FIX Issues with SCCM RBAC Clear Required PXE Deployments Options. Clear Required PXE Deployments is a regularly used option in SCCM / ConfigMgr.
What I recently found is that Operating System Deployment Managers (default security role) are not able to perform the above-mentioned function by right-clicking on a device.
FIX Issues with SCCM RBAC Clear Required PXE Deployments Options
Full Administrators won’t face this issue. The clear PXE option is available in SP1 beta. I’m not able replicate this issue in Service Pack 1 version of ConfigMgr 2012.
The Clear Required PXE deployment option is available in the ribbon menu. However, this will clear the required PXE boot deployments of all the members assigned to this site in this collection.
The members NOT assigned to this site will not be affected. So basically, it’s collection based clear PXE deployments and we don’t normally use this option because it will clear the PXE for all the members of that collection.
I’ve done some analysis on this. Following are steps that you need to follow to get this option available for Operating System Deployment Managers or any other security roles.
1. The security role should have “Modify Resource” access on Collection. Collection –-> Modify Resource –> Yes.
Administrative User/s (for e.g Operating System Deployment Manager) should be part of “All Systems” and “All Users and User Groups” collections irrespective of Security Scopes.
Note :: If you remove any of those (above mentioned) collections from the administrative user then the option to clear the PXE will get removed. Providing modify access to “All Systems” and “All Users and User Groups” is not a good idea.
The work around for this issue is to create a separate collection for PXE clear devices. If you want to clear PXE advert of a device then move that device into that collection and then do “Clear Required PXE Deployments”. This collection would act as temporary holding place for the device/s which we need to clear PXE adverts. I know there is slightly more administrative work involved in this method. However, it better than providing “modify resource” access to all the systems and users.
No need for much worry, as I can see this issue is not there in System Center 2012 Configuration Manager SP1 version (beta).
To know more about other issues we normally face during RBA implementation and How to fine-tune RBA in your organization, you can go through my posts – Post 1 and FIX Default Client Settings Issue With SCCM Security Role Infra Admin HTMD Blog (anoopcnair.com)