draker Posted October 20, 2014

Hello, I am looking for a bit of help with admin delegation in SCCM 2012 R2. I think I've got a good amount of the delegation done, but I'm really looking for a how-to or a reference article that could better explain what components should be delegated.

What I am trying to achieve: We are offering SCCM as a service to other administrators in our forest. Administrators will be granted full access to administer workstations and servers that reside in their specific OU in Active Directory. This means create collections, import computers, deploy software, OSD, install clients, reporting, inventory, etc. Basically anything an administrator would need to manage computers and servers. Stuff like site integration and boundary groups will be done by the service sysadmins.

What I've done so far:
I've used RBAviewer to create two new roles: OU Read Only Admin, OU Admins Specific Scope.
Imported all computers in each of the OUs to ORG collections (ORG - OU Systems), and assigned admin users and scoped them to the ORG collections.
Created security scopes for each OU and associated users to those scopes.

This all seems to be working well so far, but I know I am missing a few things, for example client settings. Another thing I am trying to figure out is how I can scope 'Import Computer Information' so that when someone imports information it will actually go to their OU. Right now, even if I select a specific collection, the computer information always ends up in All Systems and/or Devices.

I know I can't be the first one setting this up. If anyone has a good write-up or a list of permissions that one would typically delegate in this situation, that would be great! As always, if I left anything out let me know and I can provide more information. Thank you.
draker Posted October 20, 2014

Also, I'm trying to find info about SMB shares on the site server. What other servers need access to these shares? I am going to firewall them off as needed. I am guessing OU admins may want access to the \\site-server\SMS_101\Logs directory at least, and possibly a few more. Any advice here? Thanks!
ludi2014 Posted October 21, 2014

Can you please take some pictures of your setup with roles in SCCM? I think this can help you with 'Import Computer Information': http://blogs.technet.com/b/inside_osd/archive/2012/04/30/custom-role-based-administration-for-importing-computers.aspx

Kind regards, SG
http://www.learnmesccm.com/
https://www.linkedin.com/pub/safet-grahic/a0/842/b21
willisj318 Posted October 21, 2014

This is sort of a PITA to accomplish, but it is how we are running here with 250+ OUs, each needing this. We have done it via security scopes, custom roles, and limiting collections. For example: OU1 needs rights to OU1 PCs and has to be able to deploy corporate packages and make their own, but not modify corporate packages. It also needs to be able to import computers. I can provide more details, but in general:

Create a role for 'read' access and assign it to the 'read' scope you will be creating. This gets assigned to the user under the Security Scopes tab > Associate assigned security... menu.

Create a role for 'write' and assign it to the security scope you create for the OU. Assign the OU topmost-level collection to this.

Create a role for import computers. The default scope is OK. Assign it to the limiting collection for that OU. The limiting collection should be based off of All Systems. We query machines like so (we only import computers for imaging purposes):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where (SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.Client = 1)
  and SMS_R_System.AgentName like "%Manual%"
  and SMS_R_System.Name like "%OU GOES HERE%")

That says: give it to the OU if it is a manual build and has no SCCM client.

We also have a role for distributing content to the DP and a scope to go along with that. This can probably be done simpler, but we decided to segregate some of the roles; we feel that if anything needs to be changed going forward, this may be easier on us. I can provide screenshots and more details if you want.
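The scope / collection / role layout described in the post above, written out as an added PowerShell example for one OU (this is not willisj318's or draker's own code). It assumes the ConfigMgr console and its PowerShell module are installed, the account running it is a Full Administrator, and the names below are invented: site code P01, site server cm01.contoso.com, an OU called Finance under CONTOSO.COM/WORKSTATIONS, and two AD groups CONTOSO\SCCM-Finance-Admins and CONTOSO\SCCM-Finance-ReadOnly. The custom roles are created by copying built-in roles; trimming their individual permissions (the part RBAviewer helps with) is still done in the console afterwards.

```powershell
# Added example, not from the thread: delegate one AD OU to its own admins using
# a security scope, a limiting collection and copied roles.
# Assumed names (not from the post): site P01 on cm01.contoso.com, OU "Finance",
# AD groups CONTOSO\SCCM-Finance-Admins and CONTOSO\SCCM-Finance-ReadOnly.
param(
    [string]$SiteCode   = 'P01',
    [string]$SiteServer = 'cm01.contoso.com',
    [string]$Ou         = 'Finance',
    [string]$OuPath     = 'CONTOSO.COM/WORKSTATIONS/Finance',   # SystemOUName format
    [string]$AdminGroup = 'CONTOSO\SCCM-Finance-Admins',
    [string]$ReadGroup  = 'CONTOSO\SCCM-Finance-ReadOnly'
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# 1. One security scope per OU. Anything the OU admins create (collections,
#    packages, task sequences) gets tagged with it and stays invisible to other OUs.
$scopeName = "OU - $Ou"
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description "Objects owned by $Ou admins" | Out-Null
}

# 2. The OU's limiting collection, limited to All Systems. Two membership sources:
#    machines discovered in the OU, and client-less manual imports named for the OU
#    (the same idea as the query in the post), so imports surface here as well as
#    in All Systems.
$collName = "ORG - $Ou Systems"
$ouQuery = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemOUName like "$OuPath%"
   or ((SMS_R_System.Client is null or SMS_R_System.Client = 0)
       and SMS_R_System.AgentName like "%Manual%"
       and SMS_R_System.Name like "$Ou%")
"@
if (-not (Get-CMDeviceCollection -Name $collName)) {
    New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
        -RuleName "$Ou OU members and manual imports" -QueryExpression $ouQuery
}
# Tag the collection with the OU scope and take it out of Default, so admins of
# other OUs (who only hold Default plus their own scope) cannot see it.
$coll = Get-CMDeviceCollection -Name $collName
Set-CMObjectSecurityScope -InputObject $coll -Action AddMembership    -Name $scopeName
Set-CMObjectSecurityScope -InputObject $coll -Action RemoveMembership -Name 'Default'

# 3. Custom roles, each copied from a built-in role. Permissions are then trimmed
#    in the console (Administration > Security > Security Roles > Properties).
$roles = @(
    @{ Name = 'OU Read Only Admin'; Source = 'Read-only Analyst' },
    @{ Name = 'OU Admin';           Source = 'Operations Administrator' },
    @{ Name = 'OU Computer Import'; Source = 'Operations Administrator' }
)
foreach ($r in $roles) {
    if (-not (Get-CMSecurityRole -Name $r.Name)) {
        Copy-CMSecurityRole -Name $r.Name -SourceRoleName $r.Source | Out-Null
    }
}

# 4. Bind the AD groups to roles + scope + collection. The cmdlet applies the
#    same scope and collection to every role of the user; the per-role pairing
#    the post mentions ("Associate assigned security roles with specific
#    security scopes and collections") is set on the user's Security Scopes
#    tab in the console.
foreach ($pair in @(
    @{ Group = $AdminGroup; Roles = @('OU Admin', 'OU Computer Import') },
    @{ Group = $ReadGroup;  Roles = @('OU Read Only Admin') })) {
    if (-not (Get-CMAdministrativeUser -Name $pair.Group)) {
        New-CMAdministrativeUser -Name $pair.Group -RoleName $pair.Roles `
            -SecurityScopeName $scopeName -CollectionName $collName | Out-Null
    }
}

# 5. Check: what each delegated principal can actually reach.
Get-CMAdministrativeUser |
    Where-Object { $_.LogonName -in @($AdminGroup, $ReadGroup) } |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames |
    Format-Table -AutoSize
```

Two design points: the OU collection is deliberately removed from the Default scope, because every administrative user holds Default and would otherwise see (and, with a write role, could deploy to) every OU's collection; and the collection's query catches manual imports by name and client state rather than relying on the import wizard's target collection, so an import that only shows up in All Systems still lands in the OU's limiting collection on the next membership refresh. If you rely on `Set-CMObjectSecurityScope` with `-Action` on your console build, check `Get-Help Set-CMObjectSecurityScope` first; older module builds expose the same operation as `Add-CMObjectSecurityScope` / `Remove-CMObjectSecurityScope` instead.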
ludi2014 Posted October 21, 2014

Please take some screenshots.
draker Posted October 21, 2014

Thanks for the input so far. I'll post what I have set up so far. It sounds very similar. BTW, I'll try that query.

[screenshot: OU Admin Read Only Permissions]
[screenshot: Permissions assigned to: OU Admins Specific Scope]
[screenshot: Roles Assigned to OU Admin]
draker Posted October 21, 2014

For the computer import role:

[screenshot: computer import role]
willisj318 Posted October 22, 2014

Yeah, it looks along the same lines. I will post details later today.
draker Posted October 22, 2014

I would love to compare them side by side. Also, I've got some other questions for you regarding delegation, but I'll wait until I can compare.
ludi2014 Posted October 22, 2014

Hello boys,

Can you confirm that your setup with collections looks like this?

Kind regards, SG
www.learnmesccm.com