MECM 2002. RBAC. Export and Import Access Level along with Scope.
Question
Hello Team,
I have been assigned to restrict all activities in the SCCM Console for a certain period and move the full SCCM infrastructure to a freeze. No one should be able to deploy anything, create an application or package, or distribute anything to any DP.
I have done a lot of homework for this task and found 2 possible ways to achieve it.
- Change the client settings. Change software update on client option to NO. Screenshot given below: That way clients will not receive anything. Bit risky because if policy is broken then the client may not apply these settings and ultimately it will defeat the whole purpose. Again, you need to change the setting to Yes so every client can receive deployments.
- RBAC: well known.
Now the challenge starts. If we use RBAC then we need to do a lot of modifications to roles and end up breaking access for SCCM Console users. Also this will be a manual task, and every time before the freeze I need to do it.
So I want to do it in this way.
- Export all users rights as well as access level. Remove them.
- Import the same back and replicate their earlier access level.
PS can be my next best friend but I don’t know if it is possible from a script.
I know it sounds weird but MS also raised their hand and now the ball is in your court. Any help would be appreciated. Thanks a lot in advance.
I am on MECM 2002. Standalone Primary.
Answers ( 5 )
Anyone else would like to give it a try please?
To be fair, only you will know what changes or tweaks you made to their access. You could remove their accounts from SCCM and add them back with default permissions and go from there.
Thanks a lot Sir. Any idea about export and import of user rights using PS? Pointers will be appreciated so I can write the code.
So, you are trying to restrict the users who have access to the SCCM console for what they can and cannot do, correct? If so, then you need to use RBAC. Assign their roles and scopes. You don’t need to mess with Client Settings as that has nothing to do with the restrictions of the admins. You are just creating an additional mess of client functionality.
Yes Sir, that’s the end goal. The challenge here is I need to change it back to how it was before I modified it, as they should be able to perform all tasks. The restrictions I want to apply are for a certain period of time.
Can I create an RBAC rule and apply that to all users? The rule will limit the access. When I remove the rule, their access should be restored back to how it was?
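Added example, not part of the original thread: one way to script the export, remove and re-import steps from the question with the ConfigurationManager PowerShell module. The backup path, the break-glass account name and the three function names are placeholders chosen for illustration.

```powershell
# Added example. Run from a ConfigMgr PowerShell session (ConfigurationManager
# module imported, current location set to the site drive).
# $BackupPath and $BreakGlass are placeholder values (assumptions).
$BackupPath = 'C:\Temp\cm-rbac-backup.json'
$BreakGlass = @('CONTOSO\cm-breakglass')   # accounts that must keep access

function Export-CMRbacAssignment {
    param([string]$Path)
    # One record per administrative user or group: roles, scopes, collections.
    Get-CMAdministrativeUser |
        Select-Object LogonName, IsGroup, RoleNames, CategoryNames, CollectionNames |
        ConvertTo-Json -Depth 4 |
        Set-Content -Path $Path -Encoding UTF8
}

function Remove-CMRbacAssignment {
    param([string]$Path, [string[]]$Keep)
    # Drive removal from the backup file, so nothing is removed that was not saved.
    $saved = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json
    foreach ($admin in $saved) {
        if ($Keep -contains $admin.LogonName) { continue }   # never lock out break-glass
        Remove-CMAdministrativeUser -Name $admin.LogonName -Force
    }
}

function Import-CMRbacAssignment {
    param([string]$Path)
    $saved = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json
    foreach ($admin in $saved) {
        # Skip accounts that were kept during the freeze.
        if (Get-CMAdministrativeUser -Name $admin.LogonName) { continue }
        $params = @{ Name = $admin.LogonName; RoleName = @($admin.RoleNames) }
        if ($admin.CategoryNames)   { $params.SecurityScopeName = @($admin.CategoryNames) }
        if ($admin.CollectionNames) { $params.CollectionName    = @($admin.CollectionNames) }
        New-CMAdministrativeUser @params
    }
}

# Before the freeze:
#   Export-CMRbacAssignment -Path $BackupPath
#   Remove-CMRbacAssignment -Path $BackupPath -Keep $BreakGlass
# After the freeze:
#   Import-CMRbacAssignment -Path $BackupPath
```

This restores each account with all of its saved roles applied to all of its saved scopes and collections; if an account used the option to associate specific roles with specific scopes and collections, that per-role mapping is not captured here and has to be reapplied separately. Custom security roles themselves are not touched, since only the administrative users are removed.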