Giving Domain Computers change permissions on SCCM collection

  • Question

  • I want to give "Domain\Domain Computers" change permissions on an SCCM collection so I don't have to provide a username and password in the computer startup script:

    Set lLocator = CreateObject("WbemScripting.SWbemLocator")
    Set gService = lLocator.ConnectServer(SMSServer, "Root\SMS\Site_" & SMSSiteCode)

    But after giving the correct permissions on the collection instance I still get access denied. What do I have to do to give Domain Computers change access to a collection?

    Tuesday, February 23, 2010 3:38 PM

All replies

  • For this to work you would also have to make domain computers members of the group SMS Admins. Would I recommend it? No way.
    Tuesday, February 23, 2010 3:50 PM
  • I don't want to give full access to everything, just one collection. It should be possible, shouldn't it?
    Tuesday, February 23, 2010 3:54 PM
  • Are you using LTI or ZTI? If you're using LTI you can simply use the MDT username/password ZTI vars and pipe them into your little scriptlet after attaching ZTIUtility to it. I do something similar to join AD groups while not logged in as a domain user. It propagates the obfuscated credentials from the MDT environment and binds to a DC as the user who ran the deployment. Completely secure and automatic.

    My only concern is:

     so I don't have to provide a username and password in the computer startup script;

    I'd need a bit more detail; I'm assuming this will work, but it entirely depends on your situation. You could also try serving this up via DB queries/web services or something from another DB or table with a read-only address.


    Tuesday, February 23, 2010 4:11 PM
  • Yes, partially, but you'd still have to make them members of SMS Admins to give them access to the SMS Provider, so the area of attack would increase a lot.
    Tuesday, February 23, 2010 4:12 PM
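
The replies above warn against placing Domain Computers in SMS Admins. The following audit script is an added example, not code from any poster in this thread; it flags broad principals that are direct members of that group. It assumes it is run on the server hosting the SMS Provider, where SMS Admins is a local group, and the function name `Test-BroadPrincipal` is hypothetical.

```powershell
# Added example: audit the local "SMS Admins" group for principals that
# cover every machine or user. Assumes it runs on the SMS Provider server.
# Only direct members are checked; nested domain groups are not expanded.
$GroupName = 'SMS Admins'

# Well-known SIDs and domain RIDs for broad principals.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}
$BroadRids = @{
    '513' = 'Domain Users'
    '515' = 'Domain Computers'
}

function Test-BroadPrincipal {
    param([string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain account SIDs have the form S-1-5-21-<domain id>-<RID>.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and
        $BroadRids.ContainsKey($Matches[1])) {
        return $BroadRids[$Matches[1]]
    }
    return $null
}

try {
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
} catch {
    Write-Error "Could not read '$GroupName': $($_.Exception.Message)"
    return
}

$findings = foreach ($m in $members) {
    $label = Test-BroadPrincipal -Sid $m.SID.Value
    if ($label) {
        [pscustomobject]@{
            Group  = $GroupName
            Member = $m.Name
            Sid    = $m.SID.Value
            Reason = $label
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad principals found in '$GroupName'." }
```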