FromTheUnderground, posted October 30, 2014 (edited October 30, 2014 by FromTheUnderground):

I am looking for some assistance with security permissions on device collections. We have several small IT departments that manage their own computers, all connected into our primary AD domain and SCCM site. I currently have device collections, with "All Systems" as their limiting collection, built out pointing directly to each distributed IT department's Active Directory OU. This allows the distributed IT admins full control over their machines within their AD OU, but prevents them from seeing or managing computers in another department's AD OU. The issue I have run into is that I want to allow each of these groups to manually import computers using a CSV file for bare metal deployment. In our environment, we cannot enable deploying to unknown computers. I have created a collection off of All Systems called "All Imported Systems" that lists all systems that were manually imported. Is there a way I can allow all users read access to this collection AND be able to use this collection as the limiting collection? I have parts of this completed, but I think I am missing a step somewhere. Or, if there is a way to give a group the ability to manage the membership of a collection without giving them the ability to change the limiting collection. Let me know if I need to supply any more information on the environment or what I am trying to accomplish. Thank you all in advance. Josh
Peter van der Woude, posted October 30, 2014:

If you can modify a collection you can also change the limiting collection. Why do you use a separate collection to import your computers to?
ludi2014, posted November 3, 2014:

I think if you want separate roles or collections like server-client. Here is an example I posted last week: http://www.windows-noob.com/forums/index.php?/topic/11482-admin-delegation-per-ou/ Kind regards, sg http://www.learnmesccm.com/ https://www.linkedin...ahic/a0/842/b21
FromTheUnderground, posted November 21, 2014:

I found a solution that works for my environment. I created a collection "All Imported Systems" that lists all computers that have been manually imported. I then created a collection for each of our area admins (based on OU permissions within AD) and created a security role specifically for these newly created collections. I got the idea from Michael Lucero - Austin from another forum.

"Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question. Create a new collection that is a copy of your limiting collection mentioned above. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection. Select the collections to which you wish to grant Add Resource permissions and set their limiting collection to this new collection. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions on under "Associate assigned security roles with specific security scopes and collections" - don't forget to add your security scope. Apply the changes and test - don't forget to restart the console of your test account. This does a couple of things - it allows the Add Resource function on the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group. We had the same issue in our environment - we needed a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection. Allowing modify on the All Workstations collection allowed modifications to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts, and it works as I needed. Hopefully this will solve your issue and give you some options going forward."
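The layout described in the first post (OU-scoped department collections limited by All Systems) and the "copy of the limiting collection" procedure in the post above, scripted with the ConfigurationManager PowerShell module. This is an added example and not code from the thread or from Michael Lucero; the site code, collection names, the security scope "DeptA", the group "CONTOSO\DeptA-ITAdmins", the MAC address and the security role "Collection Importer" (assumed to already exist, created in the console with only Read and Add Resource on collections, as the post describes) are all placeholders, and the WQL query used to select manually imported records is my assumption rather than something the thread states.

```powershell
# Added example (not from the thread). Run in a console where the ConfigurationManager
# module is available; the site code "PS1" and every name below are placeholders.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Assumption: computers added through Import Computer Information carry the discovery
# agent name "Manual Machine Entry", which is what lets a query pick out "manually
# imported" records. Verify in your site before relying on it.
$importedQuery = 'select SMS_R_System.ResourceId, SMS_R_System.Name from SMS_R_System ' +
                 'where SMS_R_System.AgentName = "Manual Machine Entry"'

# 1. "All Imported Systems": every manually imported record, limited by All Systems.
New-CMDeviceCollection -Name 'All Imported Systems' -LimitingCollectionName 'All Systems' | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'All Imported Systems' `
    -RuleName 'Manually imported' -QueryExpression $importedQuery

# 2. The copy that delegated admins are *limited by* but must not be able to modify.
#    Same membership rule; its limiting collection is deliberately something other
#    than the collection it copies (the post's "set it to something other than the
#    default"), so it is not itself limited by "All Imported Systems".
New-CMDeviceCollection -Name 'LIM - Imported Systems' -LimitingCollectionName 'All Systems' | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'LIM - Imported Systems' `
    -RuleName 'Manually imported' -QueryExpression $importedQuery

# 3. One collection per department that its admins may Add Resource to. Bare-metal
#    imports have no AD OU yet, so membership here is direct (the import itself adds
#    the record); it is limited by the copy from step 2, not by All Imported Systems.
New-CMDeviceCollection -Name 'DeptA - Imported Systems' `
    -LimitingCollectionName 'LIM - Imported Systems' `
    -Comment 'Direct members only; populated by DeptA admins via Import Computer Information' | Out-Null

# 4. Associate the department group with the restricted role, its security scope,
#    the limiting copy and the department collection. The role itself (Read + Add
#    Resource on collections, no Modify) is assumed to have been built in the console.
New-CMAdministrativeUser -Name 'CONTOSO\DeptA-ITAdmins' `
    -RoleName 'Collection Importer' `
    -SecurityScopeName 'DeptA' `
    -CollectionName 'LIM - Imported Systems', 'DeptA - Imported Systems' | Out-Null

# Review what was granted before handing the console to anyone.
Get-CMAdministrativeUser -Name 'CONTOSO\DeptA-ITAdmins' |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames

# 5. Verification, run from a console started as a member of the group (the post's
#    "restart the console of your test account"). Expected outcome per the post:
#    the import into the department collection succeeds and the attempt to change
#    the limiting collection is denied. If the second call succeeds, the scope is
#    broader than intended and should be fixed before rollout.
Import-CMComputerInformation -ComputerName 'DEPTA-PC-001' `
    -MacAddress '00:15:5D:00:AA:01' -CollectionName 'DeptA - Imported Systems'
try {
    Set-CMDeviceCollection -Name 'DeptA - Imported Systems' `
        -LimitingCollectionName 'All Systems' -ErrorAction Stop
    Write-Warning 'Delegated account could change the limiting collection: scope is too broad.'
} catch {
    Write-Host 'Limiting collection change denied for the delegated account (expected).'
}
```

The point of step 2 is the one Peter van der Woude raises: rights on a collection flow down to everything limited by it, so granting the group anything on "All Imported Systems" directly would expose every department's imports. Limiting the department collections by a separate copy keeps the blast radius of an over-broad role to that department's own collection, and the check in step 5 is the cheapest way to confirm that the role you built really lacks Modify before the group gets it.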
bhushan.r.patil, posted November 20, 2019:

On 11/22/2014 at 12:37 AM, FromTheUnderground said: I found a solution that works for my environment. I created a collection "All Imported Systems" that lists all computers that have been manually imported. I then created a collection for each of our area admins (based on OU permissions within AD) and created a security role specifically for these newly created collections. I got the idea from Michael Lucero - Austin from another forum. "Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question. Create a new collection that is a copy of your limiting collection mentioned above. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection. Select the collections to which you wish to grant Add Resource permissions and set their limiting collection to this new collection. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions on under "Associate assigned security roles with specific security scopes and collections" - don't forget to add your security scope. Apply the changes and test - don't forget to restart the console of your test account. This does a couple of things - it allows the Add Resource function on the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group. We had the same issue in our environment - we needed a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection. Allowing modify on the All Workstations collection allowed modifications to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts, and it works as I needed. Hopefully this will solve your issue and give you some options going forward."

Bit confused. I have "Collection1" which is limited to "All Systems". One task sequence is advertised to "Collection1". Can I give permissions to "user1" only on "Collection1", to add/remove systems?