FIX Default Client Settings Issue with SCCM Security Role Infra Admin


In this post, I’ll share a few tips for resolving a common issue with assignments of the built-in security role “Infrastructure Administrator” in ConfigMgr 2012 (more details about Role-Based Administration here). Infra admins are not able to view “Default Client Settings” and cannot create a “Custom Client Device Setting” or “Custom Client User Setting”. It is easy to guess that this is a Security Scope issue, but how do you rectify it?


Setup

I have two administrative groups (Infra Admin India and Infra Admin SGP) assigned to the built-in security role “Infrastructure Administrator”: one for the India admins and one for the Singapore admins.

They have access to their respective primary sites. I have created two security scopes, “India” and “Singapore”, and assigned them to the appropriate objects.

You can see the details of the “Infra Admin India” administrative user in the following picture.

Security Role = Infrastructure Administrator

Security Scopes and Collections = All India Systems, All India User Collection and India


Issue/Problem

1. The “Infra Admin India” user is not able to create a “Custom Client Device Setting” or “Custom Client User Setting”. The console reports:

You do not have permission to ‘Site’ on CAS. Make sure you have proper permission to ’Site’ on CAS and ‘Site’ is associated with your security Scope.


2. The “Infra Admin India” user is not able to view “Default Client Settings”. The results pane shows “No Item Found”.


Resolution

1. Open the ConfigMgr 2012 console and navigate to Administration –> Security –> Administrative Users –> Infra Admin India.

2. Right-click the “Infra Admin India” administrative user and click Properties.

3. Go to the second tab, “Security Roles”, and click the “Add” button at the bottom to add the security role “Read-only Analyst”.


4. Go to the “Security Scopes” tab and select the option “Associate assigned security roles with specific security scopes and collections”.


5. Select the “Read-only Analyst” security role and click “Edit”.


6. Remove the security scope “India”.


7. Add the security scope “Default”. Why? Will this give more rights to Infra Admin India? No. The “Default” scope is associated only with the “Read-only Analyst” role, not with “Infrastructure Administrator”, so the user can read the objects in the Default scope (including the site object that the client settings check for) but can still modify only what the “India” scope allows. Click OK twice.


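As an added check (not part of the original post), the following PowerShell script reads the resulting role, scope and collection associations of one administrative user through the SMS Provider and warns if the layout differs from the one configured in the steps above. The provider host, site code and group name are assumptions; the CategoryTypeID values are the ones the provider exposes for security scopes and collections, so verify them against SMS_SecuredCategory in your own site before relying on the warnings.

```powershell
<#
  Audit the role/scope/collection associations of a ConfigMgr administrative user
  via the SMS Provider (WMI). Expected layout from the post:
    Infrastructure Administrator -> site-specific scope (India) + India collections
    Read-only Analyst            -> Default scope only
  Assumed values (not from the post): provider host, site code, group name.
#>
param(
    [string]$ProviderServer = 'CAS01',                     # assumed SMS Provider host
    [string]$SiteCode       = 'CAS',                       # assumed site code
    [string]$LogonName      = 'CONTOSO\Infra Admin India'  # assumed AD group
)

$ns = "root\SMS\site_$SiteCode"

# Lookup tables: role IDs, security scope (secured category) IDs and collection IDs -> names.
$roles = @{}
Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Role |
    ForEach-Object { $roles[$_.RoleID] = $_.RoleName }
$scopes = @{}
Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_SecuredCategory |
    ForEach-Object { $scopes[$_.CategoryID] = $_.CategoryName }
$collections = @{}
Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Collection |
    ForEach-Object { $collections[$_.CollectionID] = $_.Name }

# WQL needs the backslash in DOMAIN\Group doubled inside the string literal.
$admin = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Admin `
            -Filter "LogonName='$($LogonName.Replace('\', '\\'))'"
if (-not $admin) { throw "No administrative user named $LogonName in $ns" }

# SMS_Admin.Permissions is a lazy property: re-read the instance by path to populate it.
$admin = [wmi]$admin.__PATH

# CategoryTypeID 29 = security scope, 1 = collection (values as exposed by the provider;
# confirm against SMS_SecuredCategory.CategoryTypeID in your site).
$rows = foreach ($p in $admin.Permissions) {
    $isScope = ($p.CategoryTypeID -eq 29)
    $target  = if ($isScope) { $scopes[$p.CategoryID] } else { $collections[$p.CategoryID] }
    if (-not $target) { $target = $p.CategoryID }   # fall back to the raw ID if unknown
    [pscustomobject]@{
        Role   = $roles[$p.RoleID]
        Type   = $(if ($isScope) { 'Scope' } else { 'Collection' })
        Target = $target
    }
}
$rows | Sort-Object Role, Type, Target | Format-Table -AutoSize

# The post's fix: Read-only Analyst carries "Default" (built-in ID SMS00UNA);
# Infrastructure Administrator must NOT carry it, or the user gains write rights outside India.
$roScopes    = $rows | Where-Object { $_.Role -eq 'Read-only Analyst' -and $_.Type -eq 'Scope' } |
               Select-Object -ExpandProperty Target
$infraScopes = $rows | Where-Object { $_.Role -eq 'Infrastructure Administrator' -and $_.Type -eq 'Scope' } |
               Select-Object -ExpandProperty Target

if ($roScopes -notcontains 'Default') {
    Write-Warning "Read-only Analyst is not associated with the Default scope: Default Client Settings will show 'No Item Found' and custom client settings cannot be created."
}
if ($infraScopes -contains 'Default') {
    Write-Warning "Infrastructure Administrator carries the Default scope: $LogonName can modify objects outside its own site."
}
```

Run it from a console host that has the ConfigMgr console (or at least WMI access to the SMS Provider) as a user who can read SMS_Admin. The script only reads; applying the change is still done in the console as described in the steps above.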

Results

Launch Console with “Infra Admin India”.

1. “Default Client Settings” is viewable


2. “Infra Admin India” does not have access to edit “Default Client Settings”: all options are greyed out.


3. The “Infra Admin India” user can create a “Custom Client Device Setting” and “Custom Client User Setting”.


26 COMMENTS

  1. I can’t see Default Client Settings and can’t create local site (primary site) client settings. I followed your configuration to add Read-only Analyst with the Default scope; when creating a client setting, I get the same error you posted: “you do not have permission to ‘Site’ on CAS…”

    • I hope you’ve added two security roles, 1) Infrastructure Administrator and 2) Read-only Analyst, to the administrative user. Also, Read-only Analyst should be assigned the Default security scope, or whichever scope has global admin access. Are you sure the collections are assigned to Read-only Analyst as well?

      • Yes, I configured it exactly following your steps. A user with the Infra admin/Read-only Analyst roles; Infra admin is configured with the local site security scope and Read-only Analyst is configured with the Default security scope. Both roles are assigned to the local site computers/users collections.
        My global admin scope is using “All instances of the objects that are related to the assigned security roles”. I can’t assign the same security scope, as it will give this user permission to view other sites’ objects.

      • OK, try one thing: can you list the combination of security role, security scope and collections used for each scenario?

        For example = Readonly Analyst + Default + Local Collections
        Infrastructure administrator + Security Scope + Local collections

  2. Infrastructure administrator + AU Security Scope + AU Computers + AU Users
    Read-only Analyst + Default + AU Computers + AU Users

    Mine is CAS + multiple PRI site hierarchy

    • For testing purposes, try this combination: Infrastructure Administrator + Default + AU Computers + AU Users. I just want to check that the Default security scope has the correct permissions.

  3. Infrastructure administrator + Default + AU Security Scope + AU Computers + AU Users
    Read-only Analyst + Default + AU Computers + AU Users

    The problem persists. If I remove Read-only Analyst, the issue persists.

    • So I think the “Default” security scope doesn’t have proper access. Can you confirm whether there is any other security scope which has more access than the Default security scope?

  4. How do I check?
    I currently have another default one, “All”, which definitely has more access than Default, I think.
    As I mentioned, my global admin is using “All instances of the objects that are related to the assigned security roles”.

      • No no… there is only one Default security scope.

        Site Configuration –> Sites –> select the CAS or primary site –> click “Set Security Scopes” –> check and confirm that Default is the security scope selected there.

      • Nope, none of them are configured with the Default security scope. The primary is under the AU security scope, the CAS is under the Singapore security scope.

      • OK, there lies the problem. You should assign all sites to Default or, better, create a global scope called “global” and assign all sites to that security scope. Then follow my solution; that will work.

      • But WDS will only move PXE-booted computers to the “All Unknown Computers” collection; how do you configure them to go to your local site’s “AU Unknown Computers” collection?

      • Logically it doesn’t make sense, but it works for me. Thanks so much Anoop, I really appreciate your time. I believe the issue is due to the CAS/PRI being under different security scopes with my current setting: since my local CM admin can only be assigned to the local security scope, permission to the CAS is lost, hence creating a client setting fails. I wish for an improvement in the next CU or SP.

  5. Anoop, not sure if you have encountered the same issue. If I assign the “All Unknown Computers” collection to the same account, I can view all other sites’ unknown computers. This will give me trouble with OSD.

    • We don’t do it that way. We add each site’s unknown computers to that site’s own collection. For example, the AU site’s unknown computers are part of “AU Computers”.

  6. Hi Anoop,

    I have an issue where I am not able to create new collections. When I right-click I should get an option to create a new collection, but when I right-click I am not getting anything.
    As per smsprov.log:
    CExtUserContext::EnterThread : User=domain\sccmadmin Sid=0x01050000000000051500000083D78B800362F97C0354132856040000 Caching IWbemContextPtr=00000046BFB1F5A0 in Process 0x3a2c (14892) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: SMSAppName=Configuration Manager Administrator console SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: MachineName=sccmserver.domain.com SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: UserName=domain\sccmadmin SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ObjectLockContext=6555f6ea-faf6-4b14-b0fe-5e50b6147835 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ApplicationName=Microsoft.ConfigurationManagement.exe SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ApplicationVersion=5.0.7804.1000 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: LocaleID=MS\0x409 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: ReturnAll=1 (Bool) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: InstanceCount=1001 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __ProviderArchitecture=32 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __RequiredArchitecture=0 (Bool) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __ClientPreferredLanguages=en-US,en SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __CorrelationId={95BB62E8-DB82-0002-8FB4-C69582DBD001} SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Context: __GroupOperationId=6933552 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtUserContext : Set ThreadLocaleID OK to: 1033 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CSspClassManager::PreCallAction, dbname=CM_AWS SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    ExecQueryAsync: START SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Adding Handle -1110712920 to async call map SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtProviderClassObject::DoCreateInstanceEnumAsync (SMS_Query) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CSspQueryForObject :: Execute… SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Execute WQL =SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Execute SQL =select all SMS_SCI_Reserved.AccountUsage,SMS_SCI_Reserved.Availability,SMS_SCI_Reserved.FileType,SMS_SCI_Reserved.Flag,SMS_SCI_Reserved.ItemName,SMS_SCI_Reserved.ItemType,SMS_SCI_Reserved.PropLists,SMS_SCI_Reserved.Props,SMS_SCI_Reserved.Reserved2,SMS_SCI_Reserved.ServerName,SMS_SCI_Reserved.SiteCode,SMS_SCI_Reserved.UserName from vSMS_SC_Reserved_SDK AS SMS_SCI_Reserved where ((SMS_SCI_Reserved.SiteCode = N’AWS’ OR SMS_SCI_Reserved.SiteCode in (select all child.SiteCode from vSites AS child INNER JOIN vSites AS parent ON parent.SiteCode = child.ReportToSite where (parent.ReportToSite = N’AWS’ OR child.ReportToSite = N’AWS’))) OR SMS_SCI_Reserved.Availability = 1) SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Results returned : 3 of 4 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Removing Handle -1110712920 from async call map SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    ExecQueryAsync: COMPLETE SELECT * FROM SMS_SCI_Reserved WHERE (SiteCode=’AWS’ OR SiteCode IN (SELECT child.SiteCode FROM SMS_Site AS child INNER JOIN SMS_Site AS parent ON parent.SiteCode = child.ReportingSiteCode WHERE parent.ReportingSiteCode = ‘AWS’ OR child.ReportingSiteCode=’AWS’)) OR Availability=1 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    CExtUserContext::LeaveThread : Releasing IWbemContextPtr=-1078856288 SMS Provider 9/23/2015 8:53:30 AM 18248 (0x4748)
    Please suggest.

  7. Hi Anoop,

    Thanks for the post.

    Currently, we are deploying a primary site for our new business unit and adding it to our existing SCCM 2012 environment. However, we would like to limit user access rights to that specific site. In a nutshell, we don’t want administrators of the newly created primary site to access CAS resources or other resources which are created on different primary sites. Administrators should be able to access local primary site resources only. Is there any design guidance or Microsoft best practice around this?

    Any advice would be a great help.

    Thank you

  8. Hi Anoop, currently I am facing the following issue:

    Setup:

    I have the administrative users group “PR-Admins” with the following settings:

    full administrator + PR security scope + collection
    read-only analyst + default security scope

    The Default security scope is applied to PR and CAS. The “PR” security scope is only applied to the primary site.

    Issue:

    Users from the “PR-Admins” group are unable to log in to the CAS using the remote console. The “PR-Admins” group is part of SMS_Admin and has the correct DCOM and WMI permissions.

  9. Hi Anoop,

    Thank you. I did follow the RBA tool to define permissions for different user groups. However, I am facing the following issue:

    Setup:
    Added the “PR-Admins” group as an administrative user
    Full Administrator + PR security scope + PR collection
    Read-only Analyst + Default security scope
    The Default security scope has been assigned to the CAS and PR. The “PR” security scope has been assigned to the primary site.

    Issue:
    Users from the “PR-Admins” group are unable to connect to the CAS using the remote console. I can confirm that the “PR-Admins” group is part of SMS_Admin and has WMI and DCOM permissions.

    Thank you
