Report on all users in all local groups using Configuration Manager 2012
This is an update to http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx , which was written with ConfigMgr 2007 in mind.
Basically, take the attached file–> WMI Framework for Local Groups with Logging <–, and in your ConfigMgr 12 console, on Assets and Compliance, Compliance Settings, right-click on “Configuration Baseline” and Import Configuration Data… the .cab file.
Once imported, Deploy the Baseline to an appropriate collection. I recommend potentially two different deployments: one to all Workstations, and one to all Member Servers. I.e., don’t even try to target your domain controllers. The script is meant to skip a DC if it’s attempted, but it’s probably best not to tempt fate.
If this is the first time you’ve tried to get localgroupmembers, to get the information back, you’ll need a custom hardware inventory import. If you’ve already cm_localgroupmembers in your hardware inventory rules, skip this.
Save the below as “localgroupmembers.mof”
#pragma deleteclass (“LocalGroupMembers”,NOFAIL)
[ SMS_Report (TRUE),
SMS_Class_ID (“LocalGroupMembers”) ]
class cm_LocalGroupMembers : SMS_Class_Template
[SMS_Report (TRUE), key ] string Account;
[SMS_Report (TRUE) ] string Category;
[SMS_Report (TRUE) ] string Domain;
[SMS_Report (TRUE), key ] string Name;
[SMS_Report (TRUE) ] string Type;
Then, in your console, Administration, Client Settings, right-click ‘Default Client Settings’, and go to properties. Select Hardware Inventory, then on the right “Set Classes…”, then “Import…” and browse to the ‘localgroupmembers.mof’ file you saved.
A couple of OKs, later… then it’s just sit and wait. Remember, patience is a virtue. Go get some lunch or a coffee break or something. <grin>
If you want to confirm that the DCM is actually running, there’s two ways.
- on a client, in root\cimv2, check if cm_localgroupmembers actually created and populated?
- The script inside the .cab file is different slightly from the one on the 2010 blog entry. It includes a log file which will drop into the SYSTEM’s temp folder, which is almost always %windir%\temp. If it ran (or attempted to run) you should get a log file called “SCCMLocalGroupMembers.log”. If having it drop a log file is bothersome for some reason (it may be–it depends upon you own company’s practices) open the ConfigItem, copy out the script, and edit it so that it no longer drops a log file. test and put it back. Remember, CI’s are versions now; so if you mess up you can always go back to an older version.
- “In general” the view will end up being v_gs_localgroupmembers0 ; so a select * from v_gs_localgroupmembers0 against your ConfigMgr Database should let you know if it’s being populated. But there are of course exceptions to every rule. you may have to browse through your views in your database to find the view if it’s not that specific one.
Shameless plugs so that this blog post filters up to the top on web searches:
How to get the users in the local Administrators group
Local Administrators group on workstations getting the accounts inside
How do I get the accounts inside the local Administrators group
There? did I miss some key words?