Hey, here’s Martin again.
You often come across the requirement that you have to give users access to the System Center 2012 Configuration Manager console so that they can add new computers to the hierarchy and stage them with a task sequence. They only have to add them to one specific collection, nothing more. With role-based administration this is not a problem. But when you try to achieve this, you often end up with users that have rights on the All Systems collection, which you want to avoid when you manage multiple sites, or servers and workstations together. The magic is in the limiting collection.
That means you have to create a limiting collection that you can use instead of the All Systems collection. Let me show you how this is done. First I create a role collection for all clients that should be managed by the new role, "ROL -All Clients for OSD":
Create a query rule that adds only the designated computer objects to this collection. I decided to take all workstations, queried by name:
Confirm the settings and don't forget to enable "Use incremental updates for this collection". Mind that there is a recommended (not technically enforced) limit of 200 collections on which incremental updates should be enabled (see http://technet.microsoft.com/en-us/library/gg699372.aspx for further information):
With this, you can create the collection you actually need, limited by the new role collection instead of All Systems, to which the users will add new computers in the SCCM console via "Import Computer Information". I will not point out how to create another collection 🙂
After this is done, it is time to create the security role with permissions for only the mentioned use. These are the required permissions to add a computer:
On the collections: Read; Modify; Modify Resource; Delete Resource; Read Resource
And on the site: Read; Import Computers
If this is done, you can add your user or group as an administrative user in SCCM:
Add the designated security principal, the new limiting collection, and the collection to which the users should be able to add new devices. You can use the Default security scope:
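The same procedure driven from the ConfigurationManager PowerShell module, as an added example that is not part of Martin's post: it creates the role collection with a workstation query rule and incremental updates, the staging collection limited by it rather than by All Systems, and the administrative-user assignment, then checks that nothing the helpdesk can see is limited by All Systems. Assumed names: site code S01, a security role "ROL - OSD Stager" that you have already created in the console with the permissions listed above (the 2012 cmdlets cannot set individual role permissions), a staging collection "OSD - Windows 8", workstation names beginning with "WS" and an AD group CONTOSO\SCCM-OSD-Staging.

```powershell
# Added example (not from the post). Run on a machine with the ConfigMgr console.
# Everything below that is a name or a prefix is an assumption; adjust to your site.
$SiteCode  = "S01"
$RoleColl  = "ROL -All Clients for OSD"   # limiting collection from the post
$OsdColl   = "OSD - Windows 8"            # assumed staging collection name
$RoleName  = "ROL - OSD Stager"           # assumed; created in the console beforehand
$Principal = "CONTOSO\SCCM-OSD-Staging"   # assumed AD group for the helpdesk
$WsPrefix  = "WS"                         # assumed workstation naming prefix

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) "ConfigurationManager.psd1")
Set-Location "$($SiteCode):"

# 1. Role collection: limited by All Systems, query rule for workstations only,
#    RefreshType Both = daily full evaluation plus incremental updates.
if (-not (Get-CMDeviceCollection -Name $RoleColl)) {
    $daily = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
    New-CMDeviceCollection -Name $RoleColl -LimitingCollectionName "All Systems" `
        -RefreshType Both -RefreshSchedule $daily | Out-Null
    $wql = 'select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, ' +
           'SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, ' +
           'SMS_R_SYSTEM.Client from SMS_R_System ' +
           "where SMS_R_System.Name like `"$WsPrefix%`""
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $RoleColl `
        -RuleName "Workstations by name" -QueryExpression $wql
}

# 2. Staging collection the helpdesk imports computers into. The point of the post:
#    it is limited by the role collection, not by All Systems.
if (-not (Get-CMDeviceCollection -Name $OsdColl)) {
    New-CMDeviceCollection -Name $OsdColl -LimitingCollectionName $RoleColl `
        -RefreshType Both | Out-Null
}

# 3. Administrative user: principal + role + Default scope + exactly the two collections.
if (-not (Get-CMAdministrativeUser -Name $Principal)) {
    New-CMAdministrativeUser -Name $Principal -RoleName $RoleName `
        -SecurityScopeName "Default" -CollectionName $RoleColl, $OsdColl | Out-Null
}

# 4. Check: apart from the role collection itself, no collection assigned to the
#    helpdesk may be limited by All Systems (SMS00001), otherwise a membership rule
#    they create with their Modify permission could pull in any device in the hierarchy.
$allSystemsId = (Get-CMDeviceCollection -Name "All Systems").CollectionID
foreach ($name in @($OsdColl)) {
    $c = Get-CMDeviceCollection -Name $name
    if ($c.LimitToCollectionID -eq $allSystemsId) {
        Write-Warning "$name is limited by All Systems; re-create it limited by '$RoleColl'."
    }
    else {
        Write-Host "$name is limited by $((Get-CMDeviceCollection -Id $c.LimitToCollectionID).Name): OK"
    }
}
```

The role permissions themselves (Read, Modify, Modify Resource, Delete Resource, Read Resource on collections; Read and Import Computers on the site) are still set in the console as shown above; the script only wires the principal to that role and to the two collections.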
With this configuration, user Jukebox is able to add new devices and create a membership rule in the designated collection. On the left you see the console opened as Jukebox adding a new device; on the right you see the same hierarchy from an admin view:
With these permissions the user can:
- See only those devices that reside in the limiting collection (in this example "ROL -All Clients for OSD")
- Add computers and add them to one collection
- Delete resources from the two collections (remove "Delete Resource" from the collection permissions if this is not wanted)
- Modify the collection name and membership rules of the two collections (note that this includes the query rule of the limiting collection, so what the user can see is only as tight as that rule)
- Clear PXE flags on the devices they see and on the two collections
Hi Martin
Thanks for the documentation.
But I have a question: when I implement the above, my test user (helpdesk user) can add the collection ROL -All Clients for OSD to collection OSD-Windows 8 SwissGerman.
If there is a required deployment on collection OSD-Windows 8 SwissGerman, all computers will be reimaged.
Is there a way to avoid adding these collections?
I hope you have a solution for this
regards
Johan
Hi Johan,
No sorry, I can’t find a solution for this.
Hi Johan.
To add to Martin's response, as per the ConfigMgr FAQ…
Can I deny access to objects and collections by using role-based administration?
——————————————————————————–
Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.
http://technet.microsoft.com/en-us/library/gg682088.aspx
I hope that is what you were asking and hope it helps.
I also have a question for anyone who may know…..
Example: under Collection, does the "Modify" permission mean the user can modify the properties of the collection, the membership, or both? In Martin's example above the permissions under collection are "Read; Modify; Modify Resource; Delete Resource; Read Resource". What if I want the user to be able to add resources to a collection but not be able to modify the properties of the collection (i.e. the limiting collection)?
Although I am interested in the answer to the example, I can test that in the lab. My question is: is anyone aware of any documentation which identifies what each permission specifically does?
The following link is a matrix of the SCCM 2012 RBAC permissions (thank you Brent Dunsire), but it does not indicate what each permission does: https://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96
Cheers
William
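Since role-based administration has no deny, the scenario Johan describes (an include rule or query rule that pulls the whole limiting collection into a staging collection that carries a required task sequence) can only be caught after the fact. The following audit is an added example, not from the post or the comments: it walks every collection whose name matches a staging prefix, reports include rules that include its own limiting collection or All Systems, reports any query rule (a staging collection fed by "Import Computer Information" should only carry direct rules), and flags collections that also carry a required task-sequence deployment. Assumed: site code S01, staging collections named "OSD - …", and the SMS_DeploymentSummary codes DeploymentIntent 1 = Required and FeatureType 7 = Task sequence.

```powershell
# Added example (not from the post): detect staging collections whose membership
# rules would reimage everything the helpdesk can see. Names and prefix are assumptions.
$SiteCode     = "S01"
$StagingRegex = '^OSD - '     # assumed naming convention of staging collections
$AllSystemsId = "SMS00001"    # built-in ID of the All Systems collection

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) "ConfigurationManager.psd1")
Set-Location "$($SiteCode):"

function Find-DangerousStagingRules {
    $findings = @()
    foreach ($coll in Get-CMDeviceCollection | Where-Object { $_.Name -match $StagingRegex }) {
        $limit = Get-CMDeviceCollection -Id $coll.LimitToCollectionID

        # A required task sequence on this collection is what turns a bad rule into a reimage.
        $required = Get-CMDeployment -CollectionName $coll.Name |
            Where-Object { $_.FeatureType -eq 7 -and $_.DeploymentIntent -eq 1 }   # assumed codes

        # Include rules that include the limiting collection itself (Johan's case) or All Systems.
        foreach ($rule in Get-CMDeviceCollectionIncludeMembershipRule -CollectionId $coll.CollectionID) {
            if ($rule.IncludeCollectionID -in @($coll.LimitToCollectionID, $AllSystemsId)) {
                $findings += [pscustomobject]@{
                    Collection   = $coll.Name
                    Kind         = "IncludeRule"
                    Detail       = "includes $($limit.Name) ($($rule.IncludeCollectionID))"
                    RequiredTS   = [bool]$required
                }
            }
        }

        # Any query rule on a staging collection is suspicious: it can match every device
        # inside the limiting collection, which is the same outcome as the include rule.
        foreach ($rule in Get-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID) {
            $findings += [pscustomobject]@{
                Collection = $coll.Name
                Kind       = "QueryRule"
                Detail     = "$($rule.RuleName): $($rule.QueryExpression)"
                RequiredTS = [bool]$required
            }
        }

        # Cheap sanity check independent of rule type: a staging collection as large as
        # its limiting collection means the whole role scope is about to be deployed to.
        if ($limit.MemberCount -gt 0 -and $coll.MemberCount -ge $limit.MemberCount) {
            $findings += [pscustomobject]@{
                Collection = $coll.Name
                Kind       = "MemberCount"
                Detail     = "$($coll.MemberCount) members, limiting collection has $($limit.MemberCount)"
                RequiredTS = [bool]$required
            }
        }
    }
    return $findings
}

$result = Find-DangerousStagingRules
if ($result) {
    # Findings with RequiredTS = True are the ones that would reimage machines.
    $result | Sort-Object RequiredTS -Descending | Format-Table -AutoSize
} else {
    Write-Host "No include/query rules or oversized staging collections found."
}
```

Scheduled from an account that has Read on the collections, this gives a warning window before the next collection evaluation turns a helpdesk mistake into a mass reimage; it does not prevent the rule from being created, which, as the FAQ quoted above says, role-based administration cannot do.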
Modify means that users can change the properties of the collection (general, rules etc.). We do not want users to be able to change collection properties, because then the collection will lose its required purpose…
When I set this to "No", then users are not able to add members to the collection, even though "Modify Resource" is set to "Yes"…
I think there is a big hole here 😦
Daniel
Hi Daniel,
You can always use UserVoice to suggest new options/features:
https://configurationmanager.uservoice.com/forums/300492-ideas
Martin
Thanks….really good help!!
Hi MARTIN,
You had an (open source) script before which automatically imports a client into SCCM 2012. Can you still provide it, and where can I copy it?
It should be on the TechNet gallery, as far as I remember 🙂
But here you have it:
#Add-Computer.ps1
#Author: Martin Wüthrich, itnetx gmbh
#Important: Set your Site-Code
#The script checks the MAC address and computer name.
#It also checks if the computer name is already in use.
#---Start User Defined Variables
$SiteCode = "S01"
$CollectionFilter = "OSD - "
#---End User Defined Variables
#---Script Defined Variables
#Import the SCCM module from the console installation directory
$ModuleName = (Get-Item $env:SMS_ADMIN_UI_PATH).Parent.FullName + "\ConfigurationManager.psd1"
Import-Module $ModuleName
CD $SiteCode":"
$bMACValid = $False
$bPCValid = $False
#SMS Provider host, used for the direct WMI queries below
$SMSProvider = (Get-CMSite -SiteCode $SiteCode).ServerName
#---End Script Defined Variables
#---Start Functions
#Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff (input is normalised to colons before the check)
Function Validate-MACAddress {
    param ([String]$MACAddress)
    If ($MACAddress -notmatch '^([0-9a-fA-F]{2}[:-]{0,1}){5}[0-9a-fA-F]{2}$') {
        Write-Host "MAC Address is not valid!"
        Return $False
    }
    Else { Return $True }
}
function CustomInputBox([string] $title, [string] $message, [string] $defaultText) {
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $fInputValue = [Microsoft.VisualBasic.Interaction]::InputBox("$message", "$title", "$defaultText")
    Return $fInputValue
}
#The name must be unused in the site, at most 15 characters (NetBIOS limit) and made of
#letters, digits and hyphens only, which also keeps it safe to embed in the WQL filter below
Function Validate-PCName([String]$vComptoValidate) {
    If (Get-CMDevice -Name $vComptoValidate) {
        Write-Host "Computername already in use: $vComptoValidate"
        Return $False
    }
    ElseIf ($vComptoValidate.Length -gt 15) {
        Write-Host "Computername longer than 15 characters: $vComptoValidate"
        Return $False
    }
    ElseIf ($vComptoValidate -notmatch '^[A-Za-z0-9-]+$') {
        Write-Host "Computername contains characters other than letters, digits and hyphens: $vComptoValidate"
        Return $False
    }
    Else { Return $True }
}
#---End Functions
#---Start Main Script
#Check for MAC
Do {
    [String]$vMACtoValidate = CustomInputBox "MAC-Address" "Please enter the MAC-Address of the Computer." "22:22:22:22:22:22/22-22-22-22-22-22/222222222222"
    #Normalise the separators to colons
    $vMACtoValidate = $vMACtoValidate -replace "-", ":"
    If ($vMACtoValidate.Length -eq 12) {
        $vMACtoValidate = $vMACtoValidate.Insert(2, ":").Insert(5, ":").Insert(8, ":").Insert(11, ":").Insert(14, ":")
    }
    $bMACValid = Validate-MACAddress $vMACtoValidate
}
While ($bMACValid -ne $True)
#Check for duplicate MAC address (MACAddresses is an array, so -eq acts as "contains")
$MACInUse = (Get-WmiObject -ComputerName $SMSProvider -Class SMS_R_SYSTEM -Namespace root\sms\site_$SiteCode | Where-Object {$_.MACAddresses -eq $vMACtoValidate}).Name
If ($MACInUse) {
    $WscriptShell = New-Object -ComObject wscript.shell
    Write-Host "The MACAddress $vMACtoValidate is already in use on Computer $MACInUse"
    $PopUpText = "The MACAddress $vMACtoValidate is already in use on Computer $MACInUse, are you sure to continue?"
    #Button set 1 = OK/Cancel; return value 2 = Cancel
    $MACQuestioResult = $WscriptShell.Popup($PopUpText, 0, "MAC Address already in use!", 1)
    If ($MACQuestioResult -eq 2) {
        Write-Host "You selected to stop the script because of a duplicate MAC Address"
        exit
    }
}
#Check for computername
Do {
    [String]$vPCtoValidate = CustomInputBox "PC Name" "Please enter the Name of the Computer." ""
    If ($vPCtoValidate) {
        $bPCValid = Validate-PCName $vPCtoValidate
    }
    Else {
        Write-Host "You have not provided a computername, script will be terminated"
        exit
    }
}
While ($bPCValid -ne $True)
#Create Device
Import-CMComputerInformation -ComputerName $vPCtoValidate -MacAddress $vMACtoValidate -CollectionName "All Systems"
$oDevice = $null
Do {
    #$oDevice = Get-CMDevice -Name $vPCtoValidate
    #Using a WMI query rather than the PoSH cmdlet, because it is too slow.
    #The resource shows up asynchronously after the import, so poll with a short pause.
    $oDevice = Get-WmiObject -ComputerName $SMSProvider -Namespace "Root\SMS\Site_$SiteCode" -Class SMS_R_SYSTEM -Filter "Name='$vPCtoValidate'"
    If ($oDevice -eq $null) { Start-Sleep -Seconds 2 }
}
While ($oDevice -eq $null)
#Get OSD Collections
$vCollections = Get-CMDeviceCollection | Select-Object Name, CollectionID | Where-Object {$_.Name -match $CollectionFilter} | Out-GridView -OutputMode Multiple -Title "Choose OSD Collections to add"
Foreach ($vCollection in $vCollections) {
    #Add the client to the collections
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $vCollection.CollectionID -ResourceId $oDevice.ResourceID
}
THANKS!!