locked
Audit for Distribution Point installation RRS feed

  • Question

  • Hi All,

    We have huge SCCM environment and we need to delegate DP install and configure rights to some of the IT users.

    For doing this we have give rights to modify site to the users. Now our concern is how can we check who has created and deleted the DP server. 

    Tuesday, October 13, 2015 3:19 PM

Answers

  • Hi

    Check the "status filter rule" of Audit messages is enabled in the site server.

    If it enabled, you can view the Audit message in the SSRS report.

    Else if the information needs to update in the event viewer enable the  "Report to the Event Log" option.

    Example :

    Creation   of Distribution point Group Information SMS Provider 40400 Microsoft.ConfigurationManagement.exe On 17-08-15   16:45:50, component Microsoft.ConfigurationManagement.exe on computer   CSKSCCM001.CSK.in reported:  User   "CSK\SCCADMIN" created Distribution Point Group "Test".
    Adding the collection to the Distribution point group Information SMS   Provider 40407 Microsoft.ConfigurationManagement.exe On   17-08-15 16:47:31, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" associated one or more collections to   the Distribution Point Group "Test".
    Removing the collection from the distribution point group Information SMS   Provider 40408 Microsoft.ConfigurationManagement.exe On   17-08-15 16:48:22, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" removed one or more collections   associated with the Distribution Point Group "Test".
    Additing the Distribution point to the Distribution point groups Information SMS   Provider 40405 Microsoft.ConfigurationManagement.exe On   17-08-15 16:48:51, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" added one or more distribution points to   the Distribution Point Group "Test".
    Removing the Distribution point to the Distribution point groups Information SMS   Provider 40406 Microsoft.ConfigurationManagement.exe On   17-08-15 16:50:18, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" removed one or more distribution points   from the Distribution Point Group "Test".
    Updating the settings in the Distribution point group Information SMS   Provider 40401 Microsoft.ConfigurationManagement.exe On   17-08-15 16:51:25, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" modified Distribution Point Group   "Test".
    Deletion of Distribution point group Information SMS   Provider   Microsoft.ConfigurationManagement.exe On   17-08-15 16:52:45, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" deleted Distribution Point Group   "Test".


    Regards, kanna

    • Proposed as answer by Kannan CS Tuesday, October 13, 2015 6:50 PM
    • Marked as answer by Joyce L Tuesday, November 3, 2015 9:49 AM
    Tuesday, October 13, 2015 6:49 PM

All replies

  • Have you looked at the audit message yet?

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Tuesday, October 13, 2015 4:19 PM
  • Hi

    Check the "status filter rule" of Audit messages is enabled in the site server.

    If it enabled, you can view the Audit message in the SSRS report.

    Else if the information needs to update in the event viewer enable the  "Report to the Event Log" option.

    Example :

    Creation   of Distribution point Group Information SMS Provider 40400 Microsoft.ConfigurationManagement.exe On 17-08-15   16:45:50, component Microsoft.ConfigurationManagement.exe on computer   CSKSCCM001.CSK.in reported:  User   "CSK\SCCADMIN" created Distribution Point Group "Test".
    Adding the collection to the Distribution point group Information SMS   Provider 40407 Microsoft.ConfigurationManagement.exe On   17-08-15 16:47:31, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" associated one or more collections to   the Distribution Point Group "Test".
    Removing the collection from the distribution point group Information SMS   Provider 40408 Microsoft.ConfigurationManagement.exe On   17-08-15 16:48:22, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" removed one or more collections   associated with the Distribution Point Group "Test".
    Additing the Distribution point to the Distribution point groups Information SMS   Provider 40405 Microsoft.ConfigurationManagement.exe On   17-08-15 16:48:51, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" added one or more distribution points to   the Distribution Point Group "Test".
    Removing the Distribution point to the Distribution point groups Information SMS   Provider 40406 Microsoft.ConfigurationManagement.exe On   17-08-15 16:50:18, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" removed one or more distribution points   from the Distribution Point Group "Test".
    Updating the settings in the Distribution point group Information SMS   Provider 40401 Microsoft.ConfigurationManagement.exe On   17-08-15 16:51:25, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" modified Distribution Point Group   "Test".
    Deletion of Distribution point group Information SMS   Provider   Microsoft.ConfigurationManagement.exe On   17-08-15 16:52:45, component Microsoft.ConfigurationManagement.exe on   computer CSKSCCM001.CSK.in reported:    User "CSK\SCCADMIN" deleted Distribution Point Group   "Test".


    Regards, kanna

    • Proposed as answer by Kannan CS Tuesday, October 13, 2015 6:50 PM
    • Marked as answer by Joyce L Tuesday, November 3, 2015 9:49 AM
    Tuesday, October 13, 2015 6:49 PM