Tuesday, March 01, 2011 2:44 PMHello, I am having an issue with the Hardware 03A - Primary Computer Users report. I have completed both steps required for this to work:
1. Enable the SMS_SystemConsoleUsage class which polls the Security event log for information about all console usage.
2. Enable the auditing of Logon/Logoff policy (LOCAL Security Settings->Local Policies -> Audit Policy -> Audit Logon Events) to allow “Success” auditing.
However, I am finding very inconsistent results. Only 10-15% of my Users/Computers are getting populated in the report. It appears some users appear and some disappear from day to day. Anyone have any thoughts on why this might be happeing or have any more information to how this report works. I am using this information to import into my Service Manager environment so it makes this report crucial. Thanks!
Thursday, March 03, 2011 7:11 AMHello - If I would have in your place then I would start the troubleshooting from client side that the client is sending the accurate data or not?
Anoop C Nair
Thursday, March 03, 2011 7:37 AMModerator
I would :
· enable the auditing as a domain policy.
· check the size of you security logs.
· Review the console usage data, (Not Top Console but usage data)
Thursday, March 03, 2011 1:09 PM
Thanks for the replies! I have already enabled auditing as a domain policy and confirmed the policy is working. My security log size is 20 MB and it rolls over every 2-4 days. What are the requirements for the security logs? Where do I go to review console usage data? How do I confirm if client is sending accurate data or not (where and what do I look for)? Thx!
Thursday, March 03, 2011 4:10 PMModerator
How often do you do your HW inventory? Daily. This query will list the Top console user data.
select * from dbo.v_GS_SYSTEM_CONSOLE_USER
Thursday, March 03, 2011 7:14 PMGarth, I do my HW inventories nightly at 4 AM. I ran your query and it returns 244 results (which is signifcantly short). However, I have 330 systems in my site. My Hardware 03A report only returns 153 computers (it returns usernames, but only 153 systems are related across all the usernames it returns). Also, on a side note, all my servers all report the operations manager action account as their primary user (which isn't a huge deal since i care mostly about the workstations, but still curious to why and how I could even work around that). Thoughts? The report only needs one day of logs in the security log since I run the inventory nightly, correct?
Friday, March 04, 2011 12:27 AMModerator
Personally I would hardcode HW inv to 4 am but…
Find a PCs that is not listed with the report.
· Open Wbemtest as an administrator on that PC
· Connect to root\cimv2\sms
· Click Enum classes..
· Select sms_systemConsole_user
· Select Instances
· Is anything listed?
· If so force a Full inventory on the client, does the HW inventory show up?
Now you have an idea where it is broken.
Friday, March 04, 2011 1:55 PM
Thanks for the reply Garth! Do you mean you "wouldn't" hardcode or would? If not, how come?
I logged into a PC that is missing in the SCCM report and WMI returned my User Account (the one I just used to log into the machine). However, the end-user left themselves logged into their own PC all night long, but it doesn't report their username, but instead mine, who just logged in. I forced the Hardware Inventory and now it shows in the report, but under my username. Thoughts?
Friday, March 04, 2011 6:05 PMModerator
Yes, you are right, I wouldn't hardcode the HW scan time. Why because that can bring your site server to its knees!
No sure but look at it again next week and see the user is now listed.
Wednesday, March 16, 2011 3:30 PMGarth, I have been watching my reports and it seems to be getting better, but still some random stuff going on. The computer we tested above has changed its primary user 3 times (but only one user really uses the computer) and the person who owns the computer now doesn't even use the computer ever, it is really odd...any thoughts? I have increased the size of my security log to see if that makes a difference? Right now it rolls over every few days, maybe that is too fast? Thx!
Sunday, July 31, 2011 8:00 PMModerator
Yes I know this is an old post, I’m trying to clean up all un-answered post.
I don’t know why I missed you last post but… Did you look for duplicate GUIDS?, Did you figure this out, if so what was the results?
Monday, August 01, 2011 1:01 PMI don't really have any duplicate GUIDs anymore, I have cleaned them all up. It has gotten a lot better now. I modified logging so that a lot less things would be logged on client workstations, so that the security log wouldn't roll over too fast. That has made a big difference and I have about 90% accurate data now. I still have a few machines that flip flop owners, not really sure why; but increasing the longevity of the security log seems to have made a big difference. Thx!
Thursday, January 17, 2013 2:40 PM
I don't really have any duplicate GUIDs anymore, I have cleaned them all up. It has gotten a lot better now. I modified logging so that a lot less things would be logged on client workstations, so that the security log wouldn't roll over too fast. That has made a big difference and I have about 90% accurate data now. I still have a few machines that flip flop owners, not really sure why; but increasing the longevity of the security log seems to have made a big difference. Thx!
I'm having the same issue... Which security logs are you referring to? The client windows security logs? The SCCM Server security logs?
Thursday, January 17, 2013 2:44 PMModeratorThat would be the client sec logs.
Thursday, January 17, 2013 2:48 PMThey are already 75mb though, shouldn't that be more than enough?
Thursday, January 17, 2013 3:08 PMModerator
They are already 75mb though, shouldn't that be more than enough?
There is no way that I can answer that. You will have to look at one of the PCs in question to find out how quickly the sec logs are rolling over then compare that to your hardware inventory cycle.