Jump to content


FromTheUnderground

SCCM 2012 Collection Permissions

Recommended Posts

I am looking for some assistance with security permissions on device collections.


We have several small IT departments that manage their own computers all connected into our primary AD domain and SCCM site. I currently have device collections with their limiting collection as "All Systems" built out pointing directly to each distributed IT department's Active Directory OU. This allows the distributed IT admins full control over their machines within their AD OU, but prevents them from seeing or managing computers in another department's AD OU.


The issue I have run into is I want to allow each of these groups to manually import computers using a csv file for bare metal deployment. In our environment, we cannot enable deploying to unknown computers. I have created a collection off of All Systems called "All Imported Systems" that lists all systems that were manually imported. Is there a way I can allow all users read access to this collection AND be able to use this collection as the limiting collection? I have parts of this completed but I think I am missing a step somewhere.


OR


If there is a way to give a group the ability to manage the membership of a collection without giving them the ability to change the limiting collection.



Let me know if I need to supply any more information on the environment or what I am trying to accomplish.



Thank you all in advance.

Josh

Edited by FromTheUnderground

Share this post


Link to post
Share on other sites

I found a solution that works for my environment. I created a collection "All Imported Systems" that lists all computers that have been manually imported. I then created a collection for each of our area admins (based on OU permissions within AD) and created a security role specifically to these newly created collections. I got the idea from Michael Lucero - Austin from another forum.

 

"Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question.

  1. Create a new collection that is a copy of your collection limiting collection mentioned above.
  2. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection.
  3. Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection.
  4. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget to add your security scope.
  5. Apply the changes and test - don't forget to restart the console of your test account.

This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group.

We had the same issue in our environment - need a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection. Allowing modify to the All Workstations collection allowed modifications to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts and it works as I needed.

Hopefully this will solve your issue and give you some options going forward."

Share this post


Link to post
Share on other sites

On 11/22/2014 at 12:37 AM, FromTheUnderground said:

I found a solution that works for my environment. I created a collection "All Imported Systems" that lists all computers that have been manually imported. I then created a collection for each of our area admins (based on OU permissions within AD) and created a security role specifically to these newly created collections. I got the idea from Michael Lucero - Austin from another forum.

 

"Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question.

  1. Create a new collection that is a copy of your collection limiting collection mentioned above.
  2. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection.
  3. Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection.
  4. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget to add your security scope.
  5. Apply the changes and test - don't forget to restart the console of your test account.

This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group.

We had the same issue in our environment - need a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection. Allowing modify to the All Workstations collection allowed modifications to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts and it works as I needed.

Hopefully this will solve your issue and give you some options going forward."

Bit confused..

I have "Collection1" which is limited to "All Systems". One Task sequence is advertised to "Collection1". Can I give permissions to "user1" only on "Collection1", to add/remove systems?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.