Skip to main content

Overview

Enumerate user accounts in SCCM database. This command provides comprehensive user intelligence including domain accounts, login patterns, and user-device relationships.

Syntax

SharpSCCM get users [options]

Parameters

sms-provider
string
The IP address, FQDN, or NetBIOS name of the SMS Provider to connect to
site-code
string
The three-character site code (e.g., “PS1”)
name
string
Filter users by name pattern (supports partial matching)
properties
string
Specify properties to retrieve (can be used multiple times)
where-condition
string
Custom WQL WHERE clause for advanced filtering
count
boolean
Return count of results only
verbose
boolean
Display all user properties

Examples

# List all users
SharpSCCM get users -sms SCCM01.corp.local -sc PS1

# Count total users
SharpSCCM get users -c -sms SCCM01.corp.local -sc PS1

Key Properties

PropertyDescriptionUse Case
UniqueUserNameDomain\username formatPrimary identifier
NameDisplay nameUser identification
DomainActive Directory domainDomain analysis
IsActiveAccount statusActive user filtering
LastLogonTimestampLast logon timeActivity analysis
ResourceIDUnique SCCM identifierCross-referencing

Required Permissions

SMS Admins local group membership on the SMS Provider server

Intelligence Gathering

High-Value Targets:
UniqueUserName LIKE '%admin%'
UniqueUserName LIKE '%administrator%'
Name LIKE '%admin%'
Service Accounts:
UniqueUserName LIKE '%svc%'
UniqueUserName LIKE '%service%'
Name LIKE '%service%'
Naming Conventions:
  • Administrative accounts: admin, administrator prefixes
  • Service accounts: svc-, service- prefixes
  • Personal accounts: firstname.lastname format
  • Shared accounts: shared-, team- prefixes
Domain Analysis:
  • Multiple domains indicate complex environments
  • Domain trust relationships
  • Cross-domain user access patterns

Common Queries

IsActive = True

Use Cases

High-Privilege Users:
  • Domain administrators and privileged accounts
  • Service accounts with elevated permissions
  • Shared administrative accounts
User Activity Analysis:
  • Login patterns and frequency
  • Account usage patterns
  • Dormant or inactive accounts
Credential Targeting:
  • Focus on administrative and service accounts
  • Identify high-value user targets
  • Map user privilege relationships
Lateral Movement:
  • User-device relationship mapping
  • Cross-domain access patterns
  • Service account abuse opportunities