In System Center 2012 Configuration Manager we have several roles that we ship with the product. By default we offer a general ‘Operating System Deployment Manager’ role. This is a fairly broad role that has a lot of access. The ‘Operating System Deployment Manager’ role, combined with the access to All Systems that is required to allow computer import, may be too open for some environments. Below are some simple steps to make a role specific to just importing computers. This allows additional scoping and helps prevent an administrator from accidentally deploying to All Systems.
First off, we need to create a custom security role and a restricted scope:
Now we need to set up a user:
If anyone is logged in, remember to close and reopen the console to ensure the permissions are correct.
Now you are done. If you assign the roles and scopes to an admin as described here, you end up with a user who can:
The admin will not be able to deploy to All Systems as with the built-in role, so this is a more locked-down approach.
Copy the information in red into a new XML file.
Thanks to Maayan Bar-Niv for contributing to the post.
John Vintzel, Microsoft Corporation | Sr. Program Manager | System Center Configuration Manager | twitter: jvintzel
This posting is provided "AS IS" with no warranties, and confers no rights.