SheilaA2 Posted December 26, 2012

We have a pretty basic SCCM 2012 setup for now with a single primary site with AD integration. Things are working great but we are at the point where we would like to begin implementing security for the rest of the IT staff. I'm hoping that someone can help me with an issue that I'm having or suggest a better way of doing things. I'm new to the SCCM world and am learning as I go, so if you need to ask any additional questions, please ask away.

Basically, we are implementing device collections based on software needs. So if a computer requires MS Project, we have a collection to which that application has been deployed. We then add the computer resource to that collection. The issue that I'm having is from a security perspective. Essentially, we would like to be able to have our helpdesk staff add or remove resources from these collections based on their software needs. The only way that I've been able to achieve this is to give them "modify" permissions on collections via a security role. The problem with this is that they are able to modify the collection properties. I don't want them to be able to do this. What am I doing wrong or missing? Thank you for your time.
kvineets Posted December 27, 2012

Create an AD group and link it with the collection with a SQL query, and give your IT helpdesk access for adding workstations to the AD group.
SheilaA2 Posted December 27, 2012

Not a bad idea, but I'm not sure that it will work in my situation since a workstation can only belong to one AD group. Since there are various software packages/collections, a device or workstation will need to belong to multiple collections.
Peter33 Posted December 27, 2012

Quoting SheilaA2: "Not a bad idea but I'm not sure that it will work in my situation since a workstation can only belong to one AD group."

A computer object can be a member of round about 1000 groups (at least).
SheilaA2 Posted December 27, 2012

Oh my gosh... you are right... I was thinking OU! Thank you! I'm going to run this by the team to see what they think.
narcoticmind Posted December 28, 2012

You could give this a shot: http://www.windows-noob.com/forums/index.php?/topic/892-deploy-software-through-ad-groups-linked-to-collections-in-sccm/page__st__40#entry24739

Basically you create two collections, one for the removal and one for the install, and everything is handled through the computer account's AD group membership. Depending on your environment (big, medium, small) you should see if there are any performance hits with this approach.
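The AD-group-linked collection that kvineets and narcoticmind describe, as an added example that is not from the thread or the linked post: the collection gets a WQL query rule on SMS_R_System.SystemGroupName, so the helpdesk only ever touches AD group membership and needs no rights on the collection at all. It assumes AD System Group Discovery is enabled, that the ActiveDirectory and ConfigMgr PowerShell modules (ConfigMgr cmdlets need SP1 or later) are available on the console machine, and the site code, domain, group, collection and computer names are placeholders.

```powershell
# Added example, not from the thread. Placeholders: site code, domain, names.
Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"  # ConfigMgr SP1+ module
$SiteCode  = 'PS1'                        # placeholder site code
$Domain    = 'CONTOSO'                    # NetBIOS domain name (placeholder)
$GroupName = 'SCCM-App-MSProject-Install' # AD security group the helpdesk manages
$CollName  = 'App - MS Project - Install'

# WQL membership rule: every discovered device whose AD group list contains
# the group. SystemGroupName is stored as DOMAIN\Group; the backslash is
# doubled because WQL treats a single backslash as an escape.
function Get-GroupMembershipQuery {
    param([string]$Domain, [string]$Group)
    return @"
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$Domain\\$Group"
"@
}

# 1. The AD group. Delegate only "Write Members" on this object to the helpdesk
#    group in AD; they get no SCCM collection permission whatsoever.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. The collection, with a query rule bound to that group. A matching
#    "uninstall" collection is the same rule pointed at a second group.
Set-Location "$($SiteCode):"
if (-not (Get-CMDeviceCollection -Name $CollName)) {
    New-CMDeviceCollection -Name $CollName -LimitingCollectionName 'All Systems' | Out-Null
}
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
    -RuleName "AD group $GroupName" `
    -QueryExpression (Get-GroupMembershipQuery -Domain $Domain -Group $GroupName)

# 3. All the helpdesk does afterwards: change group membership. The device
#    enters or leaves the collection after the next AD System Group Discovery
#    cycle and collection membership evaluation, so expect that delay.
Add-ADGroupMember    -Identity $GroupName -Members 'WS-0123$'   # placeholder computer
# Remove-ADGroupMember -Identity $GroupName -Members 'WS-0123$' -Confirm:$false
```

Because membership is now driven by AD, changes to the deployment show up in the AD group's object audit trail rather than only in the SCCM console, which is also where to look when a device unexpectedly gains or loses the application.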