Let’s learn how to Create System Management Container & provide full control permissions. System Management is the container in the Active Directory to manage devices using ConfigMgr | SCCM.
NOTE! – You need to Extend Active Directory Schema before creating system management container.
TL;DR
System Management Container
ConfigMgr uses System management container to publish Management Point & Boundary details. ConfigMgr clients connect & query system management container to select the best MP available.
NOTE! – More details about Publishing site data for SCCM.
Prerequisite
- Login with user permission to Create All Child Objects permission on the System container for each domains. More details here.
- Create this container one time in each domain that has a primary or secondary site server that will publish data to Active Directory.
- Grant FULL Control permissions to the computer account of each primary and secondary site server
Create System Management Container
Let’s see how to create system management container.
- Run ADSI Edit (adsiedit.msc)
- Right Click on ADSI Edit node from MMC console and click on Connect to…
- Enter the site server’s Domain or Domain server details – Select or type a domain or server: (Server | Domain [:port])
- Click OK
- Expand Domain -> expand
- Right-click CN=System
- Select New, and then choose Object
- In the Create Object dialog box, choose Container, and then choose Next
- In the Value box, enter System Management, and then choose Next to continue
- Click on Finish button
Assign Permission
You have created the System Management container. Now let’s assign permissions to primary and secondary server computer accounts.
- Right-click CN=System Management, and then choose Properties
- Select the Security tab from System Management Properties
- Click on Add button
- Enter the site server computer account in the box below “Enter the object names to select“
- Click on Object Types
- Select Computers and Click OK
- Click on OK to continue with selection
- Select on the Site System Computer account
- Select the Full Control permission
- Repeat this step for all the site server in this domain
- Click on Advanced button
- Select the site server’s computer account
- Select Edit button
- Select drop down option called “This object and all descendant objects” from Applies to option
- Click OK to continue
- Click OK & OK to finish
Results
Now you have created System Management container and provided full control permission to site system servers.
Hi, Anoop,
One question: we have in our company a primary SCCM site, and we are going to create another one in parallel, to migrate from the old to the new, different name of site, we have problems with the S.O etc, would there be any problem in adding the new server in the container, along with the other one? with the same permissions.
Thank you very much for your help!
No I don’t think so.. it should be fine. You just need to make sure there is no conflict with the boundaries