SCCM 2012 – RBAC: Add computer to SCCM

Hey, here’s Martin again.

You often come across to the requirement, that you have give access to users to the System Center 2012 Configuration Manager Console, that they can add new Computers to the Hierarchy to stage them with a Task Sequence. They only have to add them to a specific collection, nothing more: with Role based Administration not a problem. But when you try to achieve this, you will often end up, that the users will have rights on the All Systems Collection, which you want to avoid when you Managing multiple sites or Servers and Workstations together. The Magic is behind the limiting collection.

That means, you will have to create a limiting collection, that you can use instead of the All System collection. Let me Show you how this is done, first I create a Role collection for all those Clients managed by the new role “ROL -All Clients for OSD”:
create limiting collection 01Create a query rule to add only the designated Computer object to this collection, I decided to take all Workstations, queried by Name:
QueryConfirm the Settings and don’t forget to activate “Use incremental Updates for this collection”, mind that there is a non-Technical Limit of 200 collections on which incremental updates should be activated (See for further information):
CollectionWith this, you can create the collection you need, and to which the users will add new Computers while using the SCCM Console by “Add Computer Information”. I will not Point out how to create another collection 🙂

After this is done, it is time to create the security role with permission for only the mentioned use. Those are the required permissions to add a Computer:
On the collections: Read; Modify; Modify Resource; Delete Resource; Read Resource
RBAC Collection permissionAnd on the site: Read; Import Computers
RBAC site permissions
If this is done, you can add your user or Group to SCCM:
Add security principalAdd the designated security principal, the new limiting collection, and the collection to which the users should be able to add new devices. You can use the Default Security Scope:
add user or groupWith this configuration, user Jukebox is able to add new devices and make a Membership rule to the designated collection. On the left side you see the console opened with Jukebox and adding a new Device, on the right side you see the same hierachry from an admin view:
Console add computerWith this permission the user can:
-They only see those devices which resides in the limiting collection (in this example the “ROL -All Clients for OSD”)
– Add Computers and add them to one collection
– Delete resources from the two collections (Remove “Delete Resource” from collection permission if not wanted)
– Modify collection Name and Membership rules of the two collections
– Clear PXE Flags on the devices they see and on the two collections

9 thoughts on “SCCM 2012 – RBAC: Add computer to SCCM

  1. Hi Matin
    Thx for the documentation
    But I have a quenstion , when I implement the above my test user (helpdesk user) can add the collection ROL -All Clients for OSD to collection OSD-Windows 8 SwissGerman
    If there is a required deployment on collection OSD-Windows 8 SwissGerman all computer will be reimaged
    Is there a way to avoid adding these collections
    I hope you have a solution for this



  2. Hi Johan.

    To add to Martin’s response, as per the ConfigMan FAQ…

    Can I deny access to objects and collections by using role-based administration?
    Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.

    I hope that is what you were asking and hope it helps.

    I also have a question for anyone who may know…..
    Example:….under Collection..does the “Modify” permission mean the user can modify the properties of the collection, the membership or both? In Martin’s examples above the permissions under collection are “Read; Modify; Modify Resource; Delete Resource; Read Resource”. What if I want the user to be able to add resources to a collection but not be able to modify the properties of the collection (ie: limiting collection)?

    although I am interested in the answer to the example, I can test that in the lab. My question is…Is anyone aware of any documentation which identifies what each permission specifically does?

    The following link is a matrix of the SCCM 2012 RBAC permissions (Thank you Brent Dunsire) but it does not indication what each permission does?


  3. Hi MARTIN,

    you had a script(open source) before which automatically imports a client into a sccm 2012. Can you still provide it and where can I copy it?

    • It should be on technet gallery, as far as I remember 🙂
      But here you have it:
      #Author: Martin Wüthrich, itnetx gmbh
      #Important: Set your Site-Code

      #The Script checks the MAC Address and Computer Name.
      #It also checks if the computername is already in use

      #—Start User Defined Variables
      $SiteCode = “S01”
      $CollectionFilter = “OSD – ”

      #—End User Defined Variables

      #—Script Defined Variables
      #Import SCCM Module
      $ModuleName = (get-item $env:SMS_ADMIN_UI_PATH).parent.FullName + “\ConfigurationManager.psd1″
      Import-Module $ModuleName
      CD $SiteCode”:”

      $bMACValid = $False
      $bPCValid = $false

      $SMSProvider = (Get-CMSite -SiteCode $SiteCode).ServerName

      #—Script Defined Variables

      #—Start Functions
      Function Validate-MACAddress {
      param ([String]$MACAddress)
      If ($MACAddress -notmatch ‘^([0-9a-fA-F]{2}[:-]{0,1}){5}[0-9a-fA-F]{2}$’) {
      Write-Host “MAC Address is not valid!”
      Return $False
      Else{ Return $True }

      function CustomInputBox([string] $title, [string] $message, [string] $defaultText) {
      [System.Reflection.Assembly]::LoadWithPartialName(‘Microsoft.VisualBasic’) | Out-Null
      $fInputValue = [Microsoft.VisualBasic.Interaction]::InputBox(“$message”, “$title”, “$defaultText”)

      Return $fInputValue

      Function Validate-PCName([String]$vComptoValidate) {
      If (Get-CMDevice -Name $vComptoValidate) {
      Write-Host “Computername already in use: $vComptoValidate”
      ElseIf ($vComptoValidate.Length -gt 15) {
      Write-Host “Computername longer than 15 characters: $vComptoValidate”
      Else { Return $True}

      #—End Functions

      #—Start Main Script

      #Check for MAC
      Do {
      [String]$vMACtoValidate = CustomInputBox “MAC-Address” “Please enter the MAC-Address of the Computer.” “22:22:22:22:22:22/22-22-22-22-22-22/222222222222”
      $vMACtoValidate = $vMACtoValidate -replace “-“,”:”
      If($vMACtoValidate.Length -eq 12) {
      $vMACtoValidate = $vMACtoValidate.Insert(2, “:”).Insert(5, “:”).Insert(8, “:”).Insert(11, “:”).Insert(14, “:”)

      $bMACValid = Validate-MACAddress $vMACtoValidate

      While ($bMACValid -ne $True)

      #Check for Duplicate MAC-Adress
      $MACInUse = (Get-WmiObject -ComputerName $SMSProvider -Class SMS_R_SYSTEM -Namespace root\sms\site_$SiteCode | where {$_.MACAddresses -eq $vMACtoValidate}).Name
      If ($MACInUse) {
      $WscriptShell = new-object -comobject
      Write-Host “The MACAddress $vMACtoValidate is already in use on Computer $MACInUse”
      $PopUpText = “The MACAddress $vMACtoValidate is already in use on Computer $MACInUse, are you sure to continue?”
      $MACQuestioResult = $WscriptShell.popup($PopUpText,0,”MAC Address already in use!”,1)
      If ($MACQuestioResult -eq 2) {
      Write-Host “You selected to stop the script beacuse of doubled MAC Address”


      #Check for computername
      Do {
      [String]$vPCtoValidate = CustomInputBox “PC Name” “Please enter the Name of the Computer.” “”
      If ($vPCtoValidate) {
      $bPCValid = Validate-PCName $vPCtoValidate
      Else {
      Write-Host “You have not provided a computername, script will be terminated”

      While ($bPCValid -ne $True)

      #Create Device
      Import-CMComputerInformation -ComputerName $vPCtoValidate -MacAddress $vMACtoValidate -CollectionName “All Systems”
      $oDevice = $null
      #$oDevice = Get-CMDevice -Name $vPCtoValidate
      #Using WMI Query rather than the PoSH cmdlets, because it is too slow
      $oDevice = Get-WmiObject -ComputerName $SMSProvider -Namespace “Root\SMS\Site_$SiteCode” -Class SMS_R_SYSTEM -Filter “Name=’$vPCtoValidate'”

      While($oDevice -eq $null)

      #Get OSD Collections
      $vCollections = Get-CMDeviceCollection | Select-Object Name,CollectionID | where-object {$_.Name -match $CollectionFilter} | Out-GridView -OutputMode Multiple -Title “Choose OSD Collections to add”

      Foreach($vCollection in $vCollections) {
      #Add the client to the collections
      Add-CMDeviceCollectionDirectMembershipRule -CollectionId $vCollection.CollectionID -ResourceId $oDevice.ResourceID


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.