FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr

Let’s discuss the FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr. In this post, I’ll provide a few tips on resolving some common issues with the built-in security role Infrastructure Administrator assignments in ConfigMgr 2012. 

Configuration Manager has a set of default settings. Modifying the default client settings affects all clients in the hierarchy.

You can also organize custom client settings, which control the default client settings when you assign them to collections.

Infra admins cannot view Default Client Settings and cannot create Custom Client Device Settings or Custom Client User Settings.

Patch My PC
[sibwp_form id=2]

FIX SCCM Default Client Settings Issue with SCCM Security Role Infra Admin

Yes, we can easily conclude that this could be due to some Security Scope issues. But how can we rectify this?

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.1
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.1

Setup

I’ve two administrative groups (Infra Admin India and Infra Admin SGP) assigned to build in the security role of Infrastructure Administrator. One is for India admins, and the other is for Singapore admins.

They have access to their respective primary servers. I’ve created two scopes, “India” and “Singapore,” which are assigned to proper objects.

The following picture shows the details of the “Infra Admin India” administrative user.

Adaptiva

Security Role = Infrastructure Administrator

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.2
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.2

Security Scopes and Collections = All India Systems, All India User Collection, and India

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.3
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.3

Issue/Problem

1. Infra Admin India users cannot create Custom Client Device Setting or Custom Client User Setting.

You do not have permission to ‘Site’ on CAS. Ensure you have proper permission to ’Site’ on CAS and ‘Site’ is associated with your security Scope.

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.4
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.4

2. The “Infra Admin India” user cannot view the Default Client Setting. The Result panel shows “No Item Found”

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.5
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.5

Resolution

  • Open up ConfigMgr 2012 Console and navigate through Administration –> Security –> Administrative Users –> Infra Admin India.
  • Right-click on the “Infra Admin India” administrative User and click on Properties.
  • Go to the second tab, “Security Roles”, and click on the “Add” button at the bottom to add the new security role “Read Only Analyst”
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.6
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.6

4. Go to the Security Scopes tab and select the option called “Associate Assigned Security Roles with Specific Security Scopes and Collections”

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.7
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.7

5. Click on the Read-Only Analyst security role and Edit

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.8
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.8

6. Removed the security Scope called “India”

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.9
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.9

7. We have added a security Scope called Default. Why? Will this give more rights to the Infra Admin India? NO. It won’t because we are allowing ONLY “Read-Only Analyst” access to the “Infra Admin India” users. How can we associate the “Read-Only Analyst” role with the “Default” security Scope? Click the OK button two times.

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.10
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.10
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.11
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.11

Results

Launch Console with “Infra Admin India”.

1. Default Client Settings is viewable

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.12
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.12

2. Infra Admin India doesn’t have access to EDIT “Default Client Settings”. All options are greyed out.

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.13
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.13

3.  “Infra Admin India” user can create Custom Client Device Setting and Custom Client User Setting

FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr - Fig.14
FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr – Fig.14

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc..

27 thoughts on “FIX SCCM Default Client Settings Issue with Security Role Infra Admin ConfigMgr”

  1. can’t see default client setting and can’t create local site (primary site) client settings. follow your configuration to add read-only analyst with default scope, when create client setting, error same with what you post “you do not have permission to ‘Site’ on CAS…”

    Reply
    • I hope, you’ve added two security roles 1) Infrastructure Administrator and 2) ReadOnly Analyst assigned to administrator user. Also, read only analyst should be assigned with default security scope or whichever scope has global admin access. Are you sure about collections also assigned to readonly analyst as well?

      Reply
      • yes, i configured it exactly following your steps. A user with Infra admin/read-only analyst roles, Infra admin is configured with local site security group and Read-only Analyst is configured with default security scope. Both roles are assigned to local site computers/ users collections.
        my global admin scope is using “All instance of the objects that are related to the assigned security roles”. I can’t assign same security scope, as it will give this user permission to view other site objects.

      • OK, try one think. can you list down the combination of Security Role, Security scope and collections used for each scenario?

        For example = Readonly Analyst + Default + Local Collections
        Infrastructure administrator + Security Scope + Local collections

  2. Infrastructure administrator + AU Security Scope + AU Computers + AU Users
    Read-only Analyst + Default + AU Computers + AU Users

    Mine is CAS + multiple PRI site hierarchy

    Reply
    • For testing purpose, try using this combination : Infrastructure administrator + Default + AU Computers + AU Users ..Just wanted to check default security scope has correct permissions.

      Reply
  3. Infrastructure administrator + Default + AU Security Scope + AU Computers + AU Users
    Read-only Analyst + Default + AU Computers + AU Users

    problem persist. If remove Read-only Analyst, issue persist

    Reply
    • So I think, “Default” security scope doesn’t have proper access. Can you confirm is there any other security scope which has more access than default security scope?

      Reply
  4. how to check?
    I currently has another default one – “All” which is definitely has more access than default I think.
    as I mentioned, my global admin is using “All instance of the objects that are related to the assigned security roles”.

    Reply
      • No no…there is only one default security scope.

        Site Configurations –>Sites –> Select CAS or PSS –> click on Set security scope -> check and confirm default is the security scope selected over there.

      • nope, none of them are configured as default security scope. Primary is under AU security scope, CAS is under Singapore security scope.

      • ok, there lies the problem. You should assign all sites to default or better to create global scope called “global”. And assign all sites to that security scope. Then follow my solution that will work.

      • But WDS will only move PXE boot computer to “All Unknown Computers” collection, how do you configure them go to your local site “AU Unknown Computers” collection?

      • logically, it doesn’t make sense but it works for me. Thanks so much Anoop, really appreciate for your time. I believed the issue is due to CAS/PRI under different security scope with my current setting, since my local CM admin can only assign to local security scope, permission to CAS lost, hence cause creating client setting failed. Wish a improvement in next CU or SP.

  5. Anoop, not sure if you encountered same issue. If I assign “All Unknown Computers” collection to the same account, I can view all other sites’ unknown computers. This will give me trouble when OSD.

    Reply
    • We don’t use that way. We add respective site Unknown computers to their respective collection. For example AU site unknown computers will be part of “AU Computers”.

      Reply
  6. Hi Anoop,

    I have an issue, where i am not able to create New Collections. When i am right click i should get some options that allow me to create New Collection. but when i right click i am not getting anything.
    As per smsprov.log ” ” CExtUserContext::EnterThread : User=domain\sccmadmin Sid=0x01050000000000051500000083D78B800362F97C0354132856040000 Caching IWbemContextPtr=00000046BFB1F5A0 in Process 0x3a2c (14892) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: SMSAppName=Configuration Manager Administrator console SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: MachineName=sccmserver.domain.com SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: UserName=domain\sccmadmin SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ObjectLockContext=6555f6ea-faf6-4b14-b0fe-5e50b6147835 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ApplicationName=Microsoft.ConfigurationManagement.exe SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ApplicationVersion=5.0.7804.1000 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: LocaleID=MS\0x409 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ReturnAll=1 (Bool) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: InstanceCount=1001 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __ProviderArchitecture=32 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __RequiredArchitecture=0 (Bool) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __ClientPreferredLanguages=en-US,en SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __CorrelationId={95BB62E8-DB82-0002-8FB4-C69582DBD001} SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __GroupOperationId=6933552 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtUserContext : Set ThreadLocaleID OK to: 1033 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CSspClassManager::PreCallAction, dbname=CM_AWS SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    ExecQueryAsync: START SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Adding Handle -1110712920 to async call map SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtProviderClassObject::DoCreateInstanceEnumAsync (SMS_Query) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CSspQueryForObject :: Execute… SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Execute WQL =SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Execute SQL =select all SMS_SCI_Reserved.AccountUsage,SMS_SCI_Reserved.Availability,SMS_SCI_Reserved.FileType,SMS_SCI_Reserved.Flag,SMS_SCI_Reserved.ItemName,SMS_SCI_Reserved.ItemType,SMS_SCI_Reserved.PropLists,SMS_SCI_Reserved.Props,SMS_SCI_Reserved.Reserved2,SMS_SCI_Reserved.ServerName,SMS_SCI_Reserved.SiteCode,SMS_SCI_Reserved.UserName from vSMS_SC_Reserved_SDK AS SMS_SCI_Reserved where ((SMS_SCI_Reserved.SiteCode = N’AWS’ OR SMS_SCI_Reserved.SiteCode in (select all child.SiteCode from vSites AS child INNER JOIN vSites AS parent ON parent.SiteCode = child.ReportToSite where (parent.ReportToSite = N’AWS’ OR child.ReportToSite = N’AWS’))) OR SMS_SCI_Reserved.Availability = 1) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Results returned : 3 of 4 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Removing Handle -1110712920 from async call map SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    ExecQueryAsync: COMPLETE SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtUserContext::LeaveThread : Releasing IWbemContextPtr=-1078856288 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    ” “. Please suggest

    Reply
  7. Hi Anoop,

    Thanks for the post.

    Currently, we are deploying a primary site to our new business unit and adding it to our existing SCCM 2012 environment. However, we would like to limit user access rights to that specific site. In nutshell, we don’t want administrators of newly created primary site to access CAS resources or other resources which are created on different primary sites. Administrators should be able to access local primary site resources only. Is there any design guidance or Microsoft best practice around this ?

    any advise will be great help.

    Thank you

    Reply
  8. Hi Anoop, currently I am facing following issue:

    Setup:

    I have administrative users group “PR-Admins” with following settings:

    full administrator + PR security scope + collection
    read-only analyst + default security scope

    default security scope applied to PR and CAS. “PR” security scope only applied to primary site

    Issue:

    users from “PR-Admins” group unable to login on CAS using remote console. “PR-Admins” group is part of SMS_admin and has correct DCOM and WMI permissions

    Reply
  9. Hi Anoop,

    Thank you. I did follow RBA tool to define permission for different user groups. However, I am facing following issue:

    Setup:
    Added “PR-Admins” group and administrative users
    Full administrators + PR security scope + PR collection
    Read only analyst + default security scope
    Default security scope has been assigned to CAS and PR. “PR” security scope has been assigned to Primary site

    Issue:
    Users from “PR-admins” groups, unable to connect to CAS using remote console. I can confirm that “PR-Admins” group is part of SMS_Admin and has WMI, DCOM permissions.

    Thank you

    Reply
  10. Hi Anoop,

    Is there any possibilities to add sccmclient fix as a package to be added in the Software center Custom tabs ?
    If Yes, can we add the path of the repair sccm client fix agent to that and made it visible to all users in software center ?
    If we can add that with the name called Software center Loading Fix , users can install that as a application so user may not reach for software loading issues to be addressed manually.Am in search of idea to implement.Am i Right or its a foolish idea ?any suggestions to route me into the right path.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.