Page 19 of the installation guide for the SCS Add-on for SCCM lists the SCCM permissions required for Management Controller Discovery. The guide states that you have to give the "Domain Computers" group the built-in "Operations Administrator" role in SCCM and assign that role to all collections and the default security scope. That is crazy! Those permissions give any domain computer account the ability to do anything in SCCM except change security settings. While I'm sure that a domain computer isn't going to launch the SCCM console and do something, any user who was able to elevate to the domain computer's context would be able to do so.
Does anyone have a minimal list of permissions required for the SCS Add-on to work with SCCM?
Thanks,
--Russel Riley
Hey Russel,
I too thought those rights were a bit 'excessive'. I have created a custom security role that has only basic read permissions to a minimal set of objects (e.g. Resources and Collection and Site). The only greater than read access that I granted was on the 'Collection' object, where it receives the following permissions:
Control AMT
Provision AMT
Read
Read Resource
Remote Control
So far this has worked fine for me, and may even be more permissive than is needed. I also applied these permissions to a filtered collection containing only Intel Provisioned AMT systems (some of our systems are SCCM provisioned and thus these rights are not needed).
Hope this helps.
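
An audit check for the assignment discussed in this thread, added here as an example and not taken from either post or from Intel's guide: it flags a "Domain Computers" group that holds a broad built-in role. It assumes the objects returned by `Get-CMAdministrativeUser` expose the `LogonName`, `RoleNames`, `CollectionNames` and `CategoryNames` properties of `SMS_Admin`; the domains, the custom role name and the collection name in the sample data are constructed.

```powershell
function Find-BroadGroupAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $AdminUser,
        # Principals that should never hold a broad role (the group named in the guide).
        [string[]] $WatchedGroup = @('Domain Computers'),
        # Built-in roles treated as too broad here (assumption: adjust to local policy).
        [string[]] $BroadRole = @('Full Administrator', 'Operations Administrator')
    )
    foreach ($a in $AdminUser) {
        # LogonName has the form DOMAIN\name; compare on the name part only.
        $name = ($a.LogonName -split '\\')[-1]
        if ($WatchedGroup -notcontains $name) { continue }

        $hits = @($a.RoleNames | Where-Object { $BroadRole -contains $_ })
        if ($hits.Count -eq 0) { continue }

        # Report the role together with where it applies (collections and security scopes).
        [pscustomobject]@{
            Principal   = $a.LogonName
            BroadRoles  = $hits -join ', '
            Collections = $a.CollectionNames -join ', '
            Scopes      = $a.CategoryNames -join ', '
        }
    }
}

# Constructed sample data shaped like SMS_Admin objects, so the check runs offline.
$sample = @(
    # The assignment the installation guide asks for.
    [pscustomobject]@{
        LogonName       = 'CONTOSO\Domain Computers'
        RoleNames       = @('Operations Administrator')
        CollectionNames = @('All Systems', 'All Users and User Groups')
        CategoryNames   = @('Default')
    },
    # A custom role limited to a filtered collection, as in the reply (names are hypothetical).
    [pscustomobject]@{
        LogonName       = 'FABRIKAM\Domain Computers'
        RoleNames       = @('AMT Discovery (custom)')
        CollectionNames = @('Intel Provisioned AMT Systems')
        CategoryNames   = @('Default')
    }
)

Find-BroadGroupAssignment -AdminUser $sample | Format-List

# Against a live site, from a ConfigurationManager PowerShell session:
# Find-BroadGroupAssignment -AdminUser (Get-CMAdministrativeUser)
```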