How to determine who deleted what objects in the Configuration Manager console


~ Radu Tomoiaga | Support Engineer

Once in a while you may face an issue where you discover that some clients are missing from the Configuration Manager console and you can't figure out what happened. You suspect that one of the ConfigMgr admins might have accidentally removed them, but how can you figure out which one did what? Here are some tips and examples showing how you might be able to figure this out.

1. In this first option, we’re looking for a status message ID of 30066 or 30067. These mean that a user has either deleted a resource or all resources from a collection.

image

With those IDs in mind, you might check Report nr. 91, which shows all audit messages for a specific user. It lists everything that user has done, including any deletions of objects from a collection:

image

However, in this case the standard report may not be that useful, since it also contains a lot of unnecessary data and you need to search it for status message ID 30066 or 30067. What happens if you have a large number of ConfigMgr admins? You would need to generate the report for each user and check each one to see if they deleted something.

2. The second option is to use a query such as the one below to generate a report for each deletion that took place:

image

The result will look something like this:

image

Now the downside to this is that while you can see who deleted something, you can’t see what they deleted.

3. The third option is to use a status message query that lists these actions and generates a custom report. In this report we provide as input the object name that was deleted and we get in return the user that has deleted it. Here’s an example of what this report might look like:

image

The screen shots below show how the query is configured and the query itself is at the bottom:

Report for deleted objects based on user Input:

image

image

Prompts for user input:

image

The SQL query:

image

-- AND binds tighter than OR: the name filter applies to 30066 only,
-- and every 30067 message is returned regardless of @variable.
SELECT     dbo.v_StatMsgAttributes.AttributeValue AS [User], dbo.v_StatusMessage.MessageID AS [has deleted],
                      dbo.v_StatMsgInsStrings.InsStrValue AS [this computer], dbo.v_StatusMessage.RecordID
FROM         dbo.v_StatusMessage INNER JOIN
                      dbo.v_StatMsgInsStrings ON dbo.v_StatusMessage.RecordID = dbo.v_StatMsgInsStrings.RecordID INNER JOIN
                      dbo.v_StatMsgAttributes ON dbo.v_StatMsgInsStrings.RecordID = dbo.v_StatMsgAttributes.RecordID
WHERE     (dbo.v_StatusMessage.MessageID = 30066 AND dbo.v_StatMsgInsStrings.InsStrValue LIKE @variable) OR
                      (dbo.v_StatusMessage.MessageID = 30067)
ORDER BY [this computer] DESC

When you run the report you will be prompted to provide a string, which will be used for the search:

image

You will get a result as in this screen capture:

image

If you want more info you can click the arrow and you will get this:

image

Hope this helps!

Radu Tomoiaga | Support Engineer | Microsoft
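
The following is an added example, not part of the original post: a T-SQL sweep that needs no prompt and lists every 30066/30067 audit message from a look-back window with its time, user and all insertion strings on one row, followed by per-user totals. The `Time`, `InsStrIndex` and `AttributeID` columns and the value 403 for the user-name attribute are assumptions not shown in the post; check them against your site database before relying on the output.

```sql
-- Added example: timeline of deletions recorded as status messages 30066 / 30067.
-- Assumptions (not from the post): v_StatusMessage.Time, v_StatMsgInsStrings.InsStrIndex,
-- v_StatMsgAttributes.AttributeID, and AttributeID 403 = user name.
DECLARE @Days int = 30;   -- look-back window in days (constructed default)

-- 1) One row per deletion message: when, who, and everything the message recorded.
SELECT
    sm.RecordID,
    sm.Time            AS [When],
    sm.MessageID,
    usr.AttributeValue AS [User],
    -- Concatenate all insertion strings of the message in index order,
    -- so the result has one row per message instead of one row per string.
    STUFF((
        SELECT ' | ' + ins.InsStrValue
        FROM dbo.v_StatMsgInsStrings AS ins
        WHERE ins.RecordID = sm.RecordID
        ORDER BY ins.InsStrIndex
        FOR XML PATH(''), TYPE
    ).value('.', 'nvarchar(max)'), 1, 3, '') AS [Details]
FROM dbo.v_StatusMessage AS sm
-- LEFT JOIN keeps the deletion visible even if no user attribute was recorded.
LEFT JOIN dbo.v_StatMsgAttributes AS usr
       ON usr.RecordID = sm.RecordID
      AND usr.AttributeID = 403
WHERE sm.MessageID IN (30066, 30067)
  -- Adjust GETDATE() if your status message times are stored in UTC.
  AND sm.Time >= DATEADD(DAY, -@Days, GETDATE())
ORDER BY sm.Time DESC;

-- 2) Per-user totals over the same window, to spot bulk deletions quickly.
SELECT
    usr.AttributeValue          AS [User],
    sm.MessageID,
    COUNT(DISTINCT sm.RecordID) AS [Deletions],
    MIN(sm.Time)                AS [First],
    MAX(sm.Time)                AS [Last]
FROM dbo.v_StatusMessage AS sm
LEFT JOIN dbo.v_StatMsgAttributes AS usr
       ON usr.RecordID = sm.RecordID
      AND usr.AttributeID = 403
WHERE sm.MessageID IN (30066, 30067)
  AND sm.Time >= DATEADD(DAY, -@Days, GETDATE())
GROUP BY usr.AttributeValue, sm.MessageID
ORDER BY [Deletions] DESC;
```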

  • Thanx this will be extremely helpful to me.

  • Thanks for sharing Radu! - is there a handy reference for ConfigMgr 2012 status message ids?