SCCM 2012 - Query Local Admin Users

Similar Messages

• GPO - 2012 - Enforce Local Admin Right

  Hello,
  Just wondered if there was a way to deploy a GPO to enforce local admin rights for individual endpoints.
  We need a way to control who has local admin rights to what, but in this case we need to say grant local admin rights to Users A, B and C on workstations D, E and F only. 
  Other than creating a GPO 'per workstation' I don't see a way.  DFL / FFL will be 2012.
  Anyone got any ideas?
  Thanks
  Stuart

  Hello
  Thank you for the reply.  This issue is a little hard to grasp and to explain clearly.  I understand what you have said, I am fairly proficient with Group Policy.
  I want to be able to give one single user, access to one single PC and control it centrally.  I think that is a better way of explaining it.  So if I have 100 PCs and 100 users, and say 20 of those users needs to have admin rights on their own
  PC only and not on other PCs. 
  That is what I am trying to accomplish.  If I great a security group called 'Desktop Admins' then link a GPO to an OU where the 100 PCs are, then security filter by the security group, then everytime I add in a user, they will get local admin rights
  to all 100 PCs.  However I only wanted to grant them local admin rights on one PC.  That being their PC.
  I want to manage this centrally rather than remotely assigning local ACLs.  I also like GPO because if a local admin user decides he/she wants to give their mate local admin rights on their PC, GPO will overwrite it.
  Hope that makes sense
  Much Appreciated

• IN NEED OF A SCCM 2012 QUERY THAT SHOWS LAST TIME SOFTWARE WAS USED OR OPENED

  Hello
  I am in need of an SCCM 2012 query that shows PCs that have Visio , Adobe Professional and Visual Studio and the last time each was used or opened. I have the query below which give me the PC name and the product. Any assistance will be very helpful
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  like "%adobe acrobat%pro%"
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  like "%visio%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%viewer%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%service pack%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%security
  update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%hydra%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%MUI%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  not like "%amd%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%microsoft visio%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%vision%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%add-in%"
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  = "Microsoft Visual studio 2012 devenv" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%hotfix%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%security%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  not like "%update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%service%"

  Did you create a software metering rule for each software title? if not then you need you do that first and it will take over a week before you see results.
  Also keep in mind that your query will only find x86 software titles.
  http://www.enhansoft.com/

• SCCM 2012 QUERY THAT SHOWS SOFTWARE INSTALLED AND LAST TIME IT WAS USED OR OPENED

  Hello
  I am in need of an SCCM 2012 query that shows PCs that have Visio , Adobe Professional and Visual Studio and the last time each was used or opened. I have the query below which give me the PC name and the product. Any assistance will be very helpful
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  like "%adobe acrobat%pro%"
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  like "%visio%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%viewer%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%service pack%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%security
  update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%hydra%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%MUI%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  not like "%amd%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%microsoft visio%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%vision%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%add-in%"
  select distinct SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  = "Microsoft Visual studio 2012 devenv" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%hotfix%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%security%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
  not like "%update%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%service%

  See me reply to your other post with the exact same details, in the CM07 forum.
  http://www.enhansoft.com/

• Photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin acc

  photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin access?

  Danny,
  Topic or subject titles should be clear, pertinent and concise so that individual users can tell at a glance if they can help or not.
  That field is not for attempting to fit your entire question in there.
  Please keep this in mind next time you post.  Thank you.

• Clients local admin user is managed - how can it be unmanaged

  Hi. I have a local user on all my client machines called admin with admin rights. Have had this same user with same password for many years for over 300 client machines from emacs to intel macs. With the 10.6.3-5 server update (major issues for the last6 months) with 10.6.2-5 intel imac clients, logging in as admin gives me a reduced dock. just finder and trash. Every use of any applications comes up with "you dont have permission to use the application "xyz". with 3 buttons Always Allow, Allow once and OK. entering admin and password always results in a second box with the same message. entering admin and password then allows me to use it. This behaviour does not happen on 10.5.8 clients and has never happened before.
  In system preferences it says administrator, admin is managed. clicking the lock and authenticating allows me to access the tick for Enable parental controls. If I click on the tick to remove it, it comes up with the message. "You cannot enable parental controls for an adminstrator account. Create a new user account etc." It is unticked but the tick comes back on restarting the system preferences and even restarting the computer immediately.
  I have tried deleting managed prefs etc but to no avail. I have tried removing the computer from the network account server and I get my dock back and can use applications but it still says I am a managed user. and I need the network account server for student logins. Any thoughts how to unmanaged local admin users on client machines to get back to the way it has been since 10.2.4 clients!!!

  Did you try creating a new admin user, and then using that new account to make the Change to unmanage your "admin" account?
  I don't think osx will let you create anaccount called admin these days, as security precaution. Perhaps that has something to do with your problem.

• Can local admin users override mcx?

  Can a local admin user override managed computer settings?  ie, the "automatically hide dock" is set to hide in mcx, but a local admin wants to "always show". 
  Is this possible?
  In another post, I found an interesting statement that might apply, but don't know where to do this:
  (https://discussions.apple.com/message/5781831?searchText=Is%20there%20a%20way%20 for%20local%20users%20to%20override%20mcx%20settings#5781831)
  "There's a Workgroup Manager Computer settings that allows admin users to turn off managed preferences. Be sure this is disabled."

  Hi Don,
  Thanks for your suggestions.
  I find these two helpful links [1211821 - How to determine what folders the TEMP and TEMP variables are set to |http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_erq/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233313331333833323331%7D.do] and [1215142 - Exporting to disk file defaults to the Temp folder |http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_erq/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233313335333133343332%7D.do]. I also check the folder permissions and find that non-admin has full control to it.
  And during create report, two files ~DFC500.tmp and ~DFC493.tmp are successfully created into TEMP folder, but the mentioned error still comes up.

• How to inner join attribuet from user with system resource on sccm 2012 query

  Hi , I am using SCCM 2012. Trying to create a WQL query to get list of computers with department name and netbios names,etc. these are in USER  and SYSTEM RESOURCE  object type seperately. The query wizard doesn't allow me to choose sytem
  resource and USER attribute at same time. In JOIN, the inner join also doesn't have SYSTEM RESOURCE attribute class for me to join it with USER attribute class. Any way to resolve this issue so that I can get a query as mentioned?
  I tried the wql below and pasted to my test query, it gave an error. I guess it's because that wql is on sccm2007.
  Please advise,thanks!
  http://social.technet.microsoft.com/Forums/en-US/8c47f069-5390-45bd-a619-5f5498947baa/sccm-query-which-joins-system-resource-and-user-resource?forum=configmgrgeneral
  http://social.technet.microsoft.com/Forums/en-US/8c47f069-5390-45bd-a619-5f5498947baa/sccm-query-which-joins-system-resource-and-user-resource?forum=configmgrgeneral
  Thanks and best regards, -- KF

  Hi,
  Try the suggestion by Garth Jones or post a new thread at
  http://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG
  I am not familiar with WQL, maybe you could get better help at the forum above.
  Juke Chou
  TechNet Community Support

• SCCM 2012 - Query

  Hi,
  I have primary SCCM 2012 SP1, SCCM database server and standalone reporting SQL server separately.
  1. I am trying to enable reporting service role in which it is detecting the primary database automatically. When i enter standalone reporting SQL server with instance name and i dont know what to enter in database name. I am getting an error while verifying.
  Is it possible to configure the reporting services role if the reporting SQL server is different from primary SCCM database
  2. I have a proxy server as per my understanding, i need to open WSUS user port 80 or 443 to connect to microsoft website to download the patches and client to WSUS is 8531 or 8532. Is this correct. Please correct me
  3. In SCCM 2012 SP1 requires computer account and installation account needs to be added as a local admin on the primary database and reporting SQL server database.
  4. I have MCAFEE antivirus enabled on all the servers. So for SCCM SQL replication is it fine to allow inbound rules for 1433 and 4022 on SQL service broker or i need to create exception for 1433 and 4022 on MCAFEE antivirus 
  Regards, Pratap

  1. I got some information, i think SQL reporting person hasnt created a data source to point to site database. Because of which when i run the reporting services role it is not detecting the reporting server instance. Do we have doc on how to create a data
  source. Hope this should be correct solution
  2. So what happens in case if i use default website for WSUS. Which port i should open in proxy
  3. But still component
  /hierarchy component shows a critical error stating account doesnt have proper privelege on site system (database)
  Regards, Pratap

• Need to Query Local Admin Group

  I wrote (copied) some PowerShell code that will add a Domain User to the Local Admin Group using ADSI.  
  $GuestPC = "WinNT://DOMAIN/UserName,user"
  $AdminGroup = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
  $AdminGroup.add($GuestPC)
  I want to add an If - Else statement to check if the Domain User is already in the Administrators group.  
  I found this code:
  $members = @($AdminGroup.psbase.Invoke("Members"))
  $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
  This code actually lists the members of the Administrators Group.  Maybe its early or I did not get enough sleep, but I cannot figure out how to just query the Administators group for $GuestPC and if it is there don't do anything, but if it is not there
  add it using the above code.  
  Something easy for someone out there I hope?
  Matt
  Matt Dillon

  Finally found the answer on Google.  Just need to add -cnotcontains "GuestPC" in side a If-Then
  Matt Dillon

• How to reset local admin user password in

  Dear members,
  i want to reset local admin account(not administrator built-in), let say i have user adminlocal and member in administrator group. my question, how to reset this user via GPO in domain, because i have more than 5000 workstation in my environment. and how to
  generate summary of all workstation which are password reset.
  i've tried from this link,
  http://community.spiceworks.com/how_to/show/1966-how-to-change-local-user-or-admin-passwords-on-remote-computers
  using PSTools sysinternal from microsoft, but while i execute one PC on domain for sample using this script, they showing access denied
  anyone in this forum can help me to resolve this problem?.

  Dear,
  you can use Powershell to do this.
  I've found a script in the script center which can do this.
  http://gallery.technet.microsoft.com/scriptcenter/66a5b38f-cdf1-4126-aa0c-be65e16dd650/view/Discussions#content
  Set-Password -computer 'server' -user 'Administratorlocal' 
  You can create a loop in powershell to check all your servers which you've posted in a .txt file for example.
  $strcomputers = Get-Content c:\servers.txt
  foreach ($strcomputer in $strcomputers)
  $admin=[adsi]("WinNT://" + $strComputer + "/administratorlocal, user")
  $admin.psbase.invoke("SetPassword", "Whatever1")

• Sccm 2012 query self encrypting drives

  I have SCCM 2012 SP1,   does anyone know of a way to query a collection, for self encrypting drives?   All I really need  to know is; of my "laptop" collection,  which ones have Self Encrypting Drives.

  For BitLocker you can use the following:
  http://mssnet.wordpress.com/2012/07/25/bitlocker-reporting-in-configuration-manager-2012-8/
  Cheers
  Paul | sccmentor.wordpress.com

• SCCM 2012 R2 CU2 Admin Console Connects But Closes In A Few Seconds

  I built a new SCCM 2012 R2 CU2 suite on Server 2012 R2. There are four servers: site server, secondary DP, WSUS/SUP, and a SQL server. On the first three the SCCM Admin Console will open. But when logged into the SQL server, the Admin Console opens
  for a couple seconds, then closes. The SQL box can connect via wbemtest to
  \\server\root\sms\site_ABC. I have checked all the items that show on the screen when your console won't connect. There are  no errors in the smsprovl.log on the site server. I think this problem is on the SQL server.
  This is one of three problems I've had a lot of difficulty with on this network. I'm making separate threads for all three
  Ben JohnsonWY

  I have been able to verify this problem generates 4 entries in Event Viewer/System logs. In the order they get generated by first in time:
  1st - A fatal error was generated and sent to a remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 43. The Windows Schannel error state is 552.
  2nd - The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting was (the IP of the SQL server). The
  SSL connection request has failed. The attached data contains the server certificate.
  3rd - DCOM was unable to communicate with the server servername.fqdn using any of the configured protocols; requested by PID 3cb8 (C:Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe)
  4th - an exact repeat of the 3rd entry.
  Ben JohnsonWY

• Deny local admin users from logging on (or at least restrict them)

  I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
  My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the accounts pane otherwise users will not be able to change their passwords), then login and bypass preference management.
  Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still - DENY local admins from logging in, or deny anyone from being able to create new local accounts?
  (Please don't suggest denying the users admin rights - it's not possible for political reasons).
  Many thanks in advance!
  FZ.

  There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
  I've been in exactly this case many years ago, and with replete with the politics of privileges and perceived prestige.
  I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
  Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
  The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) with a private subnet or private LAN and private services and and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
  Either way, you've punted the responsibility and the decision up the management chain to the DRI.
  (Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

• SCCM 2012 Security to allow users to add resource to a collection

  Hi,
  I need to permission IT Support staff so they are able to add computers to certain collections in SCCM 2012. I created a new Role and assigned the following permissions under "Collection"
  Read, Modify, Modify Resource, delete resource, read resource, Modify Collection setting, read AMT.
  Also allowed read at site level.
  Users are still unable to add computers to a collection ? Any ideas why ?
  I did read a previous post which said something about also having to permission users to the limiting collection but this doesnt make sense, and sounds insecure.
  Thanks

  Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question.
  Create a new collection that is a copy of your collection limiting collection mentioned above.
  Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection.
  Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection.
  Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget
  to add your security scope.
  Apply the changes and test - don't forget to restart the console of your test account.
  This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish.  It does NOT allow modify on the limiting collection. And it separates the specific collections
  you tag as being modifiable by the specified group.
  We had the same issue in our environment - need a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection.  Allowing modify to the All Workstations collection allowed modifications
  to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts and it works as I needed.
  Hopefully this will solve your issue and give you some options going forward.