Compare AD Computers to CM Computers

Profile picture for user PaulW

It comes up all the time when I want to know if anything in AD is not listed in CM and has a client, etc.  If you work for an organization that is blessed with having excellent asset management, you could compare CM directly against your CMDB.  But, everyone is not this blessed as it turns out.  And reality being, you really should compare everything in AD to everything in CM.  If its a domain joined computer, you'll probably want to know if it is or is not being managed by CM.

I wrote this script that collects the following data from AD and CM:

Active Directory

  • Computer Name
  • Operating System (OperatingSystem)
  • Last Logon (LastLogon)
  • Password Last Set (PasswordLastSet)
  • Canonical Name (CanonicalName)
  • Organizational Unit (OrgUnit)

Configuration Manager

  • InConfigMgr (Is the computer in ConfigMgr by name?)
  • CMClient (Does the computer have a CM Client installed?)
  • LastPolicyRequest (the last time the computer has requested policy from CM)


Executing the Script

So, let's collect our system data.

  1. Download and extract the script file Get-ADCMComparison.ps1.
    • Download from below, or get the ps1 directly from GitHub
  2. Load the functions:
    . Get-ADCMComparison.ps1
  3. Execute the script with the following:
    Export-ADCMComparison -SiteServer -CMSite SS1 -CSVPath C:\Shared\Computers.csv
  4. Or add a date to the csv file name:
    Export-ADCMComparison -SiteServer -CMSite SS1 -CSVPath C:\Shared\Computers_$(get-date -Format yyyyMMdd).csv

Let that cook for a while.  Depending on the size of your environment, this could take a while to complete.  But, once it is done, open your CSV in Excel and enjoy your discoveries!   Be wary, such a report may generate work for you, or someone else.  :-)

File Attachments


This didn't work right for me. It pulled about 11k machines from AD but the report said 5k of those were FALSE for "InConfigMgr". I spot-checked a few of them and found they did have clients and were active.

Interesting.. I'll have to look into this further.  The largest environment I have run this against has about 5K machines.

In the meantime, try this on your primary site server and see how many clients you get.

Get-WmiObject -Namespace "ROOT\SMS\site_AAA" -Query "select distinct SMS_R_System.Name, SMS_R_System.Client, SMS_G_System_CH_ClientSummary.LastPolicyRequest from  SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId" | select -Property @{Name='Name'; Expression={$_.SMS_R_System.Name}},@{Name='Client'; Expression={$_.SMS_R_System.Client}},@{Name='LastPolicyRequest'; Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.SMS_G_System_CH_ClientSummary.LastPolicyRequest)}}|measure

Replace AAA with your site code.  See what it returns for a count.


This script would be invaluable to us but unfortunately when I run it it eventually results in a Get-WmiObject : Quota violation error.  The CSV is exported but quite a few of the entries in the CSV are incorrect (e..g in correctly stating that the CM Agent is FALSE when in fact it is TRUE).

I did try to increase the quota using wbemtest (I doubled the HandlesPerHost and MemoryPerHost) in the __ProviderHostQuotaConfiguration=@ under Enum Instances.

Get-WmiObject : Quota violation error

Our AD environment is approximately 6500 computer objects and our CM environment is approximately 5500 computers.

I tried running this script on the Primary Site Server (running Windows Server 2012 R2 with 96GB of RAM) and on a Windows 10 Build 1909 Enterprise computer with 16GB.   

Both attempts result in the same Get-WmiObject : Quota violation error.

Any ideas on how to ensure the script runs without error?


I also tried the other script you provided in the comments and I also get the same Quota Violation error.  It does says Count 5302.



Add new comment

The content of this field is kept private and will not be shown publicly.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.