+1 From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John Sent: Thursday, October 6, 2016 12:04 PM To: [email protected] Subject: RE: [mssms] Allowing staff to add computers to collection
I detest direct memberships. 1.) Don’t deploy to computers, deploy to users. 2.) Use AD groups in your queries not direct rules. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Adam Juelich Sent: Thursday, October 6, 2016 12:56 PM To: [email protected]<mailto:[email protected]> Subject: Re: [mssms] Allowing staff to add computers to collection [External Email] Can't you utilize Role-Based Administration on a Security Group / Collection level? On Thu, Oct 6, 2016 at 12:23 PM, Murray, Mike <[email protected]<mailto:[email protected]>> wrote: CM2012. I’d like to allow certain staff members to add computers to a collection. I found this article: https://social.technet.microsoft.com/Forums/en-US/c9d7531c-c8e1-4b0f-ab95-5a9ec5207e41/sccm-2012-security-to-allow-users-to-add-resource-to-a-collection?forum=configmanagersecurity It says the below, which is confusing me. Can someone clear this up and let me know if this is a good idea? Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question. 1. Create a new collection that is a copy of your collection limiting collection mentioned above. 2. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection. 3. Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection. 4. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget to add your security scope. 5. Apply the changes and test - don't forget to restart the console of your test account. This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group. Best Regards, Mike Murray Desktop Engineer/IT Consultant - IT Support Services California State University, Chico 530.898.4357<tel:530.898.4357> [email protected]<mailto:[email protected]> Remember, Chico State will NEVER ask you for your password via email! For more information about recognizing phishing scam emails go to: http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml ________________________________ Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.
