Setting up a Role in SMS for Specific Collections

SMS rights are a pain to work with. (Don't think so? Well then, stop reading!) For instance, giving a user or group rights for specific collections becomes a tricky situation. I say this because rights are not inherited, so when you try to create roles with less than super admin access, it gets sticky.

Role for a specific collection, or set of collections.

Assign class rights for the following: Advertise, Create, Manage Folders, and Delegate.

Assign the following instance rights for the collections you wish the role to have access to: Read, Modify, Delete. (Do this for each collection, and one of those collections must contain some computers!)

If you do this with a hierarchy, for example, you would have the top-level collection with the computers which the role can manage. Anyone in that role can then manage only that collection of computers. Every time they make a new collection, they will be forced to limit their query to that top-level collection with the computers in it.

If necessary, remove the user's instance rights for other collections.

Any collection which they can see, they can advertise to.

The user who creates a collection must use their Delegate right to grant rights to others in the role.
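The steps above can be checked after the fact. The following is an added example, not code from this post or from SMS: it audits one role against the class rights, per-collection instance rights, leftover grants and "must contain computers" conditions described here. The right names are the post's; the dictionary layout, the function name audit_role and the collection names are assumptions made for illustration.

```python
# Added example. Right names come from the post; the dict layout and the
# collection names are constructed, not an SMS export format.
CLASS_RIGHTS = {"Advertise", "Create", "Manage Folders", "Delegate"}
INSTANCE_RIGHTS = {"Read", "Modify", "Delete"}


def audit_role(class_rights, instance_rights, scope, computers):
    """Return findings for one role; an empty list means it matches the post.

    class_rights    -- set of class rights the role holds on collections
    instance_rights -- {collection: set of instance rights}, one entry per
                       explicit grant (nothing is inherited from a parent)
    scope           -- set of collections the role is meant to manage
    computers       -- {collection: number of computers it contains}
    """
    findings = []
    missing = CLASS_RIGHTS - class_rights
    if missing:
        findings.append("missing class rights: " + ", ".join(sorted(missing)))
    for name in sorted(scope):
        # Not inherited: every in-scope collection needs its own grant.
        lacking = INSTANCE_RIGHTS - instance_rights.get(name, set())
        if lacking:
            findings.append(f"{name}: missing instance rights: "
                            + ", ".join(sorted(lacking)))
    for name in sorted(set(instance_rights) - scope):
        # Leftover grants widen what the role can see and advertise to.
        if instance_rights[name]:
            findings.append(f"{name}: out-of-scope instance rights: "
                            + ", ".join(sorted(instance_rights[name])))
    if not any(computers.get(name, 0) > 0 for name in scope):
        findings.append("no in-scope collection contains computers")
    return findings


# Constructed sample: a role scoped to a top-level collection and one child.
SCOPE = {"Branch Office PCs", "Branch Office Laptops"}
COMPUTERS = {"Branch Office PCs": 40, "Branch Office Laptops": 0,
             "All Systems": 900}
GRANTS = {
    "Branch Office PCs": {"Read", "Modify", "Delete"},
    "Branch Office Laptops": {"Read"},  # child never got its own full grant
    "All Systems": {"Read"},            # leftover from an earlier setup
}

if __name__ == "__main__":
    for line in audit_role({"Advertise", "Create", "Delegate"},
                           GRANTS, SCOPE, COMPUTERS):
        print(line)
```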


About the Author

Emmanuel Tsouris is a Systems Management veteran and Developer Advocate specializing in PowerShell and Cloud Automation. He maintains DotVBS to preserve legacy knowledge for the "archaeologist admin."
