Here’s how you can check what your SCCM admin is up to.
Open the ‘Monitoring’ tab in the SCCM console and find ‘Administration Activity Log’.
Run it, and you will most likely find that the report is empty.
Fear not, this is quite normal. Despite the ‘Administration Activity Log’ name, this report has almost nothing to do with administration: its purpose is to show changes in SCCM permissions within the console (and a few other uninteresting things).
An example of an action that appears in this report is any change to ‘Security Scopes.’ If your SCCM permissions are segmented into, say, a ‘helpdesk scope’ and an ‘admin scope,’ an admin making changes to ‘helpdesk’ IS going to be logged here.
Reports that Actually Give You Data
The place we actually need to look at is ‘Monitoring’ -> ‘System Status’ -> ‘All Status Messages’.
Running the report will show you all sorts of interesting info, such as who deleted a package. I just removed an old task sequence and sure enough this event is evident in the log within seconds.
‘All Status Messages’ is extremely chatty, so if you want to filter this data further you can run ‘All Audit Status Messages for a Specific User’ instead.
To capture actions by all admins, you can use ‘All Audit Status Messages from a Specific Site’.
Other Useful Auditing Reports
Three more useful reports, which I happen to run all the time, all relate to Packages, Programs, and Deployments. When getting a call from a customer, instead of going through the usual exchange of ‘did you change anything?’ my first step is to go right into the reporting and check what changes have been made, because of course there were changes.
All these reports work the same way: specify a time period and run it.
Another Option for Audit Reports
Applications have a ‘Last Modified by’ field visible in the interface even to users without the ‘Reporting’ or ‘Monitoring’ tabs in SCCM. This isn’t particularly useful for anything other than making sure your Application has not been changed. Furthermore, all changes here are reflected in the logs we discussed previously.
There are many, many other ways to get this info and more of this sort of info, such as creating report subscriptions that can alert you via email every time a change such as the deletion or modification of a production package is made. All the ‘queries’ (these aren’t really reports) are items I happen to use on almost every engagement involving package / application / task sequence build.