Inventory of Missing and Disabled Configuration Manager Users
I wrote the following script to inventory the administrative users of my Configuration Manager (SCCM) environment as they relate to Active Directory. The end result is a list of users who no longer exist in Active Directory, users who are in Active Directory but disabled, and users who are granted rights in multiple ways (e.g. directly and through some groups).
There is some sample code on how to then remove them, but I urge you to run this in a test environment first and never trust random code you find online in your production environment until you've fully vetted it.
1# Site configuration
2$SiteCode = "YOUR_SITE_CODE_HERE" # Site code
3$ProviderMachineName = "YOUR_SMS_SERVER_HERE" # SMS Provider machine name
4
5Write-Host "Importing Required Modules"
6
7# Import the ConfigurationManager.psd1 module
8if((Get-Module ConfigurationManager) -eq $null) {
9 Write-Host "Importing ConfigurationManager.psd1"
10 Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
11}
12
13# Import the ActiveDirectory Module
14if((Get-Module ActiveDirectory) -eq $null) {
15 Write-Host "Importing ActiveDirectory Module"
16 Import-Module ActiveDirectory -ErrorAction Stop
17}
18
19Write-Host "Connecting to SCCM"
20
21# Connect to the site's drive if it is not already present
22if((Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue) -eq $null) {
23 New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName @initParams
24}
25
26# Set the current location to be the site code.
27Set-Location "$($SiteCode):\"
28
29Write-Host "Getting List of Administrative Users"
30$cmUsers = Get-CMAdministrativeUser
31
32Write-Host "Gathering Data on Administrative Users"
33$userData = @()
34$userCount = $cmUsers.count
35$index = 0
36
37ForEach($user in $cmUsers) {
38
39 $index++
40 Write-Progress -Activity "Gathering Information on Configuration Manager Users" -Status "Processing $($user.DistinguishedName) - $index/$userCount" -PercentComplete $($index/$userCount*100)
41
42 If($user.IsGroup -eq $false) {
43 $thisUser = New-Object -TypeName PSObject
44 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name DistinguishedName -Value $user.DistinguishedName
45 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name SID -Value $user.AdminSid
46 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name CMID -Value $user.AdminId
47 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name Source -Value "Direct"
48 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name RoleNames -Value $user.RoleNames
49 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name Permissions -Value $user.Permissions
50 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name ADAccountStatus -Value ""
51 $userData += $thisUser
52 } else {
53 $groupMembers = Get-ADGroupMember $($user.AdminSid) -Recursive
54 ForEach($member in $groupMembers) {
55 $thisUser = New-Object -TypeName PSObject
56 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name DistinguishedName -Value $member.distinguishedName
57 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name CMID -Value ""
58 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name SID -Value $member.SID
59 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name Source -Value "MemberOf $($user.distinguishedName)"
60 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name RoleNames -Value $user.RoleNames
61 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name Permissions -Value $user.Permissions
62 Add-Member -InputObject $thisUser -MemberType NoteProperty -Name ADAccountStatus -Value ""
63 $userData += $thisUser
64 }
65 }
66}
67
68Write-Progress -Activity "Gathering Information on Configuration Manager Users" -Complete
69
70Write-Host "Collecting Active Directory Data on CM User List"
71
72$userDataUnique = $userData | Select -ExpandProperty SID -Unique
73
74ForEach($sid in $userDataUnique) {
75 $status = "N/A"
76 Try {
77 $adUser = Get-ADUser $sid -Properties Enabled,LastLogonDate -ErrorAction SilentlyContinue
78 if($adUser.Enabled) {
79 $status = "Enabled"
80 } else {
81 $status = "Disabled"
82 }
83 } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
84 $status = "Missing"
85 }
86
87 If($status -eq "Missing") {
88 Try {
89 $adUser = Get-ADComputer $sid -Properties Enabled,LastLogonDate -ErrorAction SilentlyContinue
90 if($adUser.Enabled) {
91 $status = "Enabled"
92 } else {
93 $status = "Disabled"
94 }
95 } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
96 $status = "Missing"
97 }
98 }
99
100 ForEach($user in $userData | Where-Object { $_.SID -eq $sid }) {
101 $user.ADAccountStatus = $status
102 }
103}
104
105
106# ------------------------------------------------------------------------------------------------------------
107
108$reportMissingUsers = $userData | Where-Object { $_.ADAccountStatus -eq "Missing" }
109$reportDisabledUsers = $userData | Where-Object { $_.ADAccountStatus -eq "Disabled" }
110$reportDuplicateUsers = $userData | Where-Object { $_.DistinguishedName -in $($userData | Group-Object DistinguishedName | Where-Object { $_.Count -gt 1 }).Name } | Sort-Object DistinguishedName
111
112<#
113 --- Report out on the various user collections
114 $reportMissingUsers | Format-Table -AutoSize
115 $reportDisabledUsers | Format-Table -AutoSize
116 $reportDuplicateUsers | Format-Table -AutoSize
117#>
118
119<#
120 --- Sample: Outputting to XML
121 [xml]($reportMissingUsers | ConvertTo-Xml).Save("C:\temp\CMDeletedFromAD.xml")
122 [xml]($reportDisabledUsers | ConvertTo-Xml).Save("C:\temp\CMDisabledAD.xml")
123#>
124
125
126<#
127 --- Remove CM users missing from Active Directory
128 --- *** WARNING THIS IS DESTRUCTIVE - RUN IN TEST ENVIRONMENT ***
129
130 ForEach($user in $reportMissingUsers) {
131 Write-Host "Removing User $($user.DistinguishedName)"
132 Get-CMAdministrativeUser -Id $user.CMID | Remove-CMAdministrativeUser -Force
133 }
134
135 ForEach($user in $reportDisabledusers) {
136 Write-Host "Removing User $($user.DistinguishedName)"
137 Get-CMAdministrativeUser -Id $user.CMID | Remove-CMAdministrativeUser -Force
138 }
139
140 --- *** WARNING THIS IS DESTRUCTIVE - RUN IN TEST ENVIRONMENT ***
141
142#>
143
No comments