In this post, I’ll provide a few tips to resolve some common issues with build-in security role “Infrastructure Administrator” assignments in ConfigMgr 2012.
More Details about Role-Based Administration are here. Infra admins are not able to view “Default Client Settings” and couldn’t create “Custom Client Device Setting” or “Custom Client User Setting.”
FIX SCCM Default Client Settings Issue with SCCM Security Role Infra Admin ConfigMgr
Yes, we can easily make out this could be because of some Security Scope issues. But how to rectify?
I’ve two administrative groups (Infra Admin India and Infra Admin SGP) assigned to build in security role “Infrastructure Administrator.” One is for India admins, and the other is for Singapore admins.
They’ve access to their respective primary servers. I’ve created two scopes, “India” and “Singapore”. These scopes are assigned to proper objects.
You can see the details of the “Infra Admin India” administrative user from the following picture.
Security Role = Infrastructure Administrator
Security Scopes and Collections = All India Systems, All India User Collection, and India
1. “Infra Admin India” user is not able to create “Custom Client Device Setting” or “Custom Client User Setting”.
You do not have permission to ‘Site’ on CAS. Make sure you have proper permission to ’Site’ on CAS and ‘Site’ is associated with your security Scope.
2. “Infra Admin India” user is not able to view the “Default Client Setting”. The Result panel shows “No Item Found”
1. Open up ConfigMgr 2012 Console, Navigate through Administration –> Security –> Administrative Users –> Infra Admin India.
2. Right Click on the “Infra Admin India” administrative User and click on Properties.
3. Go to the second tab “Security Roles” and click on “Add” button at the bottom to add the new security role “Read Only Analyst”
4. Go to the “Security Scopes” tab and select the option called “Associate Assigned Security Roles with Specific Security Scopes and Collections”
5. Click on the “Read-Only Analyst” security role and “Edit”
6. Removed the security Scope called “India”
7. Added security Scope called “Default”. Why? Will this give more rights to the Infra Admin India? NO. It won’t because we are allowing ONLY “Read-Only Analyst” access to the “Infra Admin India” users. How we can do associate the “Read-Only Analyst” role with the “Default” security Scope. Click the OK button two times.
Launch Console with “Infra Admin India”.
1. “Default Client Settings” is viewable
2. “Infra Admin India” doesn’t have access to EDIT “Default Client Settings”. All options are greyed out.
3. “Infra Admin India” user can create “Custom Client Device Setting” and “Custom Client User Setting”
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…