RhoSysAdmin
asked on
role based administration in SCCM 2012 - desktop only managers
I have what I know to be a popular question. We have a new SCCM 2012 server and wish to configure role based administration so the Service Desk can only manage the desktops and laptops.
I know I need a collection of "All Desktops" which I think is my "Limiting collection" - which I have.
They need to be able to add and remove computers from collections.
They need to be able to import new computers to SCCM.
Eventually, they'll need to be able to deploy new computers via OSD, but I have migrated the task sequences from SCCM 2007 yet.
In all the sample articles I see, they keep showing a very narrow scope when it comes to defining the security scope (a particular application for example). I want to grant the Service Desk fairly broad permissions for desktops and laptops. I don't want to get cute with it, or create anything that's hard to manage going forward.
Can anyone point me to an article that's already created this wheel?
I know I need a collection of "All Desktops" which I think is my "Limiting collection" - which I have.
They need to be able to add and remove computers from collections.
They need to be able to import new computers to SCCM.
Eventually, they'll need to be able to deploy new computers via OSD, but I have migrated the task sequences from SCCM 2007 yet.
In all the sample articles I see, they keep showing a very narrow scope when it comes to defining the security scope (a particular application for example). I want to grant the Service Desk fairly broad permissions for desktops and laptops. I don't want to get cute with it, or create anything that's hard to manage going forward.
Can anyone point me to an article that's already created this wheel?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well, I've definitely been on the right track. I found that article yesterday.
I created an "All Desktop and Laptop Clients" collection and assigned our "IT Service Desk" AD group a couple of custom roles with that as the target collection.
I created an "IT Service Desk" security scope and used it with the assignment of the custom roles. I just don't quite understand what the custom "security scope" layer gets me. We're a small company - one location, one site server that handles everything for SCCM. Maybe we're too small for it to be obvious to me?
I created an "All Desktop and Laptop Clients" collection and assigned our "IT Service Desk" AD group a couple of custom roles with that as the target collection.
I created an "IT Service Desk" security scope and used it with the assignment of the custom roles. I just don't quite understand what the custom "security scope" layer gets me. We're a small company - one location, one site server that handles everything for SCCM. Maybe we're too small for it to be obvious to me?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I understand what you're saying. I guess I didn't ask the question correctly. I don't quite understand how a custom security scope works. I don't quite see how creating custom roles that are assigned specific collections will have different result whether I use the default security scope of the custom one I create.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also check this
https://dynamicdatacenter.wordpress.com/2012/10/25/role_based_administration_computer_import_manager/