get admins

Overview

Enumerate SCCM administrators and their security role assignments. This provides insight into the administrative structure and potential privilege escalation paths within the SCCM environment.

Syntax

SharpSCCM get admins [options]

Parameters

sms-provider

string

The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to

site-code

string

The three-character site code (e.g., “PS1”)

name

string

Filter administrators by name pattern (supports partial matching)

properties

string

Specify properties to retrieve (can be used multiple times)

where-condition

string

Custom WQL WHERE clause for advanced filtering

count

boolean

Return count of results only

verbose

boolean

Display all administrator properties

Examples

# List all SCCM administrators
SharpSCCM get admins -sms SCCM01.corp.local -sc PS1

# Count total administrators
SharpSCCM get admins -c -sms SCCM01.corp.local -sc PS1

Key Properties

Property	Description	Example
`LogonName`	Domain account name	CORP\sccmadmin
`RoleNames`	Assigned SCCM security roles	Full Administrator, Application Administrator
`DisplayName`	Friendly display name	SCCM Administrator
`AdminSid`	Security identifier	S-1-5-21-…
`SourceSite`	Site where admin is defined	PS1
`AccountType`	Account type	0 (User), 1 (Group)
`CreatedDate`	Account creation date	2023-01-15
`LastModifiedDate`	Last modification date	2023-06-20

Required Permissions

SMS Admins local group membership on the SMS Provider server

Security Role Analysis

High-Privilege Roles

Full Administrator:

Complete SCCM control and access
All permissions across all objects
Highest privilege level

Infrastructure Administrator:

Site and system management
Site server configuration
Distribution point management
SQL Server access often required

Application Administrator:

Application deployment control
Package and program management
Software library access

Specialized Roles

Operating System Deployment Manager:

OS deployment and imaging
Boot image management
Task sequence creation
Often requires domain admin rights

Software Update Manager:

Software update deployment
Update group management
WSUS integration

Security Administrator:

Security role management
Administrative user creation
Permission boundary control

Attack Vector Analysis

Privilege Escalation Paths

Target High-Privilege Administrators:

Full Administrators for complete SCCM control
Infrastructure Administrators for site access
Application Administrators for deployment abuse

Role-Based Attacks:

Compromise admin accounts for role inheritance
Exploit role permissions for lateral movement
Abuse deployment capabilities for code execution

Administrative Scope

Account Types:

User accounts (AccountType = 0): Individual administrator access
Group accounts (AccountType = 1): Inherited group permissions

Targeting Strategies:

Individual accounts for direct compromise
Group accounts for broader access
Service accounts for persistent access

Intelligence Gathering

Administrative Structure

Administrator enumeration reveals:

Organizational hierarchy and responsibilities
Administrative boundaries and delegation
Service account usage patterns
Group-based administration models

Account Analysis

Naming Patterns:

Service accounts: svc_sccm, sccmservice
Administrative accounts: sccmadmin, admin_sccm
Personal accounts: firstname.lastname
Shared accounts: shared_admin, team_admin

Creation Dates:

Recent accounts may indicate changes
Old accounts may have accumulated privileges
Bulk creation may indicate automation

Common Queries

RoleNames LIKE '%Full Administrator%'

Operational Use Cases

Target Identification

High-Value Targets:

Full Administrators for complete access
Infrastructure Administrators for site control
Recently created accounts for weak passwords
Service accounts for persistence

Privilege Mapping

Administrative Relationships:

Map role assignments to understand privileges
Identify overlapping administrative access
Find potential privilege escalation paths
Understand administrative boundaries

Attack Planning

Credential Targeting:

Focus on high-privilege accounts
Target accounts with broad role assignments
Identify shared or service accounts
Find accounts with infrastructure access

Output Analysis

Role Distribution

Common role assignments:

Multiple roles: Users with several role assignments
Broad permissions: Full Administrator assignments
Specialized access: Single-purpose role assignments
Group inheritance: Permissions via group membership

Account Patterns

Administrative patterns indicate:

Centralized administration: Few high-privilege accounts
Distributed administration: Many specialized accounts
Service automation: Dedicated service accounts
Group-based access: Role assignment via groups

get devices - Find devices used by administrators
get collections - Analyze administrative collections
get site-push-settings - Identify client push accounts
local user-sid - Get current user’s administrative context

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

Overview

Syntax

Parameters

Examples

Key Properties

Required Permissions

Security Role Analysis

Attack Vector Analysis

Intelligence Gathering

Common Queries

Operational Use Cases

Output Analysis

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

​Overview

​Syntax

​Parameters

​Examples

​Key Properties

​Required Permissions

​Security Role Analysis

​Attack Vector Analysis

​Intelligence Gathering

​Common Queries

​Operational Use Cases

​Output Analysis

​Related Commands

Overview

Syntax

Parameters

Examples

Key Properties

Required Permissions

Security Role Analysis

Attack Vector Analysis

Intelligence Gathering

Common Queries

Operational Use Cases

Output Analysis

Related Commands