Rights Required to Publish to AD RRS feed

  • Question

  • What specific rights are required in Active Directory for SCCM to successfully publish?  The site server computer account has Full Control permissions to the System Management container and all descendant objects, but is unable to publish to AD.  If I give a service account Domain Admin permissions, publishing works successfully.  Keeping the service account as a Domain Admin is not an option for our environment, so where exactly does the SCCM need to write in AD besides the Systems Management container in order to publish?
    Thursday, November 7, 2013 3:48 PM

Answers

  • As I suspected, there are more rights required than what is called out in the TechNet article.  In addition to Full Control of the System Management container and all descendant objects, Read permissions on the System container are also required.  I have asked Microsoft Support to update the TechNet article with this information.

    I can somewhat understand why this isn't documented already since the default rights on a new domain give Authenticated Users Read permissions to the System container.  However, it would be far better for Microsoft to document the complete requirements instead of assuming people have the defaults.

    • Marked as answer by BrianG_WPSIC Friday, December 6, 2013 12:53 PM
    Friday, December 6, 2013 12:53 PM
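    An added example (not from the thread or from Microsoft) that checks exactly the two rights the answer names for a site server computer account: Read on CN=System and Full Control with inheritance on CN=System Management. The site server name, the well-known SIDs and the rights checked are assumptions; it needs the ActiveDirectory module and only reads the ACLs.

```powershell
# Added example: verify the AD rights the thread identified as required for
# ConfigMgr publishing. Assumes the ActiveDirectory module (AD: drive) and a
# site server account name; adjust $SiteServer for your environment.
Import-Module ActiveDirectory
$SiteServer = 'CM01'   # assumed site server computer account (hypothetical)

$domain   = Get-ADDomain
$systemDN = "CN=System,$($domain.DistinguishedName)"
$smDN     = "CN=System Management,$systemDN"
$computer = Get-ADComputer -Identity $SiteServer

# Rights are usually granted through a group, so collect the account's SID,
# its direct group SIDs (nested groups are not expanded here) and the
# well-known SIDs that carry the default Read on CN=System.
$sids = @($computer.SID.Value)
$sids += (Get-ADPrincipalGroupMembership -Identity $computer).SID.Value
$sids += 'S-1-5-11', 'S-1-1-0'   # Authenticated Users, Everyone

function Test-AdRight {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [switch]$RequireInheritance
    )
    $acl = Get-Acl -Path "AD:\$Path"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip ACEs limited to a single attribute or object class
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -notcontains $aceSid) { continue }
        # Every requested right bit must be present in this one ACE
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        # "This object and all descendant objects" means an inheriting ACE
        if ($RequireInheritance -and $ace.InheritanceType -eq 'None') { continue }
        return $true
    }
    return $false
}

$readOnSystem = Test-AdRight -Path $systemDN -Right 'ReadProperty, ListChildren'
$fullOnSM     = Test-AdRight -Path $smDN -Right 'GenericAll' -RequireInheritance

[pscustomobject]@{
    SiteServer                  = $SiteServer
    ReadOnSystemContainer       = $readOnSystem
    FullControlOnSystemMgmtTree = $fullOnSM
    ReadyToPublish              = ($readOnSystem -and $fullOnSM)
}
```

    If ReadOnSystemContainer is false on a domain that has been locked down, that is the case the thread describes: Full Control below CN=System Management does not help when the parent cannot be read.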

All replies

  • Full control to this object and all descendant objects.

    Torsten Meringer | http://www.mssccmfaq.de

    • Proposed as answer by Gerry Hampson MVP Thursday, November 7, 2013 4:13 PM
    • Unproposed as answer by BrianG_WPSIC Thursday, November 7, 2013 4:14 PM
    Thursday, November 7, 2013 4:05 PM
  • There has to be more than that.  As I mentioned, the site server computer account has Full Control permissions to the System Management container, but is unable to publish to AD.  I apparently failed to mention that its permissions also include all descendant objects.
    Thursday, November 7, 2013 4:07 PM
  • Nothing more than Torsten specified is required.


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Thursday, November 7, 2013 4:14 PM
  • That can't be true.  The site server computer account and a service account both have Full Control permissions to the System Management container and all descendant objects.  Neither of them are able to publish successfully.
    Thursday, November 7, 2013 4:15 PM
  • There's nothing more. Have you added permissions directly or via group membership? The latter would require a reboot of the server.
    Also see http://technet.microsoft.com/en-us/library/gg712264.aspx#BKMK_SetSMContainer if you don't believe me.
    How did you determine that there are permission issues at all?

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, November 7, 2013 4:19 PM
  • Permissions are given via group membership.  The server has been rebooted several times since the group and permissions were applied.  What led me to a permissions issue was the line in hman.log that says "Could not obtain Access to Active Directory, HRESULT=0x8007200A."  When I found that, I gave the service account Domain Admin permissions and had it try publishing again.  That time it succeeded where ten minutes before (without the Domain Admin permissions) it had failed.

    Since then, I removed the Domain Admin permissions.  It has tried publishing again, and failed with the same error.

    Thursday, November 7, 2013 4:22 PM
  • What you are describing is odd.

    1. Did you extend the schema in advance? (although theoretically it should work anyway but it's better to do this)

    2. How is your AD replication?



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson


    Thursday, November 7, 2013 4:33 PM
  • The schema has been extended for years.  We were on SCCM 2007 a few years ago and upgraded to 2012, then to 2012 SP1, and now I'm working on a new 2012 R2 server.  TechNet states you don't need to do anything with the schema to use 2012 if you extended it for 2007.

    AD replication is usually near-instant.  The group membership and permissions were applied over 24 hours ago.

    Thursday, November 7, 2013 4:43 PM
  • 0x8007200A = "The specified directory service attribute or value does not exist."

    Based on this and this article -- http://support.microsoft.com/kb/325053 (which is in no way specific to your issue but similar in nature) -- I'd say you have your AD locked down in some non-standard way and/or inheritance is disabled on the System Management container.


    Jason | http://blog.configmgrftw.com

    Thursday, November 7, 2013 5:35 PM
  • I've asked our Systems Engineer to make sure there isn't any broken inheritance within the container and will report back.
    Thursday, November 7, 2013 5:46 PM
  • Our Systems Engineer tells me the only subcontainer is inheriting permissions from System Management.
    Thursday, November 7, 2013 6:41 PM
  • Can you check the effective permissions on the CM objects in the container?
    (maybe something odd has happened, e.g. inheritance is broken/removed on the objects)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, November 7, 2013 8:22 PM
  • Our Systems Engineer just spot-checked about 10 of the 30-or-so objects and all of them were inheriting permissions.
    Thursday, November 7, 2013 8:31 PM
  • Is there anywhere that I can see what exactly happens during publishing?  Meaning, how can I find out what objects it's trying to write to as it goes through the publishing process?
    Thursday, November 7, 2013 8:39 PM
  • Yes, in the logs -- just like everything else in ConfigMgr :-)

    hman.log to be specific.


    Jason | http://blog.configmgrftw.com

    Thursday, November 7, 2013 8:43 PM
  • That's the log I've been looking at, but it doesn't tell me what happened when it failed, just "Could not obtain Access to Active Directory, HRESULT=0x8007200A."  It doesn't tell me what container or object it was trying to access when it failed.
    Thursday, November 7, 2013 8:45 PM
  • I would recommend that you contact Microsoft Support (CSS) for this. Generally this is a "two second" task to set full control to this object and all descendant objects.

    There are no special permissions needed outside of the one Torsten has already stated in the first post.

    My guess is that you have some AD issues or something is locked down. CSS is the best team to deal with this issue.


    http://www.enhansoft.com/

    • Marked as answer by Joyce L Friday, December 6, 2013 9:32 AM
    • Unmarked as answer by BrianG_WPSIC Friday, December 6, 2013 12:50 PM
    Thursday, November 7, 2013 11:55 PM
  • I can somewhat understand why this isn't documented already since the default rights on a new domain give Authenticated Users Read permissions to the System container.  However, it would be far better for Microsoft to document the complete requirements instead of assuming people have the defaults.

    So you must have changed the defaults. Not everything can be documented as you already mentioned, but glad the issue was solved now. Thanks for updating the post!

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, December 6, 2013 1:25 PM
  • I'm not sure we changed the defaults.  Our domain was created before any of the current IT staff were here and it was originally a Server 2000 domain.  I don't have the time or resources required to test, but it's possible the default permissions on the System container for Server 2000 and Server 2012 are different.  My "default rights" comment was based off a freshly-built Server 2012 DC in my lab.
    Friday, December 6, 2013 1:27 PM
  • But if you have Full Control to the System Management container and all objects below it, you automatically have Read permissions. So I'm not sure what is going on within your environment.


    http://www.enhansoft.com/

    Friday, December 6, 2013 2:37 PM
  • You must have read that wrong.  The Read permissions are on the System container, not the System Management container.  System is the parent of System Management.
    Friday, December 6, 2013 2:38 PM
  • You must have read that wrong.  The Read permissions are on the System container, not the System Management container.  System is the parent of System Management.

    Oops, sorry about that. I guess I need more coffee.

    http://www.enhansoft.com/

    Friday, December 6, 2013 2:53 PM