Hi all, I want to be able to audit changes to collections in SCCM (such as when a helpdesk person adds a PC to a colelction for software deployment), I have looked in the Colleval.log file, and used the Status Message Queries, but these only seem to say who made a change and when. I also want to be able to see what the change was, but how do I get that info out of SCCM? Without knowing what the change was, the audit seems pointless. Any help greatly appreciatedJames

Hi,Navigate to Status Messages, Status Messages Queries. here you will find two Audit status message queries. One for the site and for for a specific user. Those will tell you who did what and when.Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products

I don't think that's possible. Because if a collection was changed, the collection query could be a small change, like from "all os type 5.0 to 5.2". That's 1 small character, 0 vs. 2, but the collection query results are drastic.You'd almost have to take snapshots in time of the results of every possible combination of v_fullcollectionmembership, and keep those around for days/weeks, just so you could compare from 10 am to 10:05am.Standardize. Simplify. Automate.

Matthew is right - I have seen the output of what Kent mentioned, but it is simply not enough - with the current output of status message queries I could make a change, and all anyone would know is that a change was made to "Collection A" by "James" - If I want to use auditing to catch who added a specific computer/query rule to a collection, how can I do that? How does the change get flagged/amended in the database? Is is possible to pull this level of detail from the logs, or somewhere in the inboxes folder - SCCM must record what the change is in order to make the update, since the Colleval.log seems to tell us how many changes have occured to a collection? James

This kind of detail is not recorded anywhere that i can think of. The server knows and makes the change it doesn't keep track of what that change was. You would need a snap shot before and after to know what computer was added or what query was modified.http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com