Auditing Admin Actions in SCCM Console


Here’s how you can check what your SCCM admin is up to.

Open the ‘Monitoring’ tab in the SCCM console and find ‘Administration Activity Log’.

SCCM Administration Activity Log

The next step is to run it and, most likely, find that the report is empty.

Gotcha!

Fear not, this is quite normal. Despite the ‘Administration Activity Log’ name, this report has almost nothing to do with administration: its purpose is to show changes to SCCM permissions within the console (and a few other uninteresting things).

An example of an action that appears in this report is any change to ‘Security Scopes.’ If your SCCM permissions are segmented into, say, a ‘helpdesk scope’ and an ‘admin scope,’ an admin making changes to ‘helpdesk’ IS going to be logged here.

Reports that Actually Give You Data

The place we actually need to look at is ‘Monitoring’ -> ‘System Status’ -> ‘All Status Messages’.

All Status Messages

Running the report will show you all sorts of interesting info, such as who deleted a package. I just removed an old task sequence and sure enough this event is evident in the log within seconds.

SCCM Admin log deleted package

‘All Status Messages’ is extremely chatty, so if you want to filter this data down further you can run ‘All Audit Status Messages for a Specific User’ instead.

Status Messages by User

To capture actions by all admins, you can use ‘All Audit Status Messages from a Specific Site’.

SCCM Status Messages by Site
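
The same audit trail can also be read from the site database, which puts every admin's actions in one result set. The T-SQL below is an added example, not part of the original post; it assumes the reporting views `v_StatusMessage`, `v_StatMsgAttributes` and `v_StatMsgInsStrings`, audit messages stored with message type 768, and attribute 403 holding the acting user's name, and the site code and look-back window are placeholders.

```sql
-- Added example (not from the original post). Read-only query against the
-- site database reporting views. Assumptions to confirm in your environment:
--   * audit status messages have MessageType = 768
--   * attribute 403 carries the name of the user who performed the action
--   * Time is stored in UTC
DECLARE @SiteCode nvarchar(3) = N'XXX';   -- placeholder: your site code
DECLARE @Days     int         = 7;        -- constructed look-back window

WITH audit AS (
    SELECT stat.RecordID,
           stat.Time,
           stat.MessageID,
           stat.MachineName,              -- machine that reported the message
           stat.Component,
           usr.AttributeValue AS UserName
    FROM v_StatusMessage AS stat
    LEFT JOIN v_StatMsgAttributes AS usr
           ON usr.RecordID = stat.RecordID
          AND usr.AttributeID = 403
    WHERE stat.MessageType = 768
      AND stat.SiteCode = @SiteCode
      AND stat.Time >= DATEADD(day, -@Days, GETUTCDATE())
)
SELECT a.Time,
       a.UserName,
       a.MessageID,
       a.MachineName,
       a.Component,
       -- Insertion strings hold the object names and IDs that the console
       -- substitutes into the message text; join them in index order.
       STUFF((SELECT N' | ' + ins.InsStrValue
              FROM v_StatMsgInsStrings AS ins
              WHERE ins.RecordID = a.RecordID
              ORDER BY ins.InsStrIndex
              FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'),
             1, 3, N'') AS Details
FROM audit AS a
ORDER BY a.Time DESC;
```

Rows with a NULL `UserName` are audit messages that carry no user attribute; keep them in the output rather than filtering them away, since they still show that a change happened.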

Other Useful Auditing Reports

Three more useful reports, which I happen to run all the time, relate to Packages, Programs, and Deployments. When I get a call from a customer, instead of going through the usual exchange of ‘did you change anything?’, my first step is to go right into the reporting and check what changes have been made, because of course there were changes.

track SCCM changes to packages, programs, deployments

All these reports work the same way: specify the time period and run it.

SCCM packages audit

Another Option for Audit Reports

Applications have a ‘Last Modified by’ field that is visible in the interface even to users without the ‘Reporting’ or ‘Monitoring’ tabs in SCCM. It isn’t particularly useful for anything other than making sure your Application has not been changed. Furthermore, all changes here are reflected in the logs we discussed previously.

SCCM Last modified by Application

Final Words

There are many, many other ways to get this info and more of this sort of info, such as creating report subscriptions that can alert you via email every time a change such as the deletion or modification of a production package is made. All the ‘queries’ (these aren’t really reports) are items I happen to use on almost every engagement involving package / application / task sequence build.

JacobR, PEI

 
