Security Scopes: All instances of the objects that are related to the assigned security roles greyed out

  • Question

  • So the guy who built our SCCM server is no longer in the company and his AD account no longer exists.  I noticed in SCCM, however, that his account has the "All instances of the objects that are related to the assigned security roles" option selected. However, the option is greyed out for everyone else.

    This option is the one found under Administration/Security/Administrative Users: select the user, open Properties, then select the Security Scopes tab.

    Is there a way we can provide another user this same level access when we can no longer access through the original build account?
    Already looked into tombstone resurrection of his account; that's a no go.

    Thursday, May 22, 2014 2:25 AM


All replies

  • Friday, May 23, 2014 5:28 AM
  • You could also try to run the Configuration Manager console with the SYSTEM account (via Psexec) and see if that gives you some more possibilities.

    Follow me on twitter: pvanderwoude

    Friday, May 23, 2014 6:02 AM
  • Rebuild ended up being the only way to fix it.  Must set this at the start and then only this account can provide the rights to others.

    Good case for always using service accounts and not people's logins for these.

    Wednesday, September 23, 2015 8:35 AM
  • This is an old thread, but we recently ran across this exact same scenario in our environment.  I did some digging around in the database because I did not want to rebuild SCCM, and I found an easy fix.  This is probably not supported, so proceed at your own risk.  We have not had any adverse effects as a result of these changes on SCCM 2012 R2 SP1.

    The table that contains the admin user data is [dbo].[RBAC_Admins].  The key here is the SID linked to the AdminID of the old user.  You will want to update the table so that the new account SID replaces the SID for the old AdminID that has the 'All' privilege.

    1. Go into SCCM and add the new user as an administrator so they appear in the [dbo].[RBAC_Admins] table.

    2. Modify and run the query below:

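    -- Replace every <...> placeholder before running. Both WHERE clauses filter
    -- on the AdminID column, so supply the AdminID values of the new and old rows.
    -- Read the SID stored on the new user's row (created in step 1).
    DECLARE @Y varbinary(85)
    SET @Y = (SELECT [AdminSID] FROM [dbo].[RBAC_Admins] WHERE [AdminID] = <new admin sid>)
    -- Point the old administrator's row at the new account.
    UPDATE [dbo].[RBAC_Admins]
       SET [AdminSID] = CONVERT(varbinary(85), @Y, 1),
           [LogonName] = '<new logon name ie domain\username>',
           [DisplayName] = '<new display name>'
     WHERE [AdminID] = <old admin sid>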

    3.  Go into SCCM and remove the old/secondary record for the new user (they will show twice, one for the old user you replaced - keep this one, and one for when you added this user directly).

    4. You can then log in as that user and grant the 'All' rights to whoever you need.

    • Edited by SeedTech Friday, November 6, 2015 12:06 AM
    • Proposed as answer by Troutp2 Friday, April 19, 2019 5:02 PM
    Friday, November 6, 2015 12:05 AM
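
A guarded way to run the SID swap from SeedTech's answer above, as an added example that is not part of the original post or any Microsoft procedure: it copies the table first, takes the new account's values from its own row instead of retyping them, and rolls back unless exactly one row changes. The two AdminID values, the backup table name and the nvarchar lengths are assumptions; a direct edit of the site database remains unsupported either way.

```sql
-- Added example: same table and columns as the answer above, with a backup and guards.
SET XACT_ABORT ON;  -- a runtime error aborts the batch and rolls back open work

DECLARE @OldAdminID int = 0;  -- placeholder: AdminID of the departed account's row
DECLARE @NewAdminID int = 0;  -- placeholder: AdminID of the row created in step 1

-- Review both rows first and confirm which one is which.
SELECT [AdminID], [AdminSID], [LogonName], [DisplayName]
  FROM [dbo].[RBAC_Admins]
 WHERE [AdminID] IN (@OldAdminID, @NewAdminID);

-- Keep a copy of the table as it was (hypothetical table name; a full
-- database backup taken beforehand is the stronger option).
SELECT * INTO [dbo].[RBAC_Admins_PreSwap] FROM [dbo].[RBAC_Admins];

BEGIN TRANSACTION;

-- Column lengths are assumed; adjust to the real column definitions.
DECLARE @NewSID varbinary(85), @NewLogon nvarchar(256), @NewDisplay nvarchar(256);
SELECT @NewSID = [AdminSID], @NewLogon = [LogonName], @NewDisplay = [DisplayName]
  FROM [dbo].[RBAC_Admins]
 WHERE [AdminID] = @NewAdminID;

-- Guard 1: the new row must exist and must not be the row being overwritten.
IF @NewSID IS NULL OR @OldAdminID = @NewAdminID
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('New admin row not found, or old and new AdminID are identical.', 16, 1);
    RETURN;
END;

UPDATE [dbo].[RBAC_Admins]
   SET [AdminSID] = @NewSID, [LogonName] = @NewLogon, [DisplayName] = @NewDisplay
 WHERE [AdminID] = @OldAdminID;

-- Guard 2: exactly one row (the old administrator) may be touched.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one row for the old AdminID; nothing was changed.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;
```
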
  • This really helped me a lot. Thanks for the post, Seedtech. You saved me the time of rebuilding the SCCM infra.


    Tuesday, May 16, 2017 5:37 AM
  • I didn't do it.  Can you give more information?

    Sunday, January 6, 2019 11:06 AM
  • Here we are 4 years later and this just helped a ton! Thanks!
    Friday, April 19, 2019 5:03 PM