A client of mine started slowly but surely getting more and more of his staff to start using SCCM 2012 R2. I created some custom RBA for his team, but as soon as I left … it seemed that some of the guys got lazy and just started adding people into the administrators group … So some admins had access over stuff in SCCM that they really shouldn't be allowed to touch …
Long story short … some collections were deleted (by accident) and we needed to understand why and by whom. The guy wasn't in trouble, we just needed to identify who the admin was, so we can train them on how to manage collections correctly.
Now there are many ways of doing this … My client wanted the “easiest way possible” to see “who dun it” in SCCM.
So, there are actually some inbuilt reports in SCCM that will help with this issue. I used the status messages report in SCCM. You can view this report by clicking on Monitoring, expanding Reports, clicking on the Status Messages folder and selecting the first report, called “All messages for a specific message ID”. Right click it and run this report.
Make sure you click on the Values button, and then see the table below and choose the relevant message ID to generate the report you need.
| Message ID | Description |
|---|---|
| 30015 | User “<>” created a collection named “Collection Name” (CollID) |
| 30016 | User “<>” modified the Collection Properties for a collection named “Collection Name” (CollID) |
| 30017 | User “<>” deleted a collection named “Collection Name” (CollID) |
| 30104 | User “<>” requested that the membership be refreshed for collection “Collection Name” (CollID) |
| 30107 | User “<>” requested that the CCRs be generated for collection “Collection Name” (CollID) |
| 30066 | User “<>” deleted a discovered resource named “ComputerName” ResourceID |
Using the message IDs above, you’ll be able to see which administrator made changes to collections/properties etc …
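The same lookup can be done for all six message IDs at once with a query against the site database. This is an added example, not part of the original post; it assumes read access to the site database and uses the `v_StatusMessage` and `v_StatMsgInsStrings` views, and the 30-day window is an arbitrary choice.

```sql
-- Added example: list the audit status messages for the message IDs in the
-- table above, newest first. Run it in the site database (CM_<SiteCode>,
-- where <SiteCode> is a placeholder for your own site code).
SELECT
    sm.RecordID,
    sm.Time,
    sm.MessageID,
    sm.SiteCode,
    sm.MachineName,
    sm.Component,
    -- The insertion strings fill the placeholders of the message text
    -- (user, collection name, collection ID ...). They are joined here in
    -- index order; no particular index-to-field mapping is assumed.
    STUFF((SELECT ' | ' + ins.InsStrValue
           FROM v_StatMsgInsStrings AS ins
           WHERE ins.RecordID = sm.RecordID
           ORDER BY ins.InsStrIndex
           FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'),
          1, 3, '') AS InsertionStrings
FROM v_StatusMessage AS sm
WHERE sm.MessageID IN (30015, 30016, 30017, 30104, 30107, 30066)
  AND sm.Time >= DATEADD(DAY, -30, GETDATE())   -- assumed look-back window
ORDER BY sm.Time DESC;
```

Status messages are purged by the site's Delete Aged Status Messages maintenance task, so run the query (or the report) before the retention window has passed.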