Justin Chalfant's Blog

Justin Chalfant's Configuration Manager Blog

Minimum Permissions Needed To Perform Client Push In Configuration Manager 2012

Overview:

A question that seems to come up in the forums a lot is "What permissions are required to allow a user to push the Configuration Manager client?".

In this post, I'm going to walk through the process of delegating the minimal permissions needed to perform "Client Push" on a resource in Configuration Manager 2012. I'm also going to show how you can use RBA Viewer.

Things to know before starting:

Permissions will be delegated using Role-Based Administration (Security Role).

We will be using the default "Remote Tools Operator" Security Role as our template to create a custom Security Role for client push purposes, because its permissions are the closest to those needed for client push.

The following Permissions are needed to perform a Client Push Installation:

  • Collection
    • Read
    • Modify Resource
  • Site
    • Read

How To Do It:

If you haven't used RBA Viewer, it is part of the Configuration Manager SP1 Toolkit, and I would highly recommend trying it out. RBA Viewer essentially allows you to emulate the built-in "Security Roles", select custom permissions, and see which console actions will appear to a user who has those permissions.

I used RBA Viewer and determined that the "Remote Tools Operator" security role had the closest permissions needed to perform client push so we will use this Security Role as a template for our custom role for Client Push. Below is a screen shot of the permissions for the "Remote Tools Operator" Security Role.

Image 011

The "Remote Tools Operator" has the following permissions setup by default:

  • Collection
    • Read
    • Remote Control
    • Read Resource
    • Control AMT

In RBA Viewer I removed Remote Control, Read Resource, and Control AMT.

I added the "Modify Resource" permission and clicked Analyse. You will see that Install Client is now available in RBA Viewer.

Image 012

Alright, so we have determined the minimum permissions required to perform "Client Push". We will now need to create the custom Security Role for Client Push.

We will need to create a copy of the "Remote Tools Operator" Security Role. The Copy option creates a new Security Role that starts with the permissions of the Security Role you copied from.

Image 013

After you click Copy, the "Copy Security Wizard" will open. Delegate the permissions mentioned above and remove the "Remote Tools" specific permissions.

Image 014

The Read permission on Site is needed to select the Site drop down when performing "Client Push".

Image 015

Now that we have our custom Security Role for Client Push, I added a new administrative user (CONTOSO\CMPush) and granted the "Client Push" Security Role to that user.

Image 016

Here's what the console will look like when logged in as CONTOSO\CMPush, when the user is only a part of the "Client Push" Security Role.

Image 017
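To confirm from PowerShell that the delegated account really holds only the custom role, the following added example (not part of the original post) reads the account's role assignments and flags any extra roles. It assumes the ConfigurationManager module is imported, the current location is the site's PSDrive, and the custom role was named "Client Push"; the function name is hypothetical.

```powershell
# Added example, not from the original post.
# Assumes: ConfigurationManager module imported and the current location is
# the site's PSDrive (for example "P01:", a placeholder site code).

function Test-ClientPushDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Account,   # e.g. CONTOSO\CMPush
        [string] $RoleName = 'Client Push'          # custom role name (assumed)
    )

    $admin = Get-CMAdministrativeUser -Name $Account
    if (-not $admin) {
        throw "No administrative user named '$Account' exists in this site."
    }

    # RoleNames and CollectionNames are properties of the SMS_Admin object
    # that Get-CMAdministrativeUser returns.
    $roles = @($admin.RoleNames)
    $extra = @($roles | Where-Object { $_ -ne $RoleName })

    [pscustomobject]@{
        Account      = $admin.LogonName
        HasPushRole  = $roles -contains $RoleName
        ExtraRoles   = $extra -join ', '
        Collections  = @($admin.CollectionNames) -join ', '
        OnlyPushRole = ($roles -contains $RoleName) -and ($extra.Count -eq 0)
    }
}

# Check the account used in the post.
Test-ClientPushDelegation -Account 'CONTOSO\CMPush'

# List every holder of the custom role that also has other roles assigned,
# for example the "Remote Tools Operator" template it was copied from.
Get-CMAdministrativeUser |
    Where-Object { $_.RoleNames -contains 'Client Push' } |
    ForEach-Object { Test-ClientPushDelegation -Account $_.LogonName } |
    Where-Object { -not $_.OnlyPushRole } |
    Format-Table -AutoSize
```

An account that shows a non-empty ExtraRoles value has more console rights than the minimum set described above.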

Hope this helps!

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use

Comments
  • Nice article. Thanks.

  • Very Helpful thank you
    it helped me today

  • Great work! Thanks.

  • Perfect! Good work, this helped a bunch.
