Snakebyte Posted October 28, 2015

I am an administrator of a large network that is slowly being merged into being managed by SCCM 2012. Currently Updates, SCEP, Application deployment, general troubleshooting, Compliance Rules, etc. are in use, and we're almost to the point of using OSD (several good tests with a few different images). Throughout the process, we've been assigning security to allow our Helpdesk to deploy images, and they already have the capability to deploy software packages. They had been in charge of updates and SCEP patching, but they fell behind and now the Sys Admin team is handling all patching, including SCEP. They currently do not have the ability to create/edit/deploy task sequences, OS images, driver packs or compliance rules; they cannot edit or create collections, etc. All my previous experience has been that these items fell under an administrator role, not a helpdesk role.

Management, and some political power grabbing, has created a swing in SCCM security that may require that we provide the following to be administered by the helpdesk:

- Create/Edit/Delete/Deploy Collections (both User and Device)
- Create/Edit/Delete/Deploy Reports
- Create/Edit/Delete/Deploy Task Sequences
- Create/Edit/Delete/Deploy Compliance Rules
- Create/Edit/Delete/Deploy Software Applications
- Create/Edit/Delete/Deploy Software Updates
- Create/Edit/Delete/Deploy Desktop SCCM Policies
- Create/Edit/Delete/Deploy Antimalware Policies
- Create/Edit/Delete/Deploy Operating System Images and Bootable PXE Environments

The only way I can think to do this with our current architecture, and still split off desktops and servers, is to build a CAS server with two different Primary Site Servers (we are a one Primary Site server setup), and split the roles across servers using boundaries to ensure that servers are not being managed by the helpdesk group, and that desktops are not being managed by the server group.
So my questions are these:

- Is this viable (is this nuts?)
- Is this secure?
- Will this provide the level of accountability needed to allow two groups that are literally in different buildings to run their appropriate systems without crossover nightmares?
- Does this present a risk for system-wide disaster (server wipe from an errant Task Sequence/OSD)?
- Are there other ways to do it if this is not suggested, and where can I find the docs (whitepapers, etc.)?
- Does this follow Microsoft best practice for roles within SCCM?
- Does anyone have any knowledge of articles where this was done and worked, or did not work?

Any and all help is appreciated.

Jay
Peter van der Woude Posted October 28, 2015

That is indeed nuts. A CAS will not help you with your security boundaries. You might want to think about scoping objects so they can only access anything related to desktops.
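One way to implement the object scoping Peter suggests, as an added PowerShell example that is not from either poster: a Desktops security scope, the desktop-side objects tagged with it, and the helpdesk AD group granted built-in roles limited to that scope and to an All Desktops collection. The site code, AD group name, collection and object names are placeholders, and the ConfigurationManager module shipped with the admin console is assumed.

```powershell
# Added example (not from either poster): confine a helpdesk team to desktop
# objects with RBAC security scopes instead of building a CAS.
# Assumptions: ConfigurationManager module from the console install,
# placeholder site code, constructed AD group / collection / object names.
$SiteCode         = 'XYZ'                    # placeholder site code
$HelpdeskGroup    = 'CONTOSO\SCCM-Helpdesk'  # constructed AD group
$DesktopsLimiting = 'All Desktops'           # assumed existing collection

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. One security scope per administrative boundary. An admin user sees the
#    union of objects tagged with any scope it holds, so the helpdesk must
#    NOT receive the Default scope (every object carries it out of the box).
foreach ($name in 'Desktops', 'Servers') {
    if (-not (Get-CMSecurityScope -Name $name)) {
        New-CMSecurityScope -Name $name -Description "$name objects only" | Out-Null
    }
}
$desktopScope = Get-CMSecurityScope -Name 'Desktops'

# 2. Tag the desktop-side objects. Anything never tagged (server collections,
#    server task sequences, server boot media) stays invisible to the helpdesk.
$desktopObjects = @(
    Get-CMDeviceCollection -Name $DesktopsLimiting
    Get-CMTaskSequence     -Name 'Windows 10 Desktop Build'   # constructed
    Get-CMBootImage        -Name 'Desktop Boot Image (x64)'   # constructed
    Get-CMApplication      -Name 'Desktop Baseline Apps'      # constructed
)
foreach ($obj in $desktopObjects) {
    Add-CMObjectSecurityScope -InputObject $obj -Scope $desktopScope
}

# 3. Grant the helpdesk group the built-in roles that match the requested
#    duties, restricted to the Desktops scope and to collections limited by
#    'All Desktops'. Objects the helpdesk creates inherit the Desktops scope,
#    so they can build their own collections and task sequences inside it.
$roles = @(
    'Operating System Deployment Manager'
    'Application Administrator'
    'Compliance Settings Manager'
    'Software Update Manager'
    'Endpoint Protection Manager'
)
New-CMAdministrativeUser -Name $HelpdeskGroup `
    -RoleName $roles `
    -SecurityScopeName 'Desktops' `
    -CollectionName $DesktopsLimiting

# 4. Review the result; the helpdesk entry should list exactly one scope and
#    one limiting collection, since any extra entry widens the boundary.
Get-CMAdministrativeUser -Name $HelpdeskGroup | Format-List *
```

Because the helpdesk user never holds the Default scope, the server objects remain out of reach without a second primary site, which is the separation the CAS design was meant to buy.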