Archive

Archive for the ‘SCCM Permissions’ Category

SCCM 2007 Role Based Permissions–Software Distribution

This post focuses on permissions to allow the distribution of software. I use this to enable support staff the ability to deploy very specific software. This in combination with Ron Crumbaker’s web remote tools found at http://www.myitforum.com/articles/19/view.asp?id=8662 is how I manage what the support staff has access to. Essentially, Ron’s tool references a top level collection and lists the sub collections as options for software to distribute. You can of course use the full console as well.

The key is that “Modify” permissions are required. Do not run out and give “Modify” permissions to everybody though…this allows the modification of direct membership and WQL queries. This is why I encourage the team to use the web console so they see only what they have permission to.

Please note that this is a pain in the you know what and needs to be combined with process…and it will only be as good as the process. But, if you have every had an oops that caused you pain you will be open to this.

Also, note that I keep this separate from the “SCCM Support” role because I make them go through training to earn the permissions. I can keep track easier this way.

  1. Create a security group in AD named “SCCM Software Distribution”
  2. Using credentials that have administrator access to SCCM open the full console
  3. Navigate to “System Center Configuration Manager – Site Database – Security Rights – Users”
    image_thumb[1]
  4. Right click on “Users” and select “Manage ConfigMgr Users”
    image_thumb[2]
  5. Click “Next”
    image_thumb[3]
  6. Click “Browse”
    image_thumb[7]
  7. Navigate to the “SCCM Software Distribution” group you created earlier
    Click “Next”
  8. Click on “Add another right or modify an existing one” and click “Next”
    image_thumb[8]
  9. For “Collection” – COLLECTIONNAME (where COLLECTIONNAME is a collection you want to grant permissions for add the following:
    – “Modify”
  10. Repeat for each collection
  11. Click “Next”
  12. Click “Next”
  13. Click “Close”
Advertisements
Categories: SCCM, SCCM Permissions

SCCM 2007 Role Based Permissions–Support

April 4, 2011 1 comment

This post focuses on setting permissions for a support role. This role will have read access to resources, read access to reports, the ability to remote control a user’s device, and abilities within the computer association feature for user state.

  1. Create a security group in AD named “SCCM Support”
  2. Using credentials that have administrator access to SCCM open the full console
  3. Navigate to “System Center Configuration Manager – Site Database – Security Rights – Users”
    image
  4. Right click on “Users” and select “Manage ConfigMgr Users”
    image
  5. Click “Next”
    image
  6. Click “Browse”
    image
  7. Navigate to the “SCCM Support” group you created earlier
    image
  8. Click “Next”
    image
  9. Click on “Add another right or modify an existing one” and click “Next”
    image
  10. For “Collection” – “(All Instances)” add the following:
    – “Delete resource”
    – “Modify resource”
    – “Read”
    – “Read resource”
    – “Use remote tools”
  11. For “Report” – “(All Instances)” add the following:
    – “Read”
  12. For “Computer association” – “(All Instances)” add the following:
    – “Create”
    – “Delete”
    – “Read”
    – “Recover user state”
  13. Click “Next”
  14. Click “Next”
  15. Click “Close”
Categories: SCCM, SCCM Permissions
%d bloggers like this: