Converting SCCM 2012 custom reports to use RBAC. 

In SCCM 2007 we had many custom reports that were needed by different people. Often it was the same report, with just one parameter differing, so it was displaying information user needed, but nothing more. For example administrators in different countries were only able to see reports about computers in countries they were responsible for, but not others.

Now in our company this quickly meant over 200 reports. in fact it was just 8 or 10 reports, differing in names, one filter value and permissions on them.

With upgrade to SCCM 2012 i thought it would be a good time to update our reports as well. And since SCCM 2012 enables us to use RBAC, I gave it a go. Firstly you have to set permissions for users. I will explain how to do this in another post. For now let’s just say that users have permissions correctly assigned to them.

If you are creating new report, rather than reusing old ones, you can skip first couple of steps and just open Report Builder. Continue reading


Powershell to sanitize GPO

Quick ways to sanitize GPOs with Powershell.

Did you ever wonder how many GPOs do you have that do not have any links?


Or if there are any users that were assigned Security Filterings on GPO, but have since been deleted?




Here is are two quick “scripts”, that will find you just that, so you can further investigate and “sanitize” your Group Policy Objects.

# Get all GPO that are not linked to anything
Get-GPOReport -all -ReportType xml | %{([xml]$_).gpo | select name,@{n="SOMName";e={$_.LinksTo | % {$_.SOMName}}},@{n="SOMPath";e={$_.LinksTo | %{$_.SOMPath}}} | % {if($_.SOMPath -eq $null){$_}}}

# Get all GPO objects, that have permissions set to deleted users (No DisplayName, just SID)
$gpo = Get-GPO -all; $gpoo =@();$gpo | % {$aa = $_;$_| get-gppermissions -all | %{ if($ -eq $null){if($gp.contains($aa.DisplayName)){} else{$gp += $aa.DisplayName} } }}; $gp