I agree, use AD security group memberships for users and computers. We use a naming convention that helps our Service Desk understand which AD object to put into the security group:
- CM-U-AppNamevN.NN is a security group for just usernames that will be targeted with a deployment
- CM-C-AppNamevN.NN is a security group for just computer names that will be targeted with a deployment

Service Desk techs don’t need the SCCM Admin Console. In fact, since they are mostly in the AD Users & Computers anyhow, the security AD groups work quite well for us.

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: [email protected] On Behalf Of Marcum, John
Sent: Thursday, October 6, 2016 1:29 PM
To: '[email protected]'
Subject: RE: [mssms] Allowing staff to add computers to collection

Fair enough. Still use an AD group.

From: [email protected] On Behalf Of Murray, Mike
Sent: Thursday, October 6, 2016 1:51 PM
To: [email protected]
Subject: RE: [mssms] Allowing staff to add computers to collection

This is for BitLocker deployment, so user is not an option.

From: [email protected] On Behalf Of Marcum, John
Sent: Thursday, October 6, 2016 11:04 AM
To: [email protected]
Subject: RE: [mssms] Allowing staff to add computers to collection

I detest direct memberships.

1.) Don’t deploy to computers, deploy to users.
2.) Use AD groups in your queries not direct rules.

From: [email protected] On Behalf Of Adam Juelich
Sent: Thursday, October 6, 2016 12:56 PM
To: [email protected]
Subject: Re: [mssms] Allowing staff to add computers to collection

Can't you utilize Role-Based Administration on a Security Group / Collection level?

On Thu, Oct 6, 2016 at 12:23 PM, Murray, Mike <[email protected]> wrote:

CM2012. I’d like to allow certain staff members to add computers to a collection.
I found this article: https://social.technet.microsoft.com/Forums/en-US/c9d7531c-c8e1-4b0f-ab95-5a9ec5207e41/sccm-2012-security-to-allow-users-to-add-resource-to-a-collection?forum=configmanagersecurity

It says the below, which is confusing me. Can someone clear this up and let me know if this is a good idea?

Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question.

1. Create a new collection that is a copy of your collection limiting collection mentioned above.
2. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection.
3. Select the collections to which you wish to grant Add Resource permissions and set their limiting collection to this new collection.
4. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections" - don't forget to add your security scope.
5. Apply the changes and test - don't forget to restart the console of your test account.

This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group.

Best Regards,

Mike Murray
Desktop Engineer/IT Consultant - IT Support Services
California State University, Chico
530.898.4357
[email protected]

Remember, Chico State will NEVER ask you for your password via email!
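The AD-group approach recommended in the replies above, sketched in PowerShell as an added example that is not part of the original thread: a collection whose only membership rule is a query on an AD security group, so staff change membership in AD and need no Add Resource rights in the console. It assumes the ConfigurationManager module is loaded, the current location is the site drive, and Active Directory Group Discovery is enabled; the domain `CONTOSO`, the group name, the function names and the limiting collections are placeholders.

```powershell
# Added example. Assumptions: ConfigurationManager module imported, current
# location is the site drive, AD Group Discovery enabled. CONTOSO and the
# group name at the bottom are constructed placeholders.
function Get-CMGroupQuery {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Enforce the thread's convention: CM-U-* holds users, CM-C-* holds computers.
    if ($GroupName -notmatch '^CM-(?<kind>[UC])-[\w.\-]+$') {
        throw "Group '$GroupName' does not follow the CM-U-/CM-C- convention."
    }
    # WQL string literals need the backslash in DOMAIN\group doubled.
    $member = "$Domain\\$GroupName"
    if ($Matches.kind -eq 'C') {
        [pscustomobject]@{
            Kind  = 'Device'
            Query = "select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.SecurityGroupName = '$member'"
        }
    } else {
        [pscustomobject]@{
            Kind  = 'User'
            Query = "select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = '$member'"
        }
    }
}

function New-CMGroupBackedCollection {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$GroupName
    )
    $q    = Get-CMGroupQuery -Domain $Domain -GroupName $GroupName
    $rule = "AD group $GroupName"
    # The query rule is the only membership rule: no direct memberships.
    if ($q.Kind -eq 'Device') {
        New-CMDeviceCollection -Name $GroupName -LimitingCollectionName 'All Systems' | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $GroupName -RuleName $rule -QueryExpression $q.Query
    } else {
        New-CMUserCollection -Name $GroupName -LimitingCollectionName 'All Users' | Out-Null
        Add-CMUserCollectionQueryMembershipRule -CollectionName $GroupName -RuleName $rule -QueryExpression $q.Query
    }
}

# Computer-targeted case from the thread (BitLocker); the group name is constructed.
New-CMGroupBackedCollection -Domain 'CONTOSO' -GroupName 'CM-C-BitLockerv1.00'
```

Membership then follows the AD group after the next group discovery and collection evaluation cycle, so the only right to delegate is write access to that group's member list in AD.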

