Summary:
Using SCCM to query the ConfigMgr database to find which clients a particular user had logged in to.
Issue:
A customer wanted to know a history of which clients on their estate a particular user had logged into in the last couple of days and cross reference their results from Active Directory against the information held within the SCCM database.
Resolution:
There are many ways to skin this particular cat but this seemed like a viable scenario to demo a how to query the ConfigMgr database to scan for instances of where this particular user had logged onto a client.
| Note: The date range you can query to depends on your data retention policy (how long you keep records in your CM database) |
Implementation:
- Open the SCCM (ConfigMgr) console
- Click the Monitoring tab
- Create new Query wizard
> Right click Queries
> Create Query
- General Query Settings
> Name: All Systems – Where user last logged on
> Comments: Brief description of what the query is for
> Click Edit Query Statement
- Query Statement
> Click Show Query Language
> Paste the following query into the Query StatementSELECT SMS_R_System.LastLogonUserName, SMS_R_System.Name, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonTimestamp FROM SMS_R_System WHERE SMS_R_System.LastLogonUserName = ##PRM:SMS_R_System.LastLogonUserName##
> Click Ok
- Set your limiting collection
In a development environment it is not a major issue not setting a limiting collection as there are not many objects in the SCCM database.
However in production environments this is generally a bad idea as the wider the scope of your limiting collection the more tables will be queries in your SCCM database.
> Check limited to collection
> Click Browse
> Click Device Collections from the drop down menu on the top left
> Click All Systems (for dev environments, a smaller target collection would be preferable for testing)
> Click Ok
> Click Next - Summary
> Click Close - Test your new query
> Right click new query
> Click Run
- Username prompt
> Enter the username for the user you would like to query
> Click Ok
- You will be presented with the results of where a particular user logged in
Query Statement Explained
SELECT SMS_R_System.LastLogonUserName, SMS_R_System.Name, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonTimestamp
The SELECT statement is used to decide what information you would like retrieved by the Query in this case the following:
| SMS_R_System.LastLogonUserName | Username for user you will search for |
| SMS_R_System.Name | Name of client |
| SMS_R_System.LastLogonUserDomain | Domain user logged into |
| SMS_R_System.LastLogonTimestamp | Timestamp |
You can use the query builder to add/remove fields to your preference.
FROM SMS_R_System
FROM statement indicates which table the information is stored in, in this case SMS_R_SYSTEM
WHERE SMS_R_System.LastLogonUserName = ##PRM:SMS_R_System.LastLogonUserName##
The WHERE statement is the condition by which results are filtered.
##PRM: ## will prompt the user to enter information, the message prompt and data type will match that of the field you have targeted.
In this case System.Resource.LastLogonUserName and data type text
You can also remove the WHERE statement all together and all records mentioned in the SELECT statement will be displayed.
SELECT SMS_R_System.LastLogonUserName, SMS_R_System.Name, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonTimestamp FROM SMS_R_System
This will display all records for all users in the CM database and you can then filter on the results view using the search functionality in the SCCM console.
If your database is particularly large or if the search is going to be run more than a few times creating a query to perform the same filters would be preferable and require less resource to process.
ConfigMonkey.co.uk 
Nice!
Is it possible to show every instance a user logged on to machines during a time period rather than just the last logon? I imagine that logging that sort of data would be massive though 😦
LikeLike
Unfortunately I don’t think Sccm holds that kind of data for very long. You would be better off checking on your domain controllers for historical logging; dependant on your retention policy defining how far back those logs go. Another option could be to add a log on/log off script that captures the session or even delve the local event log.
If you have budget for a more enterprise solution there are many vendors such as uberAgent, controlUP, lakeside etc.. That specialise in this sort of data gathering. Another option may be to investigate on boarding your endpoints to Microsoft SCOM but this my end up being rather expensive depending on your license terms.
LikeLike
Would it be possible to build a quick powershell script that queries SCCM with list of know computer objects (ie, a script with ‘foreach $computer in $list’ …) that would output each said computer name and the last logged on user for each?
I’ve seen a couple examples so far, but no clear defined way of extracting just the information I need.
LikeLike
I would suggest you create a new collection of the devices you want to query then run the query against it rather than relying on interim text files or lists.
This has a couple of advantages:
1) it utilises native sccm and is dynamic, every time the query is run it will use the latest data set. No need to update text input files/variables.
2) you can automate collection membership with queries so you do not need to even maintain the membership to keep it relevant.
I will try and write something up later today to point you in the right direction.
Hope that helps
LikeLiked by 1 person
Thank you for the response. I ask this because my workplace uses a separate tool for querying computer warranty information, and this tool allows me to export to an excel spreadsheet. I was hoping to whip up a quick script that will allow me to import the ‘computer name’ column 1 by 1 into the SCCM query language to get ‘last logged on user’ information as well (that the other tool cannot generate). I really appreciate your time!
LikeLike
Check out this article hopefully it answers your query: https://configmonkey.wordpress.com/2017/10/05/sccm-20122016-query-sccm-to-find-clients-a-user-last-logged-in-to-using-powershell/
LikeLike
I would like to thank you for the efforts you have put in penning this site.
I really hople to see the same high-grade blog posts from yoou
later on as well. In truth, your creative writing abilities has motivated me to get my very own site now 😉
LikeLike
Thanks very much, appreciate it
LikeLike
Oh my goodness! Inhredible article dude! Thanks, However I
am going through issues with your RSS. I don’t know thhe reason why I can’t join it.
Is thre anyone else getting the same RSS
problems? Anyone that knows the solution will you kindly respond?
Thanx!!
LikeLike
Thanks for the feedback and the issues with the RSS feed. WordPress recently upgraded their platform something may well have gone awry.
LikeLike
Best SCCM resource site – Love your work
LikeLike