Ok, depois de ler mais o MSDN do que eu gostaria de fazer novamente, aqui está um VBScript (confuso) que consegui reunir para tirar o relevante do SCCM:
option explicit
DIM strSCCMServer, objSCCM
DIM strUserName, strDomain
DIM strSMSUserID
'Central Site Server
strSCCMServer = "SCCMSERVER01"
'Active Directory domain name
strDomain = "DOMAIN_NAME"
strUserName = InputBox ("Enter User Name")
'Find Site Code
DIM objLoc, Results, Loc
Set objLoc = CreateObject("WbemScripting.SWbemLocator")
Set objSCCM = objLoc.ConnectServer(strSCCMServer, "root\sms")
Set Results = objSCCM.ExecQuery ("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For each Loc in Results
If Loc.ProviderForLocalSite = True Then
Set objSCCM = objLoc.ConnectServer(Loc.Machine, "root\sms\site_" & Loc.SiteCode)
End If
Next
'Find domain user accounts for strUserName
strSMSUserID = GetUserResourceID(strUserName, strDomain)
If (strSMSUserID = "") Then
wscript.echo "Error: no account found in " & strDomain & " for userID " & strUserName
wscript.quit
Else
wscript.echo strDomain & "\" & strUserName & " = " & strSMSUserID
End If
'Find all direct collection memberships of this account
DIM colCollIDs, objCollResID
Set colCollIDs = objSCCM.ExecQuery ("select * from SMS_CollectionMember_a where ResourceID='" & strSMSUserID & "'")
for each objCollResID in colCollIDs
DIM instColl
Set instColl = objSCCM.Get ("SMS_Collection.CollectionID=""" & objCollResID.CollectionID &"""")
wscript.echo objCollResID.CollectionID & " = " & instColl.Name
next
'Obtain the SMS resource ID for a user account in a domain
Function GetUserResourceID(strUser, strDomain)
DIM objResID, colResourceIDs
Set colResourceIDs = objSCCM.ExecQuery ("select ResourceID from SMS_R_User where UserName = '" & strUser &"' AND WindowsNTDomain = '"& strDomain &"'")
for each objResID in colResourceIDs
GetUserResourceID = objResID.ResourceID
next
End Function