I manage a ~1400 machine ConfigMgr 2012 R2 site. We have recently started to delegate access to various groups and I've run into a problem.

Each of the groups is given a top level group (based out of All Systems). Since we don't want to allow these various groups to do things to all systems, their permissions are scoped to these top level groups. Currently, all of these top level groups are populated by machine name prefixes. The problem is that one group we are bringing in does not have any sort of common naming scheme. I have no authority to get this group to use a naming scheme that would allow their machines to be dumped into the appropriate collection.

This group would like to use ConfigMgr to image bare-metal machines. The normal process for all other groups is they import the machine (name+MAC) into ConfigMgr and the machine populates into collections they control. They can then assign a task sequence to these machines and go on their merry way. Since their machines do not follow any normal naming scheme, we don't have a good way to get them into a collection they control. How do we get them into a collection without giving them access to All Systems?

In 2007, this was doable, if a bit convoluted. The machines would be manually imported. We enabled Active Directory System Group Discovery, which would find the OUs these machines are in. We would then make collections based on OU membership. Unfortunately, this feature was rolled into Active Directory System (or Group) discovery, and works in a different way now. Discovery will find the machines in the domain, but now makes a new record with the same name. This record has no MAC address though, so the machine doesn't associate itself with the record when booted.

Anyone have any thoughts on how I should approach this?

Jesse Schauer
Windows Server Administrator II
University of Idaho ITS

