~ Radu Tomoiaga | Support Engineer
Once in a while you may be facing an issue where you discover that some clients are missing in the Configuration Manager console and you’re not able to figure out what happened. You suspect that one of the ConfigMgr admins might have accidentally removed them but how can you figure out which one did what? Here are some tips and examples showing how you might be able to figure this out.
1. In this first option, we’re looking for a status message ID of 30066 or 30067. These mean that a user has either deleted a resource or all resources from a collection.
Using this, you might check Report nr. 91. This shows all audit messages for a specific user and shows the actions the user has done. This could be used to list all the activities a user has done which will contain the actions related to him or her deleting objects from a collection:
However in this case, this standard report may not be that useful since it will also contain a lot of unnecessary data and you will need to search for the 30066 or 30067 status Messages ID. What happens if you have a large number of ConfigMgr admins? You would need to generate the report for each user and check each one to see if they deleted something.
2. The second option is to use a query such as the one below to generate a report for each deletion that took place:
The result will look something like this:
Now the downside to this is that while you can see who deleted something, you can’t see what they deleted.
3. The third option is to use a status message query that lists these actions and generates a custom report. In this report we provide as input the object name that was deleted and we get in return the user that has deleted it. Here’s an example of what this report might look like:
The screen shots below show how the query is configured and the query itself is at the bottom:
Report for deleted objects based on user Input:
Prompts for user input:
The SQL query:
SELECT TOP (100) PERCENT dbo.v_StatMsgAttributes.AttributeValue AS 'User', dbo.v_StatusMessage.MessageID AS 'has deleted',
dbo.v_StatMsgInsStrings.InsStrValue AS 'this computer', dbo.v_StatusMessage.RecordID
FROM dbo.v_StatusMessage INNER JOIN
dbo.v_StatMsgInsStrings ON dbo.v_StatusMessage.RecordID = dbo.v_StatMsgInsStrings.RecordID INNER JOIN
dbo.v_StatMsgAttributes ON dbo.v_StatMsgInsStrings.RecordID = dbo.v_StatMsgAttributes.RecordID
WHERE (dbo.v_StatusMessage.MessageID = 30066) AND (dbo.v_StatMsgInsStrings.InsStrValue LIKE @variable) OR
(dbo.v_StatusMessage.MessageID = 30067)
ORDER BY 'this computer' DESC
When you run the report you will be prompted to provide a string which will be used for the search
You will get a result as in this screen capture:
If you want more info you can click the arrow and you will get this:
Hope this helps!
Radu Tomoiaga | Support Engineer | Microsoft
System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/