SCCM Granular Security using PowerShell and SQL

SCCM Granular Security

SCCM Console Security

Your company has two (or more) different groups that use SCCM. To keep these groups separate and to ensure that one group cannot affect another group's resources, the following is needed.

Initial settings:

  • The SCCM Central Site has two local users that are used as templates in SCCM Security. The two local users are disabled.
    • User Name = SCCM-Template-WorkstationGroup
    • User Name = SCCM-Template-ServerGroup
  • Two collections have been created and dynamically populated with the appropriate resources.
    • WorkstationGroup
      • Contains only workstations
    • ServerGroup
      • Contains only servers
  • Two folders have been created in the Packages node
    • WorkstationGroup – Packages
    • ServerGroup – Packages
  • Two folders have been created in the Advertisements node
    • WorkstationGroup – Advertisements
    • ServerGroup – Advertisements
  • You granted the appropriate security rights in the SCCM Console for both users.

Unfortunately the above method doesn’t allow for inherited permissions.

Example: 'User A' is a member of the 'SCCM.WorkstationGroup' group. The 'SCCM.WorkstationGroup' group has rights to a Collection named 'WorkstationGroup'. If 'User A' creates a subcollection, the other members of the 'SCCM.WorkstationGroup' group will not have rights to that new subcollection; only 'User A' will.

That is where these scripts come in. Open the attachment for more details.
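The following PowerShell script is an added example written for this page; it is not the attached script and not part of the original article. It shows one way to close the inheritance gap described above: read the instance rights a principal (for instance the 'SCCM.WorkstationGroup' group) holds on the parent 'WorkstationGroup' collection, walk every subcollection beneath it, and report (or, with -Apply, create) a matching rights entry wherever the principal has none. It assumes an SCCM 2007 site whose SMS Provider exposes the WMI classes SMS_UserInstancePermissions (UserName, ObjectType, ObjectKey, InstancePermissions) and SMS_CollectToSubCollect (parentCollectionID, subCollectionID), and that ObjectType 1 denotes a collection; the site server name, site code, principal and collection ID are placeholders. The script only adds an entry where none exists and never widens rights that are already present, so running it in report mode is also a quick audit of subcollections that the group cannot see.

```powershell
# Added example (not the article's attached script). Assumptions are marked below.
param(
    [string]$SiteServer         = 'SCCMCENTRAL',                   # placeholder: central site server
    [string]$SiteCode           = 'CEN',                           # placeholder: site code
    [string]$Principal          = 'CONTOSO\SCCM.WorkstationGroup', # placeholder: DOMAIN\group or user
    [string]$ParentCollectionID = 'CEN00010',                      # placeholder: ID of 'WorkstationGroup'
    [switch]$Apply                                                 # without -Apply: report only
)

$ns = "root\sms\site_$SiteCode"
$CollectionObjectType = 1   # assumption: ObjectType value used for collections in SMS_UserInstancePermissions

# Return the SMS_UserInstancePermissions row a principal holds on one collection (or $null).
function Get-InstanceRights {
    param([string]$User, [string]$CollectionID)
    # WQL string literals need backslashes escaped, so DOMAIN\name becomes DOMAIN\\name.
    $wqlUser = $User.Replace('\', '\\')
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_UserInstancePermissions `
        -Filter "UserName='$wqlUser' AND ObjectType=$CollectionObjectType AND ObjectKey='$CollectionID'"
}

# Recursively list the IDs of every subcollection beneath a collection.
function Get-SubCollectionIDs {
    param([string]$CollectionID)
    $children = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CollectToSubCollect `
        -Filter "parentCollectionID='$CollectionID'"
    foreach ($child in $children) {
        $child.subCollectionID
        Get-SubCollectionIDs -CollectionID $child.subCollectionID
    }
}

# 1. Read the template rights from the parent collection; refuse to run without them.
$template = Get-InstanceRights -User $Principal -CollectionID $ParentCollectionID
if (-not $template) {
    throw "$Principal holds no instance rights on collection $ParentCollectionID; nothing to propagate."
}
$mask = $template.InstancePermissions   # bitmask copied verbatim, never widened

# 2. Walk the subcollections and find the ones the principal cannot see.
$missing = @()
foreach ($id in Get-SubCollectionIDs -CollectionID $ParentCollectionID) {
    if (Get-InstanceRights -User $Principal -CollectionID $id) { continue }  # already granted: leave as is
    $missing += $id

    if ($Apply) {
        # Create a new rights row for this subcollection with the parent's permission mask.
        $class = [wmiclass]"\\$SiteServer\$ns:SMS_UserInstancePermissions"
        $entry = $class.CreateInstance()
        $entry.UserName            = $Principal
        $entry.ObjectType          = $CollectionObjectType
        $entry.ObjectKey           = $id
        $entry.InstancePermissions = $mask
        [void]$entry.Put()
        Write-Output "Granted $Principal rights (mask $mask) on subcollection $id"
    }
}

# 3. Summarise. In report mode this list is the audit finding: subcollections created by
#    individual members that the rest of the group has no rights to.
if ($missing.Count -eq 0) {
    Write-Output "All subcollections of $ParentCollectionID already carry rights for $Principal."
} elseif (-not $Apply) {
    Write-Output "Subcollections of $ParentCollectionID missing rights for ${Principal}:"
    $missing | ForEach-Object { Write-Output "  $_" }
    Write-Output "Re-run with -Apply to grant them."
}
```

Run it once per template principal and parent (the 'ServerGroup' collection gets its own run with its own principal), first without -Apply to confirm the list of subcollections matches what you expect, then with -Apply; scheduling the report-only form is a cheap way to detect subcollections that drift outside the group's rights between runs. The same pattern extends to the package and advertisement folders, since those rights are stored in the same class with a different ObjectType value.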