Local Group Overview
The local group overview interface is part of the AD module in SoftwareCentral and gives an overview of which programs have been installed and/or uninstalled during the membership of the local group.
The interface will also show some selected event viewer events, which can indicate that the user has made security changes to the computer. Some of these events can be reverted from this interface.
This function was released with SoftwareCentral 5.7.0, and therefore all functionality will only work for local group jobs that have started after the installation of 5.7.0. The system will gather the following information:
· Event viewer events
· Installed programs
· Uninstalled programs
For jobs that were already completed, or started but not yet completed, the following information will be available:
Completed before 5.7.0:
For completed jobs, SoftwareCentral will look in the Event Viewer on the computer, if it is online, and check whether there are any events between the start and end of the local group membership period. These events will be stored, so they can be reverted if possible.
SoftwareCentral will also check which programs have been installed on the computer on the day(s) that the user has been a member of the group. NOTE: Since there is only an install date and not a specific time, the user might not have installed the program.
Jobs started but not completed:
For a job where the job to add the user was executed before the installation of 5.7.0, most of the same information is available as for jobs completed before 5.7.0, but in this case all information is stored when the users are removed from the group.
Information from these jobs will also be present in the statistical interface, without the need to open the interface containing the information regarding this job.
The main interface will show all local group jobs within a specific time frame. Note that it is the start time that is used for this search. To find a specific job, use the search bar, which searches in the computer name, username or group name.
More information regarding the service job can be found by right-clicking the header inside the grid and selecting additional columns.
When a local group job overview is opened, the following interface is shown. Here you find general information about the job, a list of event viewer events, add/remove program changes, and a change log.
If the job is completed, the information is collected from the database. If the job isn’t completed yet, the information is live data from the computer, so the computer needs to be online.
Turn on computer:
If the computer is offline, a Wake-on-LAN request can be sent to the machine by clicking the red dot. This will send the request and, after 30 seconds, try to ping the computer again.
Overdue jobs and canceled jobs.
If the local group job is overdue, the end time status turns red, and the tooltip will state for how much extra time the user has been a member of the local group.
All jobs that aren’t completed yet can be stopped directly from this interface by clicking the “user isn’t removed yet” link. This will send a request to the server and execute the remove user job.
The SoftwareCentral local group overview tracks the following events, listed here by subcategory.
· Registry
o 4657 A registry value was modified
o 4660 An object was deleted
· User Account Management
o 4720 A user account was created
o 4722 A user account was enabled
o 4723 An attempt was made to change an account's password
o 4724 An attempt was made to reset an account's password
o 4725 A user account was disabled
o 4726 A user account was deleted
o 4738 A user account was changed
o 4740 A user account was locked out
o 4767 A user account was unlocked
o 4781 The name of an account was changed
· Computer Account Management
o 4741 A computer account was created
o 4742 A computer account was changed
o 4743 A computer account was deleted
· Security Group Management
o 4727 A security-enabled global group was created
o 4728 A member was added to a security-enabled global group
o 4729 A member was removed from a security-enabled global group
o 4730 A security-enabled global group was deleted
o 4731 A security-enabled local group was created
o 4732 A member was added to a security-enabled local group
o 4733 A member was removed from a security-enabled local group
o 4734 A security-enabled local group was deleted
o 4735 A security-enabled local group was changed
o 4737 A security-enabled global group was changed
o 4754 A security-enabled universal group was created
o 4755 A security-enabled universal group was changed
o 4756 A member was added to a security-enabled universal group
o 4757 A member was removed from a security-enabled universal group
o 4758 A security-enabled universal group was deleted
o 4764 A group's type was changed
· Distribution Group Management
o 4744 A security-disabled local group was created
o 4745 A security-disabled local group was changed
o 4746 A member was added to a security-disabled local group
o 4747 A member was removed from a security-disabled local group
o 4748 A security-disabled local group was deleted
o 4749 A security-disabled global group was created
o 4750 A security-disabled global group was changed
o 4751 A member was added to a security-disabled global group
o 4752 A member was removed from a security-disabled global group
o 4753 A security-disabled global group was deleted
o 4759 A security-disabled universal group was created
o 4760 A security-disabled universal group was changed
o 4761 A member was added to a security-disabled universal group
o 4762 A member was removed from a security-disabled universal group
o 4763 A security-disabled universal group was deleted
Each event will show a short description and the timestamp in the grid, but the full detailed description from the event viewer can be found in the tooltip of the short description.
Revert Event:
SoftwareCentral can revert the following events from the event viewer, but only if the computer is online: 4722, 4725, 4727, 4728, 4729, 4732, 4733, 4746, 4747, 4749, 4751, 4752, 4754, 4756, 4757, 4759, 4761, 4762, 4781.
This is done by clicking the revert event link. This will open a new window, where the user must confirm that the changes are to be made.
The user can add a reason why the event is reverted; this reason will be visible in the change log. The change log will always contain a message when a user tries to revert any events.
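To cross-check what the overview shows for a membership period, the same Security log events can be queried directly on the computer. The script below is an added example, not SoftwareCentral code; the parameter names and the default time window are assumptions, and it only reads events, it does not revert anything.

```powershell
# Added example, not SoftwareCentral code. Parameter names and defaults are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Start = (Get-Date).AddHours(-4),   # constructed membership start
    [datetime]$End   = (Get-Date)                 # constructed membership end
)

# Event IDs this page lists as tracked, and the subset it lists as revertible.
$tracked    = @(4657, 4660, 4720) + (4722..4735) + @(4737, 4738) + (4740..4764) + @(4767, 4781)
$revertible = @(4722, 4725, 4727, 4728, 4729, 4732, 4733, 4746, 4747, 4749,
                4751, 4752, 4754, 4756, 4757, 4759, 4761, 4762, 4781)

# The event log expects UTC timestamps in the XPath time filter.
$from = $Start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$to   = $End.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# One ID range keeps the query short; the exact ID set is applied afterwards.
$xpath = "*[System[(EventID=4657 or EventID=4660 or " +
         "(EventID>=4720 and EventID<=4767) or EventID=4781) and " +
         "TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']]]"

# SilentlyContinue also hides the "no events were found" error for an empty window.
$events = @(Get-WinEvent -ComputerName $ComputerName -LogName Security `
                -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Where-Object { $tracked -contains $_.Id })

# Per-event view: timestamp, ID, revertible or not, first line of the description.
$events | Sort-Object TimeCreated | Select-Object TimeCreated, Id,
    @{ Name = 'Revertible'; Expression = { $revertible -contains $_.Id } },
    @{ Name = 'Summary';    Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Statistic view: how many times each event occurred in the window.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Reading the Security log requires administrative rights on the target computer. The events are only written if the matching audit policy subcategories are enabled there, so an empty result does not prove that no changes were made.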
In the add/remove program tab, a list of all changes made to the computer's add/remove program list can be found. This information is gathered from the computer's WMI and does not record who installed and/or uninstalled the programs. So any programs installed by SCCM during this period will also be visible in this list.
SoftwareCentral keeps statistics over event viewer events and add/remove program changes. Both statistic windows are found in the main interface.
In the add/remove program statistic, all program changes are listed with the action type and the count of how many times the program has been installed or uninstalled.
In the event viewer statistic, a list of all events can be found, along with how many times each has occurred during a local group membership period.
From the Statistics window, you can also locate users who have performed a specific action. You can, for instance, find all users who have added a new local user.