Hey, here’s Martin again.
You often come across the requirement that you have to give users access to the System Center 2012 Configuration Manager console so that they can add new computers to the hierarchy and stage them with a task sequence. They only have to add them to a specific collection, nothing more: with role-based administration that is not a problem. But when you try to achieve this, you will often end up giving the users rights on the All Systems collection, which you want to avoid when you manage multiple sites, or servers and workstations, together. The magic is behind the limiting collection.
That means you will have to create a limiting collection that you can use instead of the All Systems collection. Let me show you how this is done. First I create a role collection for all those clients managed by the new role, “ROL -All Clients for OSD”:
Create a query rule to add only the designated computer objects to this collection; I decided to take all workstations, queried by name:
Confirm the settings and don’t forget to activate “Use incremental updates for this collection”. Mind that there is a non-technical limit of 200 collections on which incremental updates should be activated (see http://technet.microsoft.com/en-us/library/gg699372.aspx for further information):
With this, you can create the collection you need, to which the users will add new computers from the SCCM console via “Add Computer Information”. I will not point out how to create another collection 🙂
After this is done, it is time to create the security role with permissions for only the mentioned use. These are the required permissions to add a computer:
– On the collections: Read; Modify; Modify Resource; Delete Resource; Read Resource
– On the site: Read; Import Computers
Once this is done, you can add your user or group to SCCM:
Add the designated security principal, the new limiting collection, and the collection to which the users should be able to add new devices. You can use the Default security scope:
With this configuration, user Jukebox is able to add new devices and create a membership rule in the designated collection. On the left side you see the console opened as Jukebox while adding a new device; on the right side you see the same hierarchy from an admin view:
With this permission the user can:
– See only those devices which reside in the limiting collection (in this example “ROL -All Clients for OSD”)
– Add computers and add them to one collection
– Delete resources from the two collections (remove “Delete Resource” from the collection permissions if this is not wanted)
– Modify the collection name and membership rules of the two collections
– Clear PXE flags on the devices they see and on the two collections
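The same walkthrough, scripted as an added example with the Configuration Manager PowerShell cmdlets that ship with the console. This is not Martin’s code and not part of the original post. The site code PS1, the group CONTOSO\OSD-Staging, the collection name “OSD - Staging”, the role name “ROL - OSD Staging” (assumed to have been created in the console already, with exactly the permissions listed above) and the WS- name prefix for workstations are assumptions, not values from the post.

```powershell
# Added example, not from the original post: the collection and RBAC steps of the
# walkthrough, scripted with the Configuration Manager cmdlets.
# Assumptions (not in the post): site code "PS1", group "CONTOSO\OSD-Staging",
# the role "ROL - OSD Staging" already exists with the permissions listed above,
# and workstation names start with "WS-".

# Load the ConfigMgr module from the console installation and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

$limitingName = 'ROL -All Clients for OSD'
$targetName   = 'OSD - Staging'

# 1. The role collection, the only one here limited by All Systems. RefreshType
#    Continuous is the cmdlet's name for "Use incremental updates for this collection".
New-CMDeviceCollection -Name $limitingName -LimitingCollectionName 'All Systems' `
    -RefreshType Continuous | Out-Null

# Query rule: only workstations, selected by name (assumed naming pattern "WS-*").
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.Name like "WS-%"
"@
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $limitingName `
    -QueryExpression $wql -RuleName 'Workstations by name'

# 2. The collection the staging users actually work in. It is limited by the role
#    collection, not by All Systems, so the users never need rights on All Systems.
New-CMDeviceCollection -Name $targetName -LimitingCollectionName $limitingName `
    -RefreshType Continuous | Out-Null

# 3. Bind principal, role, collections and scope in one administrative user entry.
#    Both collections are listed: the limiting one so the users can see its members,
#    the target one so they can add devices to it.
New-CMAdministrativeUser -Name 'CONTOSO\OSD-Staging' -RoleName 'ROL - OSD Staging' `
    -CollectionName $limitingName, $targetName -SecurityScopeName 'Default'

# 4. What a staging user then does (run under that user's account): the PowerShell
#    equivalent of "Add Computer Information", straight into the target collection.
#    Computer name and MAC address are constructed values.
Import-CMComputerInformation -ComputerName 'WS-0042' -MacAddress '00:11:22:33:44:55' `
    -CollectionName $targetName

# Check, also run as the staging user: only devices inside the limiting collection
# come back, because role-based administration filters the SMS Provider results
# before they reach the console or this cmdlet.
Get-CMDevice | Select-Object -ExpandProperty Name
```

The thing to verify afterwards is the limiting-collection chain: the target collection is limited by the role collection, the role collection is the only one limited by All Systems, and the administrative user entry names only those two collections. If All Systems appears in that entry, the users see every device in the hierarchy again. Both collections use incremental updates, so they count twice towards the 200-collection guideline mentioned above.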