I report the expanded users list? ex: instead of AD\GroupA, report shows UserA, UserB (which are the members of AD\GroupA). Thanks!
You can reply on SQL view that are discovered by AD system/security groups .
Regards,
Eswar
Check your link, the cab file is missing fromt the zip
Thanks for pointing it out. I have uploaded the cab file.
Regards,
Eswar
Hi Eswar,
I've deployed this with success in my environment, but at the time I did it, the option "disabled" was not active in the hardware inventory classes because we didn't need it. Now, my manager asked me for that info. I'v turned it on, waited for the next cycle, I can see the CI running in clients, but I still get the "NULL" on the db tablev_gs_localgroupmembers0.
What should I do? Deploy the baseline again?
Thank you so much for the info here, pure gold Sir.
Cheers!
If you have made any changes to the client agent settings ,it takes time for client to pick and load into wmi.
For compliance baseline ,you can try to trigger baseline on the client manually ,check if it is compliant ,if so ,try to run the inventory action ,monitor the results in inventoryagent.log and then on SCCM database.
if you have deployed the baseline onetime ,you will not get updated results . what this baseline does it ,when you run ,it pipe the information into wmi and inventory agent will pick this information and send it to site server.
Regards,
Eswar
Hi Eswar,
The link to the CAB files at http://eskonr.com/wp-content/uploads/2017/03/Local-Admin-BaselineMOF-file.zip is not working. Please check.
Jacques
Where did you get the link ? Try with this http://eskonr.com/wp-content/uploads/2017/03/SCCMLocalGroupMembers.zip
Regards,
Eswar
Hi Eswar, I am trying to download the configuration baseline cab from the link you provided here. http://eskonr.com/wp-content/uploads/2017/03/Local-Admin-BaselineMOF-file.zip. I get page error 404. Has the location been moved?
try with this link http://eskonr.com/wp-content/uploads/2017/03/SCCMLocalGroupMembers.zip .
Updated the post also with this link.
Regards,
Eswar
Thanks Eswar. Much appreciated!
try with this link http://eskonr.com/wp-content/uploads/2017/03/SCCMLocalGroupMembers.zip
Updated the post also with this link.
Regards,
Eswar
Thank you for the great work you do regarding SCCM... I do have a question as I am a bit lost..
After the baseline configuration shows as compliant, how do I retrieve that information whether by sql query or report in SCCM or other wise? I don't quite get your next step that says "Logging information by Script".. many thanks!!
Hi Erik,
SQL query is given in this blog post. http://eskonr.com/2017/03/sccm-configmgr-report-for-local-admins-and-local-group-members/ you can use this to customize your requirements.
Logging information by script means ,when the script run on the client, it will log the information into SCCMLocalGroupMembers.log in C:\windows\temp folder which is stated in the blog post as
"output of the script into SCCMLocalGroupMembers.log in C:\windows\temp folder:"
Regards,
Eswar
Where can I download localadmins.vbs?
Hi,
You can download the files from http://eskonr.com/wp-content/uploads/2017/03/SCCMLocalGroupMembers.zip or simply download the baseline and import into SCCM but dont forget to update mof files.
Regards,
Eswar
Hello Eswar,
thanks for your effort in this blog, very appreciated.
However, I was unable to locate the scripts for option
1) Get members of local administrators group ONLY (WIN32_localadmins)
Everything I found was related to option 2) Get members of all groups
Could you please have a look and re-add the scripts/files which are needed for option 1 ?
Many thanks
Christian
it looks like i did not added the script as solution 2 is most widely used and it provide lot of information . I am providing the script below for win32_localadmins. save it as .vbs .
On Error Resume Next
Dim wbemCimtypeString
wbemCimtypeString = 8
Set oLocation = CreateObject("WbemScripting.SWbemLocator")
Set oServices = oLocation.ConnectServer(,"root\cimv2")
set oNewObject = oServices.Get("WIN32_localadmins")
oNewObject.Delete_
' Create data class structure
Set oDataObject = oServices.Get
oDataObject.Path_.Class = "WIN32_localadmins"
oDataObject.Properties_.add "Account" , wbemCimtypeString
oDataObject.Properties_("Account").Qualifiers_.add "key" , True
oDataObject.Properties_.add "Domain" , wbemCimtypeString
oDataObject.Properties_.add "Type" , wbemCimtypeString
oDataObject.Properties_.add "Name" , wbemCimtypeString
oDataObject.Properties_("Name").Qualifiers_.add "key" , True
oDataObject.Put_
Dim objGroup, strComputer ,strUserPath ,arrUserBits ,wshNetwork ,Domain,Name , Type1
Set wshNetwork = WScript.CreateObject( "WScript.Network" )
strComputer = wshNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Dim objMember
For Each objMember In objGroup.Members
strUserPath = Mid(objMember.aDSPath, 9)
arrUserBits = Split(strUserPath, "/")
If UBound(arrUserBits) = 2 Then
strUserPath = arrUserBits(1) & "/" & arrUserBits(2)
Else
strUserPath = arrUserBits(0) & "/" & arrUserBits(1)
End If
arrUserBits = Split(strUserPath, "/")
Domain = arrUserBits(0)
Name= arrUserBits(1)
If Domain = strComputer Then
Type1 = "Local"
Else
Type1 = "Domain"
End If
Set oNewObject = oServices.Get("WIN32_localadmins" ).SpawnInstance_
oNewObject.Type = Type1
oNewObject.Domain = Domain
oNewObject.Account = objMember.Class
oNewObject.Name = Name
oNewObject.Put_
Next
I am having a bit of trouble with this DCM script - I have imported and configured everything fine, and it actually works great within DCM. However some of the results are inconsistent - for example on a bunch of devices, the report is showing 5 members of the local admins, but the device actually has 19 members if you actually look inside the local Administrator group. Secondly if I view same devices in Resource Explorer I only see 5 members under the LocalMembers hardware inventory item. Third, the SCCMLocalGroupMembers.log does in fact tell me it found 19 members and populated the WMI namespace but still no luck.
Any things I can check to see why this is happening? Is it a possible WMI corruption or issue with WMI namespace being written to? Thank you!
Eswar - Ok will use the new MOF file (SCCMLocalGroupMembers.MOF) into ciient settings and see, if sql script will work.
Ram
Eswar,
Hoping this can find it's way to people that are running into troubles with this, or needing help with tweaks. I've just got through this myself.
One thing that I decided to do differently in my environment to get some real reporting back on my baseline was to change my CI a bit. I changed my discovery script to this because I wanted it to tell me if the WMI object exists on the machine running the CI:
Powershell Script:
$ClassInfo = Get-WMIObject CM_LocalGroupMembers -ErrorAction SilentlyContinue -ErrorVariable wmiclasserror
if ($wmiclasserror) { $ClassFound = 0 } else { $ClassFound = 1 }
$ClassFound
(sorry, would give a shout out if I remembered where I found this script - I just modified it for the WMI Object I was looking for)
Then, added the VBScript from Sherry as my remediation. One final thing to note - I did find that in order for the VBScript to run properly on Windows 10, I had to change the TempFolder (line 10 in the VBS script) to manually point to C:\Windows\Temp\, otherwise the logfile didn't want to show up for me, and the WMI objects never got created, even though the script should have been running.
Thanks!
Hi Chad,
thanks for your suggestion but what is the reason for using discovery script to check if cm_localgroupmembers exist or not ? No matter if wmi class exist or not ,if it doesn't exist ,script will create ,if exist, script will update the existing .Please note that ,script must run on schedule basis otherwise you wont get the changes that made on the client after the script run .You must pipe every time the local admin groups into wmi before you see updated info in SCCM.
Regards,
Eswar
Eswar,
The main reason is that I don't like running something if I don't need to. I'd rather not be running the script unless it needs to be run, and I don't need to run it if the WMI object exists. Also, this way I get a little reporting back and am able to easily see if the script is working properly or not right from the baseline without having to go look through the logfile that is created.
Thanks,
Chad
several ways to accomplish things depends on the needs.
Regards,
Eswar
Thanks!
But if you use Windows on another language?
what do you mean another language ?
Regards,
Eswar
I have several Operating system images languages. For examle: Russian, Italian, English and Germany
For example Russian OS, http://c2n.me/3IiMYpu
(sorry for my English)
i believe it should work. there is nothing specific to OS in the vbscript .It just simply collect the groups and users ,pipe into wmi and later hardware inventory agent collect the information, send it to SCCM.
Give a try on different OS and let me know the results.
Regards,
Eswar
Hi - I was testing this at home lab. All the configuration went well. When, I run SQL query it is successful but no details of users who are part of Local Admins group. The result from SQL query is blank. Not sure where, I am going wrong.
I have updated the MOF file . Please redownload the attachment ,import the MOF file into client settings ,it should work for you this time.
Regards,
Eswar
Hey, I've added the .MOF file to default client settings, added the .CAB file. Baseline is checking every hour.
Log file in windows\temp is OK.
checked via powershell in the WMI class cm_localgroupmembers and data is there.
did numerous of hardware inventories on my client.
But i don't get any data when i Query "v_gs_localgroupmembers0" ; it stays empty.
Am i missing something critical ?
did you check dataldr.log if the mof changes you made are successfully compiled ? if that has any errors or not.
Regards,
Eswar
I know this is an old post, however I am in the same predicament as Kim. I've check dataldr.log and no errors. I run my query and it's empty.
Hi,
Did you check the client logs if there are any entries in WMI for local group membership created?
Thanks,
Eswar