When might you not use AD for assigning roles?

  • Question

  • Hi, I am new to Service Center and over the past few days have read lots and reviewed many questions on the forums. As I understand it, it is best practice to use AD Security Groups when assigning users roles. 

    Is there a scenario where you could not use AD security groups?

    I am advising an organisation on security best practice for their SCCM implementation and would like to advise that all user roles should be assigned using AD security groups.

    Many thanks Paul

    Wednesday, February 19, 2014 6:23 AM

All replies

  • Hey

    You could assign ADDS user accounts directly to SCSM user roles, but as you stated, this is a bad practice in terms of manageability and visibility. Follow group nesting best practices and assign users to SCSM user roles by using the A-G-DL-P or A-G-G-DL-P concepts (or something similar). This also works nicely for multi-domain/forest scenarios.


    Marcel Zehner // Blog --> http://marcelzehner.ch // Twitter --> @marcelzehner // Business --> http://www.itnetx.ch

    Wednesday, February 19, 2014 7:41 AM
  • Hi,

    We've come across customers who had issues with too many levels of nested groups as members of a SCSM User Role. This makes the SQL Server CPU spike for several minutes during the implied permission calculations, which happen once per hour. If you have a large number of users this might actually kill your SQL performance for 10-20 minutes once per hour. Just something to bear in mind.

    I'll try to write a blogpost about this in the near future.


    Anders Asp | Lumagate | www.lumagate.com | Sweden | My blog: www.scsm.se

    Wednesday, February 19, 2014 10:59 PM
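
Added example, not part of any reply above and not code from SCSM or the posters: a PowerShell audit that reports how deeply groups are nested under a group assigned to a user role, which users end up with the role, and any circular memberships. The group names, user names and the `$MaxDepth` threshold are constructed assumptions; the thread gives no numeric limit.

```powershell
# Constructed sample data: group name -> direct members (groups or users).
# In a live domain this map could be filled from Get-ADGroupMember
# (ActiveDirectory module); every name below is hypothetical.
$Members = @{
    'DL-SCSM-Analysts'  = @('G-ServiceDesk', 'G-Ops')
    'G-ServiceDesk'     = @('alice', 'bob')
    'G-Ops'             = @('G-Ops-Night', 'carol')
    'G-Ops-Night'       = @('G-Ops-Contractors', 'dave')
    'G-Ops-Contractors' = @('erin', 'G-Ops')   # circular: points back to G-Ops
}

function Get-NestingReport {
    param(
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [hashtable] $Map,
        [string[]] $Path = @()               # groups already on this branch
    )
    $Path += $Group
    $report = [pscustomobject]@{ Depth = 0; Users = @(); Cycles = @() }
    foreach ($m in $Map[$Group]) {
        if (-not $Map.ContainsKey($m)) {     # not a known group: treat as a user
            $report.Users += $m
            continue
        }
        if ($Path -contains $m) {            # group already on the path: a loop
            $report.Cycles += (($Path + $m) -join ' > ')
            continue
        }
        $child = Get-NestingReport -Group $m -Map $Map -Path $Path
        $report.Depth   = [Math]::Max($report.Depth, $child.Depth + 1)
        $report.Users  += $child.Users
        $report.Cycles += $child.Cycles
    }
    $report.Users = @($report.Users | Sort-Object -Unique)
    return $report
}

# Assumed review threshold for nesting levels below the role-assigned group.
$MaxDepth = 2
$r = Get-NestingReport -Group 'DL-SCSM-Analysts' -Map $Members
[pscustomobject]@{
    RoleGroup      = 'DL-SCSM-Analysts'
    NestingDepth   = $r.Depth
    EffectiveUsers = $r.Users -join ', '
    Cycles         = $r.Cycles -join '; '
    NeedsReview    = ($r.Depth -gt $MaxDepth) -or ($r.Cycles.Count -gt 0)
} | Format-List
```

The walk follows every branch without caching, so on a large directory export the map once and run the report per role-assigned group rather than per user.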