Viewing / Controlling Security Scopes on Collections via PowerShell

  • Question

  • We are tidying up SCCM and I am coming across a lot of collections that I cannot delete as I get "This collection cannot be deleted. It is assigned as scope to another user".

    I can drill down and find the group/user under Administrative Users and remove the collection from the list, but this is a particularly laborious task, especially when you have to go through more than one, and I can't see a "bird's eye" view of all the users it is assigned as scope to.

    Can anyone suggest an easier way of removing the assigned scope (or even just identifying it) so I know exactly where to look when I get the notice it can't be deleted, instead of trawling through massive lists?

    Thursday, May 5, 2016 3:34 PM

Answers

  • Dear Sir,

    You can find the users who have a collection assigned as a security scope by querying WMI; see the PowerShell script below. It returns all users who have the collection as a security scope. (Replace the collection name and site code.)

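    # Path to the ConfigurationManager module installed with the admin console
    $cmdletLocation = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
    # Collection to look up (-like is used below, so wildcards are accepted)
    $collectionName = 'Win10'

    # Load the module and switch to the site drive (site code CLT)
    Import-Module $cmdletLocation
    cd CLT:

    # Logon name of every administrative user that has the collection in scope
    (Get-WmiObject -Namespace ROOT\SMS\SITE_CLT -Class SMS_Admin | where {$_.CollectionNames -like $collectionName}).LogonName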

    You can even add some other lines to make it easier for you.

    Best regards

    Frank




    • Edited by Frank Dong Friday, May 6, 2016 12:02 PM
    • Marked as answer by Frank Dong Tuesday, June 7, 2016 12:26 AM
    Friday, May 6, 2016 12:01 PM
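
The "bird's eye" view asked for in the question, as an added example that is not part of the original thread: it inverts SMS_Admin records into one row per collection, listing every account that has it in scope. Get-CollectionScopeMap and the CONTOSO sample accounts are hypothetical; only the SMS_Admin class and its LogonName and CollectionNames properties come from the answer above.

```powershell
# Added example (not from the thread): per-collection view of scope assignments.
function Get-CollectionScopeMap {
    [CmdletBinding()]
    param(
        # Objects exposing LogonName and CollectionNames, as SMS_Admin instances do.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Admin,
        # Optional wildcard filter on the collection name.
        [string]$CollectionName = '*'
    )
    begin { $map = @{} }   # collection name -> list of logon names
    process {
        foreach ($a in $Admin) {
            # Users with no collection scope have an empty or null list.
            foreach ($name in @($a.CollectionNames)) {
                if ([string]::IsNullOrEmpty($name) -or $name -notlike $CollectionName) { continue }
                if (-not $map.ContainsKey($name)) {
                    $map[$name] = New-Object 'System.Collections.Generic.List[string]'
                }
                if (-not $map[$name].Contains($a.LogonName)) { $map[$name].Add($a.LogonName) }
            }
        }
    }
    end {
        foreach ($name in ($map.Keys | Sort-Object)) {
            [pscustomobject]@{
                Collection = $name
                UserCount  = $map[$name].Count
                Users      = ($map[$name] | Sort-Object) -join '; '
            }
        }
    }
}

# Constructed sample records (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\sccm-helpdesk'; CollectionNames = @('Win10', 'All Servers') }
    [pscustomobject]@{ LogonName = 'CONTOSO\jdoe';          CollectionNames = @('Win10') }
    [pscustomobject]@{ LogonName = 'CONTOSO\patching';      CollectionNames = @('All Servers') }
    [pscustomobject]@{ LogonName = 'CONTOSO\fulladmin';     CollectionNames = $null }
)
$sample | Get-CollectionScopeMap | Format-Table -AutoSize

# Against a live site, pipe in the query from the answer above (site code CLT as posted):
# Get-WmiObject -Namespace ROOT\SMS\SITE_CLT -Class SMS_Admin | Get-CollectionScopeMap -CollectionName 'Win10'
```

Running it without -CollectionName before a cleanup shows every collection that is still referenced as a scope, so the blocking assignments are known before a delete is attempted.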

All replies

  • I don't know if there's any other way to do this today, although it lends itself to PowerShell nicely. You should file an item on UserVoice for managing scopes using PowerShell.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, May 5, 2016 10:50 PM
  • Indeed!
    Monday, May 23, 2016 4:13 PM
  • Thanks Frank, this looks like it could do the job.
    Monday, May 23, 2016 4:13 PM