Overview
When an SCCM administrator needs to reach the users behind a list of accounts — for a maintenance notification, a security incident, a hardware refresh wave — the workflow is usually painful: one query for the primary device, another for the email address, copy-paste across PowerShell and the SCCM console, repeat for every user. GPDEU collapses this into a single tool.
Give it a list of usernames in any of three forms (file, paste, or SCCM user collection). For each user, it resolves the primary devices via SMS_UserMachineRelationship and the email address via Active Directory. Results land in a sortable grid with a one-click "Copy Emails" button that produces a clipboard-ready list with the separator of your choice — paste straight into Outlook and send.
Three input methods
Import a CSV/TXT file (one username per line), paste a list copied from Excel or an email, or pick an SCCM user collection and process every member. Each method has its own tab and result grid.
SCCM + Active Directory, no cloud Graph
Queries SMS_UserMachineRelationship via WMI for primary device affinity, and Get-ADUser for mail and displayName. No Microsoft Graph API call, no App Registration required for this tool.
One-click bulk email copy
After the lookup, click Copy Emails and the entire list is in your clipboard, joined with the separator of your choice (semicolon, comma, newline). Paste into Outlook To/Cc/Bcc — done.
CSV export and CMTrace log
Export the full grid to CSV with configurable separator. Every WMI query and AD lookup is logged to a CMTrace-compatible file for audit and troubleshooting.
Sister tool — bidirectional lookup
GPDEU has a mirror tool that walks the same SCCM affinity table in the opposite direction. The two are sold separately and licensed independently, but they share the same architecture and credentials.
| Tool | Input | Output |
|---|---|---|
| Get Primary Device And Email From User (this page) | A username | Their primary device(s) + email |
| Get Primary User And Email From Device (sister page) | A device name | Its primary user(s) + email |
See the Get Primary User And Email From Device documentation for the reverse direction. Mature SCCM teams license both for full coverage.
Prerequisites
| Requirement | Minimum |
|---|---|
| Operating system | Windows 10 22H2 or Windows 11 (administrator workstation only) |
| .NET Framework | 4.7.2 or later |
| RSAT — Active Directory PowerShell module | Required. The tool calls Get-ADUser to resolve email and displayName. Install via Windows Settings → Apps → Optional Features → RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. |
| SCCM connectivity | RPC access (TCP 135 + dynamic high ports) to the SCCM site server. No SCCM console required on the workstation. |
| Authentication | Current Windows session, via Kerberos. No App Registration, no client secret, no certificate. The signed-in Windows user must have read rights on SCCM and AD. |
| License tier | Pro or Enterprise subscription, or active 14-day trial |
Required SCCM and AD permissions
GPDEU queries three SCCM WMI classes (read-only) and one Active Directory cmdlet. The signed-in Windows user must hold the following effective rights:
- SCCM — SMS_UserMachineRelationship: Read. Typically granted via the built-in "Read-only Analyst" role in the SCCM administrative console, or by adding the user to the local "SMS Admins" group on the site server with a custom role that includes SMS_UserMachineRelationship read.
- SCCM — SMS_Collection (CollectionType = 1): Read. Same role covers it. Needed only for the "From SCCM User Collection" tab.
- SCCM — SMS_FullCollectionMembership: Read. Same role. Needed only for the "From SCCM User Collection" tab to enumerate the members of the chosen collection.
- Active Directory — Get-ADUser: Standard read on user objects. Any authenticated AD account has this by default; explicit grants are only needed if your environment denies it for non-admin users.
Initial configuration
On first launch, GPDEU verifies the license, then asks for the SCCM and AD credentials via the standard TontonTools credentials dialog. Credentials are shared across the suite — if you already configured them for another tool on the same workstation and user profile, GPDEU picks them up automatically.
The credentials dialog asks for three things specific to GPDEU:
| Field | Example | Notes |
|---|---|---|
| SCCM Site Server (FQDN) | cm01.corp.contoso.com | Primary site server hosting the SMS Provider. |
| Site Code | PR1 | 3-character site code, visible in the SCCM console. |
| LDAP path | (empty or LDAP://corp.contoso.com) | Defaults to the current domain. Override only if you need to query a different AD partition. |
The SCCM Auto-detect button in the credentials dialog scans the local registry and WMI for a previously-configured SCCM console; if found, it pre-fills both fields automatically. See the Delete Device Everywhere documentation for the full SCCM auto-detect cascade.
Main features
Tab 1 — Import from File
Browse to a CSV or TXT file with one username per line. Accepted formats per line: plain SAM ("dnguyen"), DOMAIN\SAM ("CORP\dnguyen"), or UPN ("dnguyen@corp.contoso.com"). Whitespace and blank lines are tolerated. The tool normalises every entry to "DOMAIN\SAM" uppercase before querying SCCM.
Click Get and the tool processes the list sequentially. The result grid populates row by row — Username, Primary Device, Email Address, Display Name, Source (SCCM/AD), Status. A status bar at the bottom shows the running count.
Tab 2 — Paste User List
For ad-hoc lookups: paste a list copied from an Excel column, an email body, or a ticket comment. The text box accepts any of the same three username formats as the File tab. Click Get to process. Results land in a separate grid from Tab 1 — both tabs keep their own results independently, so you can compare or work in parallel.
Tab 3 — From SCCM User Collection
Click "Pick collection..." to open the User Collection picker. It queries SMS_Collection via WMI for collections with CollectionType = 1 (user collections), shows them in a searchable list, and returns the chosen collection. The tool then resolves the CollectionID and enumerates members via SMS_FullCollectionMembership.
Tab 4 — Activity Log
A live coloured log of every operation: SteelBlue for informational steps, DarkOrange for warnings (e.g. "no affinity in SCCM"), Red for errors, DarkGreen for success summaries. The on-screen log mirrors the CMTrace file log; the on-screen version is shorter (last few hundred lines) for responsiveness.
The Copy Emails button — the killer feature
Below each result grid, a "📧 Copy Emails" button extracts every successfully resolved email address from the rows, joins them with the separator picked in the adjacent drop-down (semicolon by default, also comma or newline), and copies the result to the clipboard. Paste it directly into Outlook (To, Cc, Bcc) and you have a bulk announcement to every user whose devices match your criteria.
Common use case: "we are decommissioning the West Wing on Friday — pick the SCCM collection 'WestWing-Workstations', Get, Copy Emails, paste in Outlook with the warning message, send." Two minutes instead of two hours.
Rows where the email could not be resolved ("(not found)", "(empty)", or any string starting with an opening parenthesis) are automatically excluded from the copy.
CSV export
The Export CSV button writes the current tab's grid to a CSV file with configurable separator (semicolon, comma, or pipe), UTF-8 encoding with BOM for Excel compatibility, and a default file name reflecting the tab source. Export is per-tab — File, Paste, and Collection each have their own button.
Quick-Info strip and row selection
Below each result grid, a quick-info strip displays the currently selected row in large, copy-friendly text: User, Primary Device, Email, Display Name. Useful when you need to copy a single value (the email of one specific user) without scrolling through the whole grid.
CMTrace logging
GPDEU writes a CMTrace-compatible log to C:\TEMP\PrimaryDeviceEmailLookup.log. Every WMI query, AD lookup, and error is recorded with timestamp, executing Windows user, and severity. Open with CMTrace.exe (shipped with SCCM) for coloured real-time viewing. The log is cumulative across sessions — useful for an audit trail spanning multiple campaigns.
License & read-only mode
GPDEU follows the TontonTools licensing model: 7-day cache + 7-day offline grace, then read-only mode. In read-only mode, the Get buttons (File, Paste, Collection) are disabled — no SCCM or AD query can be launched. Export CSV and Copy Emails remain active for any results already in the grid from a previous session.
For the full licensing model — Trial mechanics, machine and tenant binding, moving a license between workstations, subscription cancellation behavior — see the Licensing reference.
Typical workflow — a maintenance notification campaign
1. Configure credentials once. Click ⚙ Credentials, fill in the SCCM Site Server FQDN and the Site Code. Use Auto-detect if you have the SCCM console installed locally. LDAP path can stay empty for current-domain queries.
2. Pick the right input tab. For a one-off lookup (one or two users mentioned in a ticket): Paste. For a recurring batch (weekly stale-user audit): Import from File. For a targeted campaign (notify everyone in a specific business unit): From SCCM User Collection.
3. Click Get. The tool processes the list sequentially, populating the grid row by row. Watch the Activity Log for any "no affinity" or "AD lookup failed" warnings — these surface users who need manual investigation.
4. Review the grid. Sort by any column. Click any row to see its full details in the Quick-Info strip below the grid. Rows with "(no affinity in SCCM)" indicate the user has no primary device assigned in SCCM (typical for service accounts, recently provisioned users, or shared-workstation users).
5. Export CSV for the audit trail. Click Export CSV and save the file. This is your record of who was contacted and which device they were associated with at the time of the campaign.
6. Click Copy Emails. Pick the separator your mail client expects (semicolon for Outlook, comma for Gmail), click Copy Emails, and paste into the To/Cc/Bcc field of your draft. Compose your message and send.
7. Keep the CMTrace log. The cumulative log at C:\TEMP\PrimaryDeviceEmailLookup.log captures every WMI and AD call. Attach it to your audit record if your governance process requires it.
Limitations and design choices
- Primary device data comes from SCCM only. GPDEU queries SMS_UserMachineRelationship — the SCCM user-device affinity table. Intune primary user data and Entra ID device ownership are not consulted. For a tenant that operates Intune without SCCM, GPDEU is not the right tool.
- Email comes from on-premises Active Directory. GPDEU calls Get-ADUser, which reads the mail attribute on the user object in AD. If your authoritative email is in Entra ID without on-prem sync of the mail attribute, the lookup may return empty values. A future enhancement may add a Graph fallback for email resolution.
- Active affinities only. The WMI query filters on IsActive = 1, so historical or stale affinities are excluded by design. A user whose primary device was reassigned six months ago will return only the current device, not the historical one.
- Sequential processing. GPDEU processes one user at a time. For a list of 500 users, expect a few minutes of run-time depending on AD responsiveness. The sequential approach keeps the log readable and avoids overwhelming the AD controller with parallel queries.
- No deletion or mutation. GPDEU is strictly read-only on SCCM and AD. It does not delete, modify, reassign, or otherwise change any directory record. For cleanup operations, use the dedicated hygiene tools (DDM, ODC, ODM).
Technical notes
- SCCM query mechanism. GPDEU uses Get-WmiObject (PowerShell) rather than direct .NET ManagementObjectSearcher for the SMS_UserMachineRelationship query. Get-WmiObject handles Kerberos cross-domain authentication slightly more robustly in mixed-forest environments.
- AD query mechanism. Get-ADUser is invoked via PowerShell. The tool first imports the ActiveDirectory module silently; if the RSAT module is missing, AD lookups fail gracefully and the rows show "(AD lookup failed)" in the Email column. SCCM resolution still completes.
- WQL backslash escaping. A subtle but critical detail: in WQL WHERE clauses, backslashes inside string literals must be doubled. GPDEU normalises "DOMAIN\SAM" to the WQL-safe form "DOMAIN\\SAM" before inserting it into the query. Without this escape the query silently returns zero results, a common pitfall when writing SCCM scripts by hand.
- Username normalisation. Three input forms are accepted (plain SAM, DOMAIN\SAM, UPN). The tool normalises all to "DOMAIN\SAM" uppercase before the query. The domain part is derived from the SCCM FQDN if the user typed plain SAM.
- Credential storage. DPAPI-encrypted under the current Windows user profile at %AppData%\TontonTools\credentials.dat — shared across all TontonTools products on the same user account on the same workstation.
- No telemetry, no agent. GPDEU runs entirely from the administrator workstation. The only outbound connections are RPC to the SCCM site server, LDAP to the AD domain controllers, and api.lemonsqueezy.com for license validation (at most weekly).
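
The steps in the "Username normalisation" and "WQL backslash escaping" notes above, as an added PowerShell example that is not GPDEU's own code. The function names are hypothetical; the domain-derivation rule (first label of the UPN suffix, or the label after the host name in the site server FQDN) and the selected properties UniqueUserName and ResourceName are assumptions, since the page does not state them. It also escapes single quotes, which goes beyond the backslash case the note describes, so a pasted value cannot terminate the string literal early.

```powershell
# Added example (not GPDEU source). Function names are hypothetical.
function ConvertTo-SccmUserName {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$SiteServerFqdn)
    $n = $Name.Trim()
    if ($n -match '^(?<dom>[^\\@]+)\\(?<sam>[^\\@]+)$') {          # DOMAIN\SAM
        $dom = $Matches['dom']; $sam = $Matches['sam']
    } elseif ($n -match '^(?<sam>[^\\@]+)@(?<suffix>[^\\@]+)$') {  # UPN
        $sam = $Matches['sam']
        $dom = ($Matches['suffix'] -split '\.')[0]   # assumption: first label of the UPN suffix
    } elseif ($n -match '^[^\\@]+$') {                             # plain SAM
        $sam = $n
        $dom = ($SiteServerFqdn -split '\.')[1]      # assumption: label after the host name
    } else {
        throw "Unrecognised username format: '$Name'"
    }
    if (-not $dom) { throw "Cannot derive a domain for '$Name'" }
    return ('{0}\{1}' -f $dom, $sam).ToUpperInvariant()
}

function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first; otherwise the backslash added for the quote is doubled again.
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function New-AffinityQuery {
    param([Parameter(Mandatory)][string]$UserName)
    $literal = ConvertTo-WqlLiteral -Value $UserName
    return "SELECT ResourceName, UniqueUserName FROM SMS_UserMachineRelationship " +
           "WHERE UniqueUserName = '$literal' AND IsActive = 1"
}

# Constructed sample input: the three accepted forms plus a blank line.
$samples = 'dnguyen', 'CORP\dnguyen', ' dnguyen@corp.contoso.com ', ''
foreach ($raw in $samples) {
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }   # blank lines are tolerated
    $user  = ConvertTo-SccmUserName -Name $raw -SiteServerFqdn 'cm01.corp.contoso.com'
    $query = New-AffinityQuery -UserName $user
    Write-Output $query
    # With SCCM read rights, using the example server and site code from this page:
    # Get-WmiObject -ComputerName 'cm01.corp.contoso.com' -Namespace 'root\SMS\site_PR1' -Query $query
}
```

All three sample forms produce the same query, with the user name literal containing a doubled backslash.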