none
Investigating removal of members from a User Collection RRS feed

  • 问题

  • Hi All,

    We've recently noticed a drastic drop (about 500) in members of a specific User Collection which is entirely made up of Direct rules. (i.e. each member is manually added or removed). 

    I'm trying to investigate the bulk removal of members against the above Collection. While checking Status Message queries they've helped only to an extent. (the ones below)

    1- Collections Created, Modified, or Deleted

    2- All Status Messages for a Specific Collection at a Specific Site

    Both the above items render only the date and the user who has modified the Collection. But doesn't indicate any detail on what operation was performed. Like how many members were removed or added? Hence this is still unclear.

    3- Collection Member Resources Manually Deleted

    This item shows all the delete operation but doesn't point it to any specific Collection. So there isn't a way to match or correlate to the specific Collection in question.

    Is there any way to achieve the above requirement I'm looking for?? 

    One other possibility we're examining is if any maintenance task had removed users from SCCM (beyond 90 days of inactivity) but this is highly unlikely to happen for 500 users at the same time. Either ways looking for some audit detail, please. 

    Do correct me accordingly. Thanks in advance.

     


    SamSV

    2020年7月6日 8:02

全部回复

  • Hi,

    Thanks for posting in TechNet.

    Collection Member Resources Manually Deleted

    In my test, this status message queries could show the collection which was deleted. Kindly test it again.

    We could refer to the following screenshot:


    Thanks for your time.

    Best regards,
    Amanda You


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    2020年7月7日 2:43
  • Hi Amanda, Thank You very much for getting back. Surprisingly the same report is giving me different entries with Message ID 30066 where it lists the User 'Domain\Username' deleted a discovered resource named 'Machine.Domainname.com'. But there is no reference to the Collection itself and no Message ID showing 30067 like in your case. Can you please let me know the SCCM version you're using? Ours is 1906. Will try to upload a screen shot too.

    SamSV

    2020年7月8日 8:08

  • SamSV

    2020年7月8日 8:09
  • Hi,

    Thanks for your reply.

    The version i used is 2002. Here is the screenshot:

    Thanks for your time.

    Best regards,
    Amanda You


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2020年7月8日 8:51
  • Thanks Amanda.

    On a closer look, this entry seems to be recorded only if ALL the resources that belong to a Collection are deleted. And that doesn't seem to be the case in our scenario. Rather a significant no. of resources were deleted and the entry with ID 30066 as shown in the below screenshot does not reflect the Collection Name. Please confirm if that's the same behaviour in your environment.


    SamSV

    2020年7月8日 11:03
  • Hi,

    Thanks for your reply.

    I deleted one of member of collection, and it seems that it shows the message just about modifying the collection as mentioned above.

    And we tried to find more details by SmsProv.log, it still doesn't show which member was deleted, here is the screenshot we could refer to:



    Thanks for your time.

    Best regards,
    Amanda You


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2020年7月9日 9:35
  • Hi Amanda,

    Thank You for getting back.

    Yes there is no information to indicate what had caused the deletion since the above auditing queries only show..

    Who did what? 
    When they did it?

    But the information relating the WHAT they did.. i.e. actual operation and relating it to the Collection is not available. Trying to check if there are any other means to fetch this information apart from using the above discussed options. We have already checked with each user ID which was displayed in the auditing query result set and they have confirmed that they hadn't deleted any records (instead they added). But there was a substantial drop in Collection member count and we're still trying to analyse the cause.


    SamSV


    • 已编辑 SamSV 2020年7月10日 15:27 Edit
    2020年7月10日 15:25
  • Hi,

    Thanks for your reply.

    We could check member rules of the collection is dirct or query or others. Kindly navigate to specific collection -> properties ->member rules. Here is the screenshot we could refer to:


    If the rule is not direct,  for example, is query, is it possible that collection members are reduced that some clients do not meet the search criteria? 

    I try my best to search it for several days, there may not be a proper way to indicate what had caused the deletion. We could check the type of collection first.

    Hope my answer could help you. It's appreciated if you could mark all helpful replies as answers, that will help other users to search for useful information more quickly. Thanks again for your time. 

    Best regards,
    Amanda You


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2020年7月15日 9:45
  • Hi Amanda,

    All the members to the Collection were direct. So there is no applicability of a condition as in query based.

    Thank You.


    SamSV

    2020年7月15日 15:17
  • Hi,

    Thanks for your reply.

    There might be no proper way to indicate it. I try my best to search it. It is recommended to open the ticket to solve the better, and i will still follow the case well.

    Thanks for your time.

    Best regards,
    Amanda You

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2020年7月16日 9:43