SCCM 1606 - No Full Admnistrator Role Access !

[stuart]

This is a strange one so sorry for the long post

I upgrade my SCCM 1602 to 1606 six days ago. The upgrade went fine, no errors after the upgrade and I thought it was job done.

Two days ago I noticed when I opened the SCCM console I did not have all the menu options when I right clicked a device / collection and lots of things were greyed out. I double checked and the user I am running the console is in the AD group that is assigned the Full Administrator Role. I checked with another user who should also have Full Administrator access and they too have restricted access.

I have spent the last day trying to resolve this issue and cant seem to find anyway to fix it. I need to get Full Adminstrator Role access back or the whole thing is useless. I have checked and double checked the AD groups. The SCCM Console tells me in Security that my AD group is asigned Full Administrator Role however I cant just get that access.

Another user who I created a custom role for to allow them to delete devices can still do this (delete devices). So that custom role is translating correctly the AD group membership.

As part of my investgations I rolled the SCCM site database back to three days ago. After the restore I logged into the console and all looked OK again. I had Full Administrator access again. But only for a few minutes. After about a minute in the console I tried to assign a new AD group to a new Security Role and it told me I didn't have access. And when I right click all the menu options have gone or are greyed out again. How does that happen ? In fact I did this three times today, rolled the db back, launched the console, had Full Administrator rights for about a minute then didn't.

I have google searched for hours but cannot find anything similar. I am hoping someone has maybe seen this and can help.

Our SCCM server and SQL are on the same box and are physical. I do have a backup of the the 1602 site environment however I am reluctant to go back. Partly because I have never done this before and the fact the box is physical, would I need to wipe the server, give the same name and IP. repartition and do a Site Recovery ?

Thanks for any help.

Stuart

Edited September 30, 2016 by stuart

[anyweb]

is your console installed locally, or remotely ? did you also upgrade the console after the upgrade ?

[stuart]

Yes the console was upgraded. It happens running the console locally and remotely. I have a post on the MS forum here

 

https://social.technet.microsoft.com/Forums/en-US/b097d08a-a3c3-4122-bcac-2f562a81fc5c/full-administrator-roll-not-working?forum=ConfigMgrCBGeneral&prof=required