All Members of All Local Groups inventory for ConfigMgr 2012

Report on all users in all local groups using Configuration Manager 2012

This is an update to , which was written with ConfigMgr 2007 in mind.

01/09/2017: Updated the mof for import with an additional ,key field; per a recommendation from Adam MacMurray, thanks Adam!

Basically, take the attached file--> WMI Framework for Local Groups with Logging <--, and in your ConfigMgr 12 console, on Assets and Compliance, Compliance Settings, right-click on "Configuration Baseline" and Import Configuration Data... the .cab file.

Once imported, Deploy the Baseline to an appropriate collection.  I recommend potentially two different deployments:  one to all Workstations, and one to all Member Servers.  I.e., don't even try to target your domain controllers.  The script is meant to skip a DC if it's attempted, but it's probably best not to tempt fate.

If this is the first time you've tried to get localgroupmembers, to get the information back, you'll need a custom hardware inventory import.  If you've already cm_localgroupmembers in your hardware inventory rules, skip this.

Save the below as "localgroupmembers.mof"

#pragma deleteclass ("LocalGroupMembers",NOFAIL)
[ SMS_Report     (TRUE),
  SMS_Group_Name ("LocalGroupMembers"),
  SMS_Class_ID   ("LocalGroupMembers") ]
class cm_LocalGroupMembers : SMS_Class_Template
    [SMS_Report (TRUE), key ] string Account;
    [SMS_Report (TRUE)      ] string Category;
    [SMS_Report (TRUE), key ] string Domain;
    [SMS_Report (TRUE), key ] string Name;
    [SMS_Report (TRUE)      ] string Type;

Then, in your console, Administration, Client Settings, right-click 'Default Client Settings', and go to properties.  Select Hardware Inventory, then on the right "Set Classes...", then "Import..."  and browse to the 'localgroupmembers.mof' file you saved.

A couple of OKs, later... then it's just sit and wait.  Remember, patience is a virtue.  Go get some lunch or a coffee break or something.  <grin>

If you want to confirm that the DCM is actually running, there's two ways.

  1. on a client, in root\cimv2, check if cm_localgroupmembers actually created and populated?
  2. The script inside the .cab file is different slightly from the one on the 2010 blog entry.  It includes a log file which will drop into the SYSTEM's temp folder, which is almost always %windir%\temp.  If it ran (or attempted to run) you should get a log file called "SCCMLocalGroupMembers.log".  If having it drop a log file is bothersome for some reason (it may be--it depends upon you own company's practices) open the ConfigItem, copy out the script, and edit it so that it no longer drops a log file.  test and put it back.  Remember, CI's are versions now; so if you mess up you can always go back to an older version.
  3. "In general" the view will end up being v_gs_localgroupmembers0 ; so a select * from v_gs_localgroupmembers0 against your ConfigMgr Database should let you know if it's being populated.  But there are of course exceptions to every rule.  you may have to browse through your views in your database to find the view if it's not that specific one.

Shameless plugs so that this blog post filters up to the top on web searches:

How to get the users in the local Administrators group
Local Administrators group on workstations getting the accounts inside
How do I get the accounts inside the local Administrators group

There? did I miss some key words? 

Love Client Center for Configuration Manager but don't have internet access to use the Click Once version?  Don't despair, there's a browser version you can host internally on your own web server. Caveats are you won't benefit from immediate updates to the code--you'll have to remember to check and download updates, and update your local web version when updates happen.

Instructions on how I set up the intranet version.  Note these instructions are using IIS hosted on a Server 2008 R2 server.

  1. Go to, and download "Client Center for CM12 (Browser Version)" [note the date will change--the screen shot just happens to be the date of the beta release when I took a screen shot] 
  2. On your designated Server 2008 R2 server, which already has IIS installed (in this example), let's call it "TheServer.MyDomain.Local", extract the contents of to a folder you created called  c:\IIS\ClientCenter.  [Again, ignore the dates in the screen shot] 
  3. In Server Manager, IIS, right-click Default Web Site and Add a Virtual Directory, Alias is "ClientCenter" and Physical Path is (in our example)  c:\iis\ClientCenter, OK 
  4. Double-click Default Document, click Add... and type in SCCMCliCtrWPF.xbap, OK.  It should be a Local Entry Type 

  5. Double-click back to "ClientCenter", and then Double-click "Request Filtering".  
    1. Find the entry for .config ; it is likely listed as False.  Highlight and Delete that.  
    2. On the Right, click "Allow File Name Extension..." and input .config  and click OK.


At this point, the web site is configured.  To use it, go to http://fqdn.of.that.server/ClientCenter  (in our example, it would be http://TheServer.MyDomain.Local/ClientCenter

Other notes; depending upon your Internet Explorer version and settings, you may need to go into IE settings and either trust that server, and/or change "Download unsigned ActiveX Controls" from Disable to either Prompt or Enable.

Also remember that WinRM is required on the clients themselves in order to use Client Center. WinRM can be enabled either interactively on each client, or you can use a GPO.  Details on both methods are in the online documentation: