Security Rights in SCCM Console (Answered)

  • August 13, 2009 15:17 boydgrossii
    I need some help fast.  I found this link and we're in the same boat:

    http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/0da27e47-11a1-4f3b-be7a-11cf6a30875f/

    We are trying to set it up to where they can only advertise to a collection and view the contents of the said collection.  So, we have a collection based on all computers in our domain.  Then, I have another collection they need to add computers into using "Computer Association" and remove computers, but I can't seem to tweak any of it just right.

    The problem is when I add that group and it creates two instances for the Collections:
    "INT\Helpdesk"  "Collection"  "(All Instances)"  "No Permissions"
    "INT\Helpdesk"  "Collection"  "DOMAIN"  "Read, Use remote tools, Advertise, View collected files, Read resource"

    The problem is that I can't see anything.  I see where I can expand Site Database > Computer Management > Collections > DOMAIN, but under that, I see the two Collections that I am allowed to see, but I see nothing under them, as in, there are no computers listed and I can't see their sub-collections. 

    How can I get that fixed and be able to have them send advertisements to the 2 collections I need them to (1 collection being a parent of many sub collections) and be able to add computers with Computer Association to 1 collection called "Imaging/Reimaging"?

Answer

  • February 4, 2010 3:36 WallyMSFT, Owner
     Marked as answer
    Since this has gone on for months now, can I suggest that you open a case with CSS to get this resolved more quickly than us going back and forth on it?
    Wally Mead

All replies

  • August 13, 2009 18:42 Eirik Hamer
    You also need to add the group INT\Helpdesk to the local group SMS Admins. See this for details:
    http://technet.microsoft.com/en-us/library/bb680510.aspx
  • August 13, 2009 18:45 boydgrossii
    Is that an account within SCCM or in Active Directory?

    Edit:  There is an SMS Administrators group in AD, but what kind of rights to the console would that give that user?  Would they have the ability to edit their own security rights?
  • August 13, 2009 19:09 Eirik Hamer
    The "SMS Admins" group is local unless the SCCM server is also a domain controller. If so, it's a domain local group.
    The AD group SMS Administrators is probably something someone in your company has created.
  • August 13, 2009 19:24 boydgrossii
    The SMS Administrators looks like a group created by our company.

    How would I add the Helpdesk into the SMS Admins?  I'm very new to this product and apologize for my noobness.  Is it something in the computer management on the server?
  • August 13, 2009 19:36 Eirik Hamer
    You have an AD group called INT\Helpdesk? Just add it to the local security group "<sccm server>\SMS Admins" on the SCCM server you want members of Helpdesk to manage.
  • August 13, 2009 19:37 boydgrossii
    Ah.  Okay.  I'll try that.
  • August 13, 2009 20:12 boydgrossii
    I just looked and "INT\Helpdesk" is in that group.  I've added my regular user in there as well and I still can't get it to only show the collections that I need with the contents of that collection.

  • August 13, 2009 20:50 Eirik Hamer
    Ok, let's start from scratch :)
    First of all, since you just want to add rights to some collections you need to use instance rights. These are not recursive, so you need to add rights to every single one even if some are subcollections of others. Go to Site Database -> Security Rights. Right-click Users, choose Manage ConfigMgr Users. Click Next, Modify existing user, choose INT\Helpdesk. If it doesn't show in the menu, choose Add a new user instead and add INT\Helpdesk. Click Next. Choose Add another right..., click Next. Choose Class Collection and as Instance, choose the collection in question. The rights you need to add, if I have understood your needs correctly, are:
    - Advertise
    - Read
    - Read resource
    Click Next and choose Add another right... Repeat as above for every collection. When done with the collections, you have to add rights for the class Advertisements (you have to do this on class level since they will be creating new advertisements). They need at least Create; consider Read.
    Last, for class Computer association, give right to Create.
  • August 13, 2009 20:58 boydgrossii
    I will try that.

    A question:  I have one collection with many sub-collections, so when I add the parent collection, should I be able to see the collections under it with the computers that are in that collection, or should I add each sub-collection?

    Here is a screenshot of the parent collection and its sub-collections.  Now, under those, there are many, many collections for each department.

    Is there a way to cover the parent collection and it go down to the child collections?

    http://imagebin.org/59472

    Edit:  What does the "View Collected Files" permission do?

  • August 13, 2009 21:04 Eirik Hamer
    I don't think so, but it's easy to try :)
  • August 13, 2009 21:15 boydgrossii
    I can get it to show the child collection to whichever one I make the instance for.  The problem now is 2 things:

    1:  That would be a huge inconvenience to have to do that for each collection.

    2:  I can't see the computers that are in that collection with my account that is set up like Helpdesk.

    The collections are set up to mirror our AD organization.

    Example:  Domain > CNHQ > Division > Main Department > Sub Departments > Computer

    Edit:  Here's a screenshot of my 'regular' user setup.

    http://imagebin.org/59475
  • August 13, 2009 21:30 Eirik Hamer
    Sorry, I just have to ask: You've pressed F5 since the change, I hope?

  • August 13, 2009 21:42 boydgrossii
    LOL!  Yes :(
  • August 13, 2009 21:51 Eirik Hamer
    That's what I was afraid of ;-) I'll see if I can test this tomorrow, don't have a server to do so here...
  • August 13, 2009 21:59 boydgrossii
    I'm almost out of here today.  I won't be in tomorrow, but I will check it Monday. 
  • November 10, 2009 9:10 WallyMSFT, Owner
    Is this still an issue? It has been almost three months with no update.
    Wally Mead
  • November 17, 2009 14:54 boydgrossii
    This is still an issue.  I'm trying to tinker with everything I can think of, but I'm still very new to this.  It seems that one tech can use this from a different computer and the other 2 techs don't have access to another computer, so I haven't been able to test it with them.
  • November 30, 2009 10:52 Eirik Hamer
    > The problem is that I can't see anything.  I see where I can expand Site Database > Computer Management > Collections > DOMAIN, but under that, I see the two Collections that I am allowed to see, but I see nothing under them, as in, there are no computers listed and I can't see their sub-collections.
    >
    > How can I get that fixed and be able to have them send advertisements to the 2 collections I need them to (1 collection being a parent of many sub collections) and be able to add computers with Computer Association to 1 collection called "Imaging/Reimaging"?

    Let's start with your original questions:
    - You have to add rights to every single collection, there is no inheritance when using instance rights.
    - To see the contents of the collections, you need to add the "Read resource" right.
    - To add computers to a collection I believe you need to add the "Modify resource" right.
  • November 30, 2009 17:53 boydgrossii
    I do have Read rights on the parent collections or "All Instances".  I noticed that if I wanted to take a read right away from a collection, then it wants to take this away from "All Instances" and then they definitely can't see anything.

    We had a document where we could set up templates (or something like that) and when a user opens SCCM, they only see what we have set up for them to see, so instead of seeing every collection, they only see the collections we allow them to see through the template.

    What I would like to do is have them see the collection they need to see without seeing every other collection so that they can modify their collection to how they want to without seeing everything that everyone else is doing.
  • November 30, 2009 19:17 Eirik Hamer
    You must decide if you want to use Instance or Class rights for the group Helpdesk. You can't use class rights and then remove one of those rights on an instance of the same class.

  • November 30, 2009 19:26 boydgrossii
    What I kept running into is if I took off the rights to the class to read, it would say that it had to do that on "All Instances" and so I couldn't take off the read rights.
  • November 30, 2009 20:05 Eirik Hamer
    I'm tempted to say "of course"... The class "Collection" includes all collection instances. Let's say you have collections A, B and C. If you add the class right "Read" for class "Collection" then you would have read permissions for A, B and C. If you want read rights for just A and B then you'll have to remove the class rights entirely and add instance rights for A and B. There is no way to set rights for the class with exceptions for some instances.
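    The rights model Eirik describes in this reply and in his earlier list (class rights cover every instance, instance rights are per-collection with no inheritance to subcollections, an instance cannot be excepted from a class right, and seeing the computers inside needs "Read resource") as an added, runnable model. This is illustrative code, not anything from SCCM or from the posters; the bit values are assumed from the SCCM 2007 SDK and the CNHD/Ada/Ardmore/Duncan tree is the constructed sample from later in this thread.

```python
# Model of SCCM 2007 console security rights as described in this thread.
# Bit values assumed from the SCCM 2007 SDK (SMS_User*Permissions masks);
# verify against your own site before relying on them.
READ = 1
ADVERTISE = 64
MODIFY_RESOURCE = 128
READ_RESOURCE = 4096

# Collection tree taken from the thread (constructed sample): parent -> subcollections
TREE = {"CNHD": ["Ada", "Ardmore", "Duncan"], "Ada": [], "Ardmore": [], "Duncan": []}


class CollectionRights:
    """Class and instance rights for the 'Collection' object class."""

    def __init__(self):
        self.class_rights = {}      # user -> mask, applies to "All Instances"
        self.instance_rights = {}   # (user, collection) -> mask, this collection only

    def grant_class(self, user, mask):
        self.class_rights[user] = self.class_rights.get(user, 0) | mask

    def grant_instance(self, user, collection, mask):
        key = (user, collection)
        self.instance_rights[key] = self.instance_rights.get(key, 0) | mask

    def revoke_instance(self, user, collection, mask):
        # The console refuses this: a class right cannot be excepted per instance,
        # it has to be removed at class level ("All Instances") first.
        if self.class_rights.get(user, 0) & mask:
            raise ValueError("right is granted at class level; remove it there first")
        key = (user, collection)
        self.instance_rights[key] = self.instance_rights.get(key, 0) & ~mask

    def effective(self, user, collection):
        # Class rights OR this instance's rights; nothing is inherited from the parent.
        return self.class_rights.get(user, 0) | self.instance_rights.get((user, collection), 0)

    def visible(self, user):
        """Collections the user can see at all (needs Read on each one)."""
        return sorted(c for c in TREE if self.effective(user, c) & READ)

    def can_list_members(self, user, collection):
        """Seeing the computers inside needs Read resource on top of Read."""
        need = READ | READ_RESOURCE
        return self.effective(user, collection) & need == need
```

Granting instance rights on CNHD alone makes CNHD visible but not its subcollections, which is exactly the behaviour the thread keeps running into.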
  • November 30, 2009 21:17 boydgrossii
    I tried doing that, but the problem I had was that the collection would show up, but I couldn't see anything within the collection and I couldn't see the sub-collections.
  • December 1, 2009 13:58 Eirik Hamer
    To see subcollections you need to add rights to each and every one. There is no workaround when using instance rights.
  • December 1, 2009 14:55 boydgrossii
    So if I take out the class rights and add the full control to each instance they need, that would work?
  • December 1, 2009 15:33 boydgrossii
    I have a set of collections that spans like so:

    Computer Management
      Collections
        CNHD
          Ada
          Ardmore
          Duncan
    I have granted my test user all rights on CNHD, Ada, Ardmore, and Duncan, but I can't see anything beyond "Collections", so would I have to give read rights on the "Collections" and then take the read rights out of the individual collections we don't want them to see?
  • January 23, 2010 12:35 Eirik Hamer
    If you use instance rights there is no need to remove anything from the collections you don't want someone to see.
    And yes, you need read rights on Collections to see CNHD. Maybe also "Read Resource", but try with just "Read" first.

  • January 25, 2010 16:18 boydgrossii
    We read something on setting up individual consoles for user groups and it would only show something for each group that opens the SCCM Console.  Does anyone know anything about that?
  • January 25, 2010 17:26 Eirik Hamer
    You can read how to in this post:
    http://technet.microsoft.com/en-us/library/bb680691.aspx

    You will still have to delegate rights as mentioned above.

  • February 1, 2010 10:38 Lundegard
    Hi !

    I've run into a similar issue.
    I can not see any advertisements after upgrading to SP2.
    What I did was installing the AdminConsole on a client computer, and there it worked fine.
    Since I'm using the Console via TS Web, I'm now waiting for my Server team to reinstall the console on those servers.

    I'd recommend you try to install the Adminconsole on a workstation that does not have it installed already to see if this solves your issue.

  • February 1, 2010 16:16 boydgrossii
    @Erik:  So, I have to grant instance rights and not class rights for me to be able to see everything I need to, correct?

    I have two user accounts:  A super user and a regular user.  I can set this up for my super user and test it out.  Is there a fast way I can do this?  What rights do I need to give my test account?

  • February 1, 2010 16:35 boydgrossii
    > You can read how to in this post:
    > http://technet.microsoft.com/en-us/library/bb680691.aspx
    >
    > You will still have to delegate rights as mentioned above.


    Update:  I just tried that, Erik, and I wasn't able to select what Collections I was able to view.  Is that because I haven't set the rights in SCCM yet?  If so, what rights do I need to set?
  • February 2, 2010 13:14 Eirik Hamer
    First you need to give the right permissions in SCCM as discussed above.
    Then you create a custom console according to the link above, where you only choose the features you want/have permissions for.
  • February 2, 2010 19:32 boydgrossii
    Okay, just for testing, I've taken a collection called CNHD.  I took myself out of the "Class Security" for the "collections" and then went to CNHD and all of its sub-collections and granted my test user full rights and then made that custom console through MMC and I still can't see anything.

    Edit:  Location for screenshot:  http://imagebin.org/83037
  • February 5, 2010 17:04 boydgrossii
    > Since this has gone on for months now, can I suggest that you open a case with CSS to get this resolved more quickly than us going back and forth on it?
    > Wally Mead

    I think this would be the best idea.  It doesn't appear that this has been done yet.