So, who exactly has access to the ConfigMgr admin console? This bit of PowerShell will generate a CSV report of each Active Directory user in each role/group*.
*Note: nested groups are not yet supported.
#.LINK https://github.com/ChadSimmons/Scripts/blob/default/ConfigMgr/Document/Get-MECMAdminConsoleUsers.ps1 $SiteCode = 'LAB' $SiteServer = 'CMPrimary.contoso.com' $ExportFile = 'C:\Data\Get-MECMAdminConsoleUsers.csv' Push-Location -Path "$SiteCode`:" $CMAdminUsers = Get-CMAdministrativeUser | Select-Object LogonName, IsGroup Pop-Location $CMAdminUserList = @() ForEach ($CMAdminUser in $CMAdminUsers) { Write-Output $CMAdminUser.LogonName If ($CMAdminUser.IsGroup -eq $true) { $CMAdminUserIDs = (Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$($SiteCode)" -Query "Select UniqueUserName from SMS_R_User where UserGroupName like `"$($CMAdminUser.LogonName.replace('\','\\'))`"").UniqueUserName } Else { $CMAdminUserIDs = (Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$($SiteCode)" -Query "Select * from SMS_R_User where UniqueUserName = `"$($CMAdminUser.LogonName.replace('\','\\'))`"").UniqueUserName } ForEach ($CMAdminUserID in $CMAdminUserIDs) { $CMAdminUserList += @(Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$($SiteCode)" -Query "Select * from SMS_R_User where UniqueUserName = `"$($CMAdminUserID.replace('\','\\'))`"" | Select-Object @{N = 'Group'; E = { $CMAdminUser.LogonName } }, UniqueUserName, ResourceID, ResourceType, UserName, Name, displayname, WindowsNTDomain, distinguishedName, FullDomainName, FullUserName, UserPrincipalName, mail, mobile, telephoneNumber, UserGroupName) } } $CMAdminUserList | Select-Object Group, UniqueUserName, ResourceID, ResourceType, UserName, Name, displayname, WindowsNTDomain, distinguishedName, FullDomainName, FullUserName, UserPrincipalName, mail, mobile, telephoneNumber | Export-Csv -Path "filesystem::$($ExportFile)" -NoTypeInformation
The latest code can be obtained from GitHub.
Report all ConfigMgr admin console users