tontontools.

Products

Get Primary User And Email From Device

For one or many device names, find the primary users recorded in SCCM and their email addresses from Active Directory. Three input methods (file, paste, SCCM device collection), bulk email copy in one click, CSV export, and live activity log.

Overview

When something needs to happen at the device level — a reboot wave, a forced re-imaging, a security patch with a hard deadline — the question is always the same: who actually uses these machines, and how do we reach them? GPUED answers that question for a list of devices.

Give it a list of device names in any of three forms (file, paste, or SCCM device collection). For each device, it resolves the primary users via SMS_UserMachineRelationship and the email address via Active Directory. Results land in a sortable grid with a one-click "Copy Emails" button that produces a clipboard-ready list — paste straight into Outlook and send.

Three input methods

Import a CSV/TXT file (one device name per line), paste a list copied from Excel or an email, or pick an SCCM device collection and process every member. Each method has its own tab and result grid.

SCCM + Active Directory, no cloud Graph

Queries SMS_UserMachineRelationship via WMI for primary user affinity, and Get-ADUser for mail and displayName. No Microsoft Graph API call, no App Registration required for this tool.

One-click bulk email copy

After the lookup, click Copy Emails and the entire list is in your clipboard, joined with the separator of your choice. Paste into Outlook To/Cc/Bcc — done.

CSV export and CMTrace log

Export the full grid to CSV with configurable separator. Every WMI query and AD lookup is logged to a CMTrace-compatible file for audit and troubleshooting.

Sister tool — bidirectional lookup

GPUED has a mirror tool that walks the same SCCM affinity table in the opposite direction. The two are sold separately and licensed independently, but they share the same architecture and credentials.

ToolInputOutput
Get Primary User And Email From Device (this page)A device nameIts primary user(s) + email
Get Primary Device And Email From User (sister page)A usernameTheir primary device(s) + email

See the Get Primary Device And Email From User documentation for the reverse direction. Mature SCCM teams license both for full coverage.

Prerequisites

RequirementMinimum
Operating systemWindows 10 22H2 or Windows 11 (administrator workstation only)
.NET Framework4.7.2 or later
RSAT — Active Directory PowerShell moduleRequired. The tool calls Get-ADUser to resolve email and displayName. Install via Windows Settings → Apps → Optional Features → RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
SCCM connectivityRPC access (TCP 135 + dynamic high ports) to the SCCM site server. No SCCM console required on the workstation.
AuthenticationCurrent Windows session, via Kerberos. No App Registration, no client secret, no certificate. The signed-in Windows user must have read rights on SCCM and AD.
License tierPro or Enterprise subscription, or active 14-day trial

Required SCCM and AD permissions

GPUED queries three SCCM WMI classes (read-only) and one Active Directory cmdlet. The signed-in Windows user must hold the following effective rights:

  • SCCM — SMS_UserMachineRelationship Read. Typically granted via the built-in "Read-only Analyst" role in the SCCM administrative console, or by adding the user to the local "SMS Admins" group on the site server with a custom role that includes SMS_UserMachineRelationship read.
  • SCCM — SMS_Collection (CollectionType = 2) Read. Same role covers it. Needed only for the "From SCCM Collection" tab.
  • SCCM — SMS_FullCollectionMembership Read. Same role. Needed only for the "From SCCM Collection" tab to enumerate the devices in the chosen collection.
  • Active Directory — Get-ADUser Standard read on user objects. Any authenticated AD account has this by default; explicit grants are only needed if your environment denies it for non-admin users.

Initial configuration

On first launch, GPUED verifies the license, then asks for the SCCM and AD credentials via the standard TontonTools credentials dialog. Credentials are shared across the suite — if you already configured them for another tool on the same workstation and user profile, GPUED picks them up automatically.

The credentials dialog asks for three things specific to GPUED:

FieldExampleNotes
SCCM Site Server (FQDN)cm01.corp.contoso.comPrimary site server hosting the SMS Provider.
Site CodePR13-character site code, visible in the SCCM console.
LDAP path(empty or LDAP://corp.contoso.com)Defaults to the current domain. Override only if you need to query a different AD partition.

The SCCM Auto-detect button in the credentials dialog scans the local registry and WMI for a previously-configured SCCM console; if found, it pre-fills both fields automatically. See the Delete Device Everywhere documentation for the full SCCM auto-detect cascade.

Main features

Tab 1 — Import from File

Browse to a CSV or TXT file with one device name per line. Plain hostnames are expected ("WS-MIL36-042"); FQDN suffixes are tolerated and stripped. Whitespace and blank lines are tolerated. Click Get and the tool processes the list sequentially. The result grid populates row by row — Device Name, Primary User, Email Address, Display Name, Source (SCCM/AD), Status.

Tab 2 — Paste Device List

For ad-hoc lookups: paste a list copied from an Excel column, a ticket comment, or the output of a previous PowerShell query. The text box accepts plain hostnames, one per line. Click Get to process. Results land in a separate grid from Tab 1 — both tabs keep their own results independently.

Tab 3 — From SCCM Device Collection

Click "Pick collection..." to open the Device Collection picker. It queries SMS_Collection via WMI for collections with CollectionType = 2 (device collections), shows them in a searchable list, and returns the chosen collection. The tool then resolves the CollectionID and enumerates members via SMS_FullCollectionMembership — the Name column on this class returns the device hostname directly, which simplifies the workflow compared to user collections.

Tab 4 — Activity Log

A live coloured log of every operation: SteelBlue for informational steps, DarkOrange for warnings (e.g. "no affinity in SCCM"), Red for errors, DarkGreen for success summaries. The on-screen log mirrors the CMTrace file log; the on-screen version is shorter (last few hundred lines) for responsiveness.

The Copy Emails button — the killer feature

Below each result grid, a "📧 Copy Emails" button extracts every successfully resolved email address from the rows, joins them with the separator picked in the adjacent drop-down (semicolon by default, also comma or newline), and copies the result to the clipboard. Paste it directly into Outlook (To, Cc, Bcc) and you have a bulk announcement to every user whose devices match your criteria.

Common use case: "we need to reboot every workstation in the QA lab tonight at 22:00 — pick the SCCM collection 'QA-Workstations', Get, Copy Emails, paste in Outlook with the maintenance notice, send." Two minutes instead of two hours.

Rows where the email could not be resolved ("(not found)", "(empty)", or any string starting with parentheses) are automatically excluded from the copy.

CSV export

The Export CSV button writes the current tab's grid to a CSV file with configurable separator (semicolon, comma, or pipe), UTF-8 encoding with BOM for Excel compatibility, and a default file name reflecting the tab source. Export is per-tab — File, Paste, and Collection each have their own button.

Quick-Info strip and row selection

Below each result grid, a quick-info strip displays the currently selected row in large, copy-friendly text: Device, Primary User, Email, Display Name. Useful when you need to copy a single value (the email of one specific user) without scrolling through the whole grid.

Multi-user devices

A single device can have multiple primary users in SCCM (a workstation shared by morning and evening shifts, a manager's laptop also used by their assistant, etc.). GPUED emits one row per primary user — so a single device name in your input may produce two or three rows in the result grid. The Source column ("SCCM") and the row order make this explicit.

CMTrace logging

GPUED writes a CMTrace-compatible log to C:\TEMP\PrimaryUserEmailLookup.log. Every WMI query, AD lookup, and error is recorded with timestamp, executing Windows user, and severity. Open with CMTrace.exe (shipped with SCCM) for coloured real-time viewing. The log is cumulative across sessions — useful for an audit trail spanning multiple campaigns.

License & read-only mode

GPUED follows the TontonTools licensing model: 7-day cache + 7-day offline grace, then read-only mode. In read-only mode, the Get buttons (File, Paste, Collection) are disabled — no SCCM or AD query can be launched. Export CSV and Copy Emails remain active for any results already in the grid from a previous session.

For the full licensing model — Trial mechanics, machine and tenant binding, moving a license between workstations, subscription cancellation behavior — see the Licensing reference.

Typical workflow — a maintenance notification campaign

  1. 1

    Configure credentials once

    Click ⚙ Credentials, fill in the SCCM Site Server FQDN and the Site Code. Use Auto-detect if you have the SCCM console installed locally. LDAP path can stay empty for current-domain queries.

  2. 2

    Pick the right input tab

    For a one-off lookup (one or two devices mentioned in a ticket): Paste. For a recurring batch (devices flagged by a monitoring tool): Import from File. For a targeted campaign (notify everyone whose machine is in a specific business unit collection): From SCCM Device Collection.

  3. 3

    Click Get

    The tool processes the list sequentially, populating the grid row by row. Watch the Activity Log for any "no affinity" or "AD lookup failed" warnings — these surface devices that have no assigned user (shared/kiosk devices, freshly imaged machines).

  4. 4

    Review the grid

    Sort by any column. Click any row to see its full details in the Quick-Info strip below the grid. A single device may produce multiple rows if it has multiple primary users — review each one to decide who to contact.

  5. 5

    Export CSV for the audit trail

    Click Export CSV and save the file. This is your record of who was contacted and which device they were associated with at the time of the campaign.

  6. 6

    Click Copy Emails

    Pick the separator your mail client expects (semicolon for Outlook, comma for Gmail), click Copy Emails, and paste into the To/Cc/Bcc field of your draft. Compose your message and send.

  7. 7

    Keep the CMTrace log

    The cumulative log at C:\TEMP\PrimaryUserEmailLookup.log captures every WMI and AD call. Attach it to your audit record if your governance process requires it.

Limitations and design choices

  • Primary user data comes from SCCM only GPUED queries SMS_UserMachineRelationship — the SCCM user-device affinity table. Intune primary user data and Entra ID device ownership are not consulted. For a tenant that operates Intune without SCCM, GPUED is not the right tool.
  • Email comes from on-premises Active Directory GPUED calls Get-ADUser, which reads the mail attribute on the user object in AD. If your authoritative email is in Entra ID without on-prem sync of the mail attribute, the lookup may return empty values. A future enhancement may add a Graph fallback for email resolution.
  • Active affinities only The WMI query filters on IsActive = 1, so historical or stale affinities are excluded by design. A device that was reassigned six months ago will return only the current primary user, not the historical one.
  • Sequential processing GPUED processes one device at a time. For a list of 500 devices, expect a few minutes of run-time depending on AD responsiveness. The sequential approach keeps the log readable and avoids overwhelming the AD controller with parallel queries.
  • Devices with no primary user Shared, kiosk, conference-room, or freshly-imaged devices typically have no entry in SMS_UserMachineRelationship. They appear in the result grid with "(no affinity in SCCM)" in the Primary User column. For these, use Orphan Device Cleaner to investigate provenance.
  • No deletion or mutation GPUED is strictly read-only on SCCM and AD. It does not delete, modify, reassign, or otherwise change any directory record. For cleanup operations, use the dedicated hygiene tools (DDM, ODC, ODM).

Technical notes

  • SCCM query mechanism GPUED uses Get-WmiObject (PowerShell) rather than direct .NET ManagementObjectSearcher for the SMS_UserMachineRelationship query. Get-WmiObject handles Kerberos cross-domain authentication slightly more robustly in mixed-forest environments.
  • AD query mechanism Get-ADUser is invoked via PowerShell. The tool first imports the ActiveDirectory module silently; if the RSAT module is missing, AD lookups fail gracefully and the rows show "(AD lookup failed)" in the Email column. SCCM resolution still completes.
  • WQL string escaping A subtle but critical detail: in WQL WHERE clauses, special characters inside string literals must be escaped (single quote doubled to two single quotes, etc.). GPUED handles this automatically — collection names containing apostrophes, parentheses, or spaces resolve correctly.
  • Device name normalisation Plain hostnames are expected ("WS-MIL36-042"). If you paste FQDN values ("WS-MIL36-042.corp.contoso.com"), the tool strips the DNS suffix automatically before querying. Case is preserved as-is for the display; WQL comparison is case-insensitive at the SQL Server backend.
  • Credential storage DPAPI-encrypted under the current Windows user profile at %AppData%\TontonTools\credentials.dat — shared across all TontonTools products on the same user account on the same workstation.
  • No telemetry, no agent GPUED runs entirely from the administrator workstation. The only outbound connections are RPC to the SCCM site server, LDAP to the AD domain controllers, and api.lemonsqueezy.com for license validation (at most weekly).

Related documentation