Compare AD Computers to CM Computers

Posted by PaulW on Sat, 06/29/2019 - 04:00pm

This comes up all the time: I want to know whether anything in AD is not listed in CM, whether it has a client, and so on.  If you work for an organization that is blessed with excellent asset management, you could compare CM directly against your CMDB.  But, as it turns out, not everyone is this blessed.  The reality is that you really should compare everything in AD to everything in CM.  If it's a domain-joined computer, you'll probably want to know whether or not it is being managed by CM.

I wrote this script that collects the following data from AD and CM:

Active Directory

  • Computer Name
  • Operating System (OperatingSystem)
  • Last Logon (LastLogon)
  • Password Last Set (PasswordLastSet)
  • Canonical Name (CanonicalName)
  • Organizational Unit (OrgUnit)

Configuration Manager

  • InConfigMgr (Is the computer in ConfigMgr by name?)
  • CMClient (Does the computer have a CM Client installed?)
  • LastPolicyRequest (the last time the computer has requested policy from CM)

 

Executing the Script

So, let's collect our system data.

  1. Download and extract the script file Get-ADCMComparison.ps1.
    • Download from below, or get the ps1 directly from GitHub
  2. Load the functions:
    . .\Get-ADCMComparison.ps1
  3. Execute the script with the following:
    Export-ADCMComparison -SiteServer CM01.domain.com -CMSite SS1 -CSVPath C:\Shared\Computers.csv
  4. Or add a date to the csv file name:
    Export-ADCMComparison -SiteServer CM01.domain.com -CMSite SS1 -CSVPath C:\Shared\Computers_$(get-date -Format yyyyMMdd).csv

Let that cook for a while.  Depending on the size of your environment, this could take a while to complete.  But, once it is done, open your CSV in Excel and enjoy your discoveries!   Be wary, such a report may generate work for you, or someone else.  :-)
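One way to triage the exported CSV from a script instead of Excel, as an added example that is not part of Get-ADCMComparison.ps1: it flags machines that look active in AD but are missing from CM, have no client, or have a client that has stopped requesting policy. The `Name` column header, the TRUE/1 value formats, the date format, the thresholds and the helper names `ConvertTo-DateOrNull` and `Get-ADCMGap` are assumptions, and the sample rows are constructed.

```powershell
# Constructed sample rows; in practice use: $rows = Import-Csv C:\Shared\Computers.csv
# Assumed headers: Name plus the property names listed in the post.
$rows = @'
Name,OperatingSystem,LastLogon,PasswordLastSet,CanonicalName,OrgUnit,InConfigMgr,CMClient,LastPolicyRequest
WS001,Windows 10 Enterprise,2019-06-27 08:12:00,2019-06-20 09:00:00,domain.com/Workstations/WS001,Workstations,TRUE,1,2019-06-28 07:55:00
WS002,Windows 10 Enterprise,2019-06-26 10:30:00,2019-06-15 11:00:00,domain.com/Workstations/WS002,Workstations,FALSE,,
SRV010,Windows Server 2016 Standard,2019-06-28 01:00:00,2019-06-10 02:00:00,domain.com/Servers/SRV010,Servers,TRUE,0,
WS003,Windows 7 Professional,2018-01-05 09:00:00,2018-01-02 09:00:00,domain.com/Workstations/WS003,Workstations,FALSE,,
WS004,Windows 10 Enterprise,2019-06-25 09:00:00,2019-06-01 09:00:00,domain.com/Workstations/WS004,Workstations,TRUE,1,2019-03-01 06:00:00
'@ | ConvertFrom-Csv

# Hypothetical helper: parse a CSV date cell, returning $null for blank or unparsable text.
function ConvertTo-DateOrNull([string]$Text) {
    $d = [datetime]::MinValue
    $ok = [datetime]::TryParse($Text, [cultureinfo]::InvariantCulture,
                               [Globalization.DateTimeStyles]::None, [ref]$d)
    if ($ok) { $d } else { $null }
}

# Hypothetical helper: emit one finding per computer that needs attention.
function Get-ADCMGap {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [datetime]$AsOf = (Get-Date),
        [int]$ActiveDays = 45,   # assumed: AD activity within this window means "in use"
        [int]$PolicyDays = 30    # assumed: no policy request for this long means "silent"
    )
    foreach ($r in $Rows) {
        # Most recent sign of life in AD (later of LastLogon and PasswordLastSet).
        $seen = (ConvertTo-DateOrNull $r.LastLogon), (ConvertTo-DateOrNull $r.PasswordLastSet) |
            Where-Object { $_ } | Sort-Object | Select-Object -Last 1
        $active = $seen -and (($AsOf - $seen).TotalDays -le $ActiveDays)
        $inCM   = $r.InConfigMgr -eq 'TRUE'
        $client = $r.CMClient -in '1', 'TRUE'
        $policy = ConvertTo-DateOrNull $r.LastPolicyRequest

        $finding =
            if (-not $inCM -and $active)     { 'Unmanaged' }      # live in AD, unknown to CM
            elseif (-not $inCM)              { 'StaleADObject' }  # cleanup candidate in AD
            elseif (-not $client -and $active) { 'NoClient' }     # discovered, no agent
            elseif ($client -and (-not $policy -or ($AsOf - $policy).TotalDays -gt $PolicyDays)) { 'ClientSilent' }
        if ($finding) {
            [pscustomobject]@{ Name = $r.Name; Finding = $finding; OrgUnit = $r.OrgUnit
                               LastSeenAD = $seen; LastPolicyRequest = $policy }
        }
    }
}

Get-ADCMGap -Rows $rows -AsOf ([datetime]'2019-06-29') | Sort-Object Finding, Name | Format-Table -AutoSize
```

Drop the `-AsOf` argument to measure against the current date when running this on a fresh export.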

File Attachments

Comments

This didn't work right for me. It pulled about 11k machines from AD but the report said 5k of those were FALSE for "InConfigMgr". I spot-checked a few of them and found they did have clients and were active.

Interesting.. I'll have to look into this further.  The largest environment I have run this against has about 5K machines.

In the meantime, try this on your primary site server and see how many clients you get.

Get-WmiObject -Namespace "ROOT\SMS\site_AAA" -Query "select distinct SMS_R_System.Name, SMS_R_System.Client, SMS_G_System_CH_ClientSummary.LastPolicyRequest from SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId" |
    select -Property @{Name='Name'; Expression={$_.SMS_R_System.Name}},
        @{Name='Client'; Expression={$_.SMS_R_System.Client}},
        @{Name='LastPolicyRequest'; Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.SMS_G_System_CH_ClientSummary.LastPolicyRequest)}} |
    measure
 

Replace AAA with your site code.  See what it returns for a count.
