All Members of All Local Groups inventory for ConfigMgr 2012

Report on all users in all local groups using Configuration Manager 2012

This is an update to http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx , which was written with ConfigMgr 2007 in mind.

Basically, take the attached file –> WMI Framework for Local Groups with Logging <– and, in your ConfigMgr 12 console, under Assets and Compliance, Compliance Settings, right-click on “Configuration Baseline”, choose Import Configuration Data… and select the .cab file.

Once imported, Deploy the Baseline to an appropriate collection.  I recommend potentially two different deployments:  one to all Workstations, and one to all Member Servers.  I.e., don’t even try to target your domain controllers.  The script is meant to skip a DC if it’s attempted, but it’s probably best not to tempt fate.

If this is the first time you’ve tried to get localgroupmembers, you’ll need a custom hardware inventory import to get the information back.  If you already have cm_localgroupmembers in your hardware inventory rules, skip this.

Save the below as “localgroupmembers.mof”

#pragma deleteclass ("LocalGroupMembers",NOFAIL)
[ SMS_Report     (TRUE),
  SMS_Group_Name ("LocalGroupMembers"),
  SMS_Class_ID   ("LocalGroupMembers") ]
class cm_LocalGroupMembers : SMS_Class_Template
{
    [SMS_Report (TRUE), key ] string Account;
    [SMS_Report (TRUE)      ] string Category;
    [SMS_Report (TRUE)      ] string Domain;
    [SMS_Report (TRUE), key ] string Name;
    [SMS_Report (TRUE)      ] string Type;
};

Then, in your console, Administration, Client Settings, right-click ‘Default Client Settings’, and go to properties.  Select Hardware Inventory, then on the right “Set Classes…”, then “Import…”  and browse to the ‘localgroupmembers.mof’ file you saved.

A couple of OKs later… then it’s just sit and wait.  Remember, patience is a virtue.  Go get some lunch or a coffee break or something.  <grin>

If you want to confirm that the DCM is actually running, there’s two ways.

  1. On a client, in root\cimv2, check whether cm_localgroupmembers was actually created and populated.
  2. The script inside the .cab file is slightly different from the one on the 2010 blog entry.  It includes a log file which will drop into the SYSTEM’s temp folder, which is almost always %windir%\temp.  If it ran (or attempted to run) you should get a log file called “SCCMLocalGroupMembers.log”.  If having it drop a log file is bothersome for some reason (it may be–it depends upon your own company’s practices), open the ConfigItem, copy out the script, and edit it so that it no longer drops a log file.  Test and put it back.  Remember, CIs are versioned now; so if you mess up you can always go back to an older version.
  3. “In general” the view will end up being v_gs_localgroupmembers0 ; so a select * from v_gs_localgroupmembers0 against your ConfigMgr Database should let you know if it’s being populated.  But there are of course exceptions to every rule.  You may have to browse through your views in your database to find the view if it’s not that specific one.
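
The first two checks can be scripted on a client. The following is an added example, not the script from the .cab file; it assumes that Name holds the local group name and Account the member (the page does not say which property is which), and that it is run elevated on the client being checked.

```powershell
# Added example: client-side check that the baseline ran and populated WMI.
# Assumption (not stated on the page): Name = local group, Account = member.
function Test-LocalGroupInventory {
    [CmdletBinding()]
    param(
        [string]$ClassName = 'cm_LocalGroupMembers',
        [string]$LogPath   = (Join-Path $env:windir 'Temp\SCCMLocalGroupMembers.log'),
        [string]$GroupName = 'Administrators'   # change on localized Windows builds
    )

    # Check 2 from the list: the script's log file in SYSTEM's temp folder.
    $log = Get-Item -LiteralPath $LogPath -ErrorAction SilentlyContinue

    # Check 1 from the list: does the class exist in root\cimv2, and does it have rows?
    $class = Get-CimClass -Namespace 'root\cimv2' -ClassName $ClassName -ErrorAction SilentlyContinue
    $rows  = @()
    if ($class) {
        $rows = @(Get-CimInstance -Namespace 'root\cimv2' -ClassName $ClassName)
    }

    # One object summarising both checks, plus the members of the group of interest.
    [pscustomobject]@{
        LogFound      = [bool]$log
        LogLastWrite  = if ($log) { $log.LastWriteTime } else { $null }
        ClassExists   = [bool]$class
        InstanceCount = $rows.Count
        GroupMembers  = @($rows | Where-Object { $_.Name -eq $GroupName } |
                          Sort-Object Domain, Account |
                          ForEach-Object { '{0}\{1}' -f $_.Domain, $_.Account })
    }
}

$result = Test-LocalGroupInventory
$result | Format-List

if (-not $result.ClassExists) {
    Write-Warning 'Class not found: the baseline has not run (or failed) on this client.'
} elseif ($result.InstanceCount -eq 0) {
    Write-Warning 'Class exists but is empty: check SCCMLocalGroupMembers.log for errors.'
}
```

A stale LogLastWrite alongside a populated class means the data in WMI is from an older run, so what hardware inventory reports for the local Administrators group may not reflect current membership.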

Shameless plugs so that this blog post filters up to the top on web searches:

How to get the users in the local Administrators group
Local Administrators group on workstations getting the accounts inside
How do I get the accounts inside the local Administrators group

There? did I miss some key words? 

  • Amit Raja

    Hi Sherry,

    When I followed the steps above for SCCM 2012 SP1 and imported the .mof file, I got the error saying

    “The following classes for which you are trying to import settings do not exist. Import the required class definitions and then try to import the settings again.”

    LocalGroupMembers (cm_LocalGroupMembers)

  • Amit Raja

    Hi Sherry,

    Ignore my previous query, my mistake was I tried it on the primary site server instead of the CAS server. Now the error is resolved and the .mof file is imported successfully to the CAS.
    Waiting for replication to other servers before testing the reports.

  • Satyen

    Hi Sherry,

    Thanks a lot for this solution. It works perfectly fine.
    In my company we have SCCM 2012. The report works perfectly fine.
    But kindly help me in editing the output (Report) to display only the members of the administrators group instead of displaying all the groups and their members.

  • Satyen

    We are also looking to add the option to select a collection in this report. I tried this solution “http://it.peikkoluola.net/2013/06/02/report-with-a-selectable-collection-parameter-sql/#more-748” but could not create the dataset as the instructions are not very clear, and I do not have any prior experience in creating a new data set.

    “You need to create additional Data Source, and set this query to produce results in that Data Source. The Support Parameter created previously will be used in this query.”

    Hope you can help me with this as well.