barnold Posted December 5, 2012

Hello All, I'm currently banging my head against a problem that I'm sure has a simple solution that I just can't see through the weeds right now. Thus I'm turning to you other gurus to see if you can help open my eyes!

First, a little background: as I'm sure is common, we have one primary site (no CAS) and I have several divisions who are all their own Config Manager administrators for their own areas. Thus, I've been thankful for Role Based Administration in Config Manager 2012 for giving me better control over the granular security necessary to accomplish this without utilizing separate sites for each political unit.

I've run into a snag with importing new computers by MAC address and Computer Name though. The new collection system holds that each collection has to be limited by another. I don't want to give access to "All Systems" to each Config Manager admin, so I create their own "root collection" which is based off of an AD query of their division's root OU in Active Directory. I then directly assign this collection to them in place of "All Systems" using the security section of the Administration workspace. However, it turns out that Microsoft says no one can "modify" or "delete" a collection that is directly assigned to them in this fashion, which in turn means they cannot import new machines (via right-clicking on Devices and choosing "Import Computer Information"). They also can't import new machines into "All Systems" because they don't have those privileges. Therefore, they are stuck.

Like I said, I'm sure this situation has to have an easy answer that I'm missing. Can anyone provide some insight here? Can I grant these departmental admins just enough rights to "All Systems" to read that collection and also to import new computers to it, but nothing else (i.e. I can't let them deploy to it)? Thanks in advance for any insight the community can provide!
Regards, Ben
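The delegation Ben describes (a divisional "root" collection limited by All Systems and populated by an AD OU query, then assigned directly to an administrative user in place of All Systems), scripted with the Configuration Manager PowerShell cmdlets so a site admin can reproduce it and review exactly what the divisional admin holds. This is an added example, not code from the original post or from Microsoft; the site code, domain, OU path, AD group, computer name and MAC address are placeholders, and the `-SecurityScopeName` parameter and the `RoleNames`/`CategoryNames`/`CollectionNames` properties are assumed to be available on your cmdlet version.

```powershell
# Added example: reproduces the delegation setup from the post above with the
# ConfigMgr cmdlets. All names below are assumed placeholders; replace them.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"   # PS1 = assumed site code; the PS drive is named after it

$division   = "DivisionA"
$rootName   = "$division Root"
$ouPath     = "CONTOSO.COM/WORKSTATIONS/DIVISIONA"   # assumed OU, in the form SystemOUName uses
$adminGroup = "CONTOSO\$division-CMAdmins"           # assumed AD security group

# 1. The divisional root collection: limited by All Systems, members found by AD OU query.
if (-not (Get-CMDeviceCollection -Name $rootName)) {
    New-CMDeviceCollection -Name $rootName -LimitingCollectionName "All Systems" | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $rootName -RuleName "$division OU" `
        -QueryExpression "select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.SystemOUName = '$ouPath'"
}

# 2. The divisional admin: one role plus a security scope, with the root collection
#    assigned directly instead of All Systems (the setup the post describes).
#    -SecurityScopeName is assumed to exist on this cmdlet in your version.
if (-not (Get-CMAdministrativeUser -Name $adminGroup)) {
    New-CMAdministrativeUser -Name $adminGroup -RoleName "Operations Administrator" `
        -SecurityScopeName "Default" -CollectionName $rootName | Out-Null
}

# 3. Review what was granted, so the grant can be checked against least privilege.
#    Property names are those of the SMS_Admin class (assumed).
Get-CMAdministrativeUser -Name $adminGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames

# 4. The import itself. Run as the full site administrator this succeeds; as the post
#    says, it fails for the divisional admin because a directly assigned collection
#    cannot be modified by that admin. Computer name and MAC are constructed values.
Import-CMComputerInformation -ComputerName "DIVA-PC001" -MacAddress "00:15:5D:00:00:01" `
    -CollectionName $rootName
```

Step 3 is the part worth keeping around: run it for each delegated admin before and after changing roles, scopes or assigned collections, and compare the output to what the division was supposed to receive.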
Tay Posted December 5, 2012 Why are you manually adding computers? You are using a query to pull comps from the OU, right? This should all be automatic and would only require your admins to click on Update Membership.
barnold Posted December 5, 2012 That's a good point, Tay. We manually import computers when we get new machines, not before, in our organization. We manually import them so that we can then PXE boot for re-imaging purposes. True, their root collection is query-based, but they create all kinds of direct membership collections and manually add new machines into any number of other locations.
Tay Posted December 5, 2012 You could create a PXE VLAN separate from your network just for the ports that are used to re-image. Then assign your O/S task sequences to the All Unknown Computers collection. The VLAN so your guys don't accidentally image the whole company, and the unknown collection will detect any new devices so you won't have to deal with MAC addresses. I use USB to PXE boot so I don't know if it would work in your environment. Maybe someone can shed some light on automating PXE from the network. I thought they did away with manually adding new comps in 2012 but I can't verify.
barnold Posted December 6, 2012 They definitely didn't get rid of manually adding new computer information in 2012; anyweb has a guide on it on this site. I'll dig it up and link it here.
barnold Posted December 6, 2012 Here's the link I was looking for. Anyway, I can import machines manually just fine as the full administrator for our entire primary site. The people to whom I've delegated smaller sections of control (i.e. several security roles, a custom security scope, and their own custom "root" collection) can't import machines because they can't import into the collection I've directly assigned them, nor can they import into "All Systems." I'm stumped. I appreciate the thought, Tay, but your solution seems a bit more complicated than I'd like to tackle, if only because it involves getting the networking team involved.
barnold Posted December 7, 2012 For those that may be interested, I did finally find a blog post that gets me a little closer towards my goal. Here is the link for those that might like to read through it.