Overview
Map device-to-user relationships by analyzing primary user assignments. This command reveals which users are primarily associated with specific devices, providing valuable intelligence for targeting and lateral movement planning.
Syntax
SharpSCCM get primary-users [options]
Parameters
The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to
The three-character site code (e.g., “PS1”)
Filter by specific user (supports partial matching)
Filter by specific device name
Specify properties to retrieve (can be used multiple times)
Custom WQL WHERE clause for advanced filtering
Return count of results only
Display all relationship properties
Examples
Basic Usage
# List all primary user relationships
SharpSCCM get primary-users -sms SCCM01.corp.local -sc PS1
# Count total relationships
SharpSCCM get primary-users -c -sms SCCM01.corp.local -sc PS1
Key Properties
| Property | Description | Use Case |
| --- | --- | --- |
| UniqueUserName | Domain\username | User identification |
| ResourceName | Device name | Device identification |
| ResourceID | Device resource ID | Cross-referencing |
| UserResourceID | User resource ID | User cross-referencing |
| IsActive | Relationship status | Active mapping verification |
| CreationDate | Relationship creation | Timeline analysis |
| Sources | Relationship sources | Trust level assessment |
Required Permissions
SMS Admins local group membership on the SMS Provider server
Relationship Analysis
Automatic Detection:
User Device Affinity (UDA) based on logon frequency
Usage patterns and session duration
Windows logon events and activity
Manual Assignment:
Administrative assignment
Help desk assignments
Self-service assignments
Configuration Manager Sources:
Exchange Server connector
Active Directory integration
Third-party connectors
High Confidence:
Multiple source confirmations
Long-term usage patterns
Administrative verification
Medium Confidence:
Single source detection
Recent relationship establishment
Automated detection only
Low Confidence:
Temporary assignments
Shared device usage
Conflicting sources
Intelligence Gathering
High-Value Relationships:
# Admin user devices
SharpSCCM get primary-users -u "admin" -sms SCCM01.corp.local -sc PS1
# Service account devices
SharpSCCM get primary-users -u "svc" -sms SCCM01.corp.local -sc PS1
# Privileged user workstations
SharpSCCM get primary-users -w "UniqueUserName LIKE '%administrator%'" -sms SCCM01.corp.local -sc PS1
Infrastructure Analysis:
# Server primary users
SharpSCCM get primary-users -d "SRV" -sms SCCM01.corp.local -sc PS1
# Domain controller relationships
SharpSCCM get primary-users -d "DC" -sms SCCM01.corp.local -sc PS1
Credential Targeting:
Identify devices used by high-privilege users
Map service account usage patterns
Find administrative workstations
Lateral Movement:
User-device relationship exploitation
Cross-device credential reuse
Privilege escalation paths
Use Cases
High-Privilege Users:
Administrative account workstations
Service account device assignments
Privileged user system access
Device Ownership:
Personal vs shared device identification
Administrative device assignments
Service account system usage
Lateral Movement Planning
User Path Mapping:
Track user access across devices
Identify cross-system relationships
Map administrative boundaries
Credential Harvesting:
Target devices with high-value users
Focus on administrative workstations
Identify credential reuse patterns
Common Queries
Administrative Users
UniqueUserName LIKE '%admin%' OR UniqueUserName LIKE '%administrator%'
Output Analysis
One-to-One:
Personal workstations and laptops
Dedicated administrative systems
Individual user assignments
One-to-Many:
Users with multiple devices
Administrative access across systems
Service account system usage
Many-to-One:
Shared workstations
Terminal servers
Kiosk systems
High-Value Targets:
Administrative user workstations
Service account assigned systems
Multi-device administrative access
Risk Indicators:
Privileged users on multiple devices
Service accounts with device assignments
Administrative access patterns
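Seen from the monitoring side, every invocation on this page carries the `get primary-users` argument pair followed by options such as `-sms`, `-sc`, `-u`, `-d` and `-w`, and that pattern can be matched in process-creation telemetry whatever the binary is called. The following detection sketch is an added example, not part of SharpSCCM or its documentation; the event field names follow Sysmon Event ID 1, and the hint lists, host names, accounts and sample events are constructed assumptions.

```python
import re

# Option spellings as they appear in this page's examples.
VALUE_OPTS = {"-sms": "sms_provider", "-sc": "site_code",
              "-u": "user", "-d": "device", "-w": "where"}
# Assumed hint lists, seeded from the filters shown on this page; tune locally.
USER_HINTS, DEVICE_HINTS = ("admin", "svc"), ("dc", "srv")

def parse_primary_users(cmdline):
    """Return parsed options if cmdline runs 'get primary-users', else None."""
    # Split on whitespace, keeping double-quoted arguments together.
    tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    low = [t.lower() for t in tokens]
    # Key on the argument pair, not the image name, so a renamed binary matches.
    start = next((i for i in range(len(low) - 1)
                  if low[i:i + 2] == ["get", "primary-users"]), None)
    if start is None:
        return None
    opts, it = {"count_only": False}, iter(tokens[start + 2:])
    for tok in it:
        key = tok.lower()
        if key == "-c":
            opts["count_only"] = True
        elif key in VALUE_OPTS:
            opts[VALUE_OPTS[key]] = next(it, "")
    return opts

def triage(event):
    """Turn one process-creation event into an alert dict, or None."""
    opts = parse_primary_users(event["CommandLine"])
    if opts is None:
        return None
    users = (opts.get("user", "") + " " + opts.get("where", "")).lower()
    device = opts.get("device", "").lower()
    targeted = any(h in users for h in USER_HINTS) or any(h in device for h in DEVICE_HINTS)
    return {"host": event["Computer"], "account": event["User"],
            "severity": "high" if targeted else "medium", **opts}

def alerts(events):
    return [a for a in map(triage, events) if a]

# Constructed sample events (not captured from a real system).
EVENTS = [
    {"Computer": "WS042", "User": r"CORP\jdoe", "CommandLine":
     r'C:\Temp\update.exe get primary-users -u "admin" -sms SCCM01.corp.local -sc PS1'},
    {"Computer": "WS042", "User": r"CORP\jdoe", "CommandLine":
     "SharpSCCM.exe get primary-users -c -sms SCCM01.corp.local -sc PS1"},
    {"Computer": "WS007", "User": r"CORP\amy", "CommandLine": "powershell.exe Get-Service CcmExec"},
]

if __name__ == "__main__": print(alerts(EVENTS))
```

Command-line matching only covers hosts that log process creation with arguments, so pair it with access auditing on the SMS Provider itself, where the Required Permissions above limit who can run the query.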