4/07/2011

Restricted Users cannot create a Direct Membership Rule on a Collection programmatically in SCCM

Consider the following scenario:
You have a User in SCCM 2007 who has only restricted permissions in SCCM. For example, the User may only read and modify a few specific collections, import computers and create Collection Membership Rules. When the User works in the SCCM Console there is no problem and all of these tasks can be performed.
You have written a tool (VBScript, VB.NET or whatever) that makes it possible for this User to perform some tasks very easily and quickly against your SCCM Server. The User can import a new machine (with name and MAC address), but as soon as the tool tries to create a Direct Membership Rule it crashes with "Generic failure".
If you check the smsprov.log file on your SCCM Server you will find this error message:
User … has no read resource rights in any collection for this ResourceID

The problem is that the SCCM API has no way to specify a "default collection" that the machine belongs to from the moment it is created. The provider checks the Read Resource right per collection, so until the machine is a member of a collection the User has Read Resource rights on, the provider cannot find that machine for this User and the Membership Rule cannot be created. The tool crashes even if you capture the machine's ResourceID from the return value of ImportMachineEntry when creating the machine, because the check is made against collection membership, not against the ResourceID itself.

Either you give the User class-level Read Resource rights on collections (but then the User can see all machines in SCCM), or you use the following workaround:
When the machine entry is imported, a Status Message is created on your Site Server. This message has Message ID 30213 and looks like this:
User "XYZ" imported machine at site "SiteServer - SiteCode" (NetbiosName=YourMachineName, MACAddress=F7:E8:D3:A9:84:FE, SMBIOSGUID=).
Now create a Status Filter Rule that is triggered whenever this Message ID occurs and runs a script with the following command line:
cscript.exe YourScript.vbs %msgis04
%msgis04 is replaced at run time by insertion string 4 of the message, i.e. the name of the machine you have just imported. Keep in mind that this value originates from the restricted User's import while the script runs as Local System, so quote the argument on the command line ("%msgis04") and validate it in the script before embedding it in a query.
The script runs under the Local System account of your SCCM Server, which has full rights, so it can create a Collection Membership Rule on any collection:

Part of such a script would look like this:

strComputerName = WScript.Arguments(0)          ' %msgis04, passed in by the Status Filter Rule
strCollectionID = "XYZ"                          ' target collection (placeholder)
' Connect to the SMS Provider on the local site server; replace SiteCode with your site code
Set objSWbemServices = GetObject("winmgmts:\\.\root\sms\site_SiteCode")
Set instCollection = objSWbemServices.Get("SMS_Collection.CollectionID='" & strCollectionID & "'")
Set instDirectRule = objSWbemServices.Get("SMS_CollectionRuleDirect").SpawnInstance_
instDirectRule.ResourceClassName = "SMS_R_System"
instDirectRule.ResourceID = NameToResourceID(strComputerName)
instDirectRule.RuleName = strComputerName
instCollection.AddMembershipRule instDirectRule

' Resolve the machine name to the ResourceID of the record created by ImportMachineEntry
Function NameToResourceID(strName)
    For Each objItem In objSWbemServices.ExecQuery("SELECT ResourceID FROM SMS_R_System WHERE Name = '" & strName & "'")
        NameToResourceID = objItem.ResourceID
    Next
End Function


After the script has run, the machine is a member of a collection the User can read, and the User's tool should be able to create its own Direct Membership Rule.

AddOn: You may have to build a "wait routine" into the User's tool, because the machine name cannot be resolved to a ResourceID until the Status Filter Rule's script has added the machine to a collection the User can read. Bound the loop, otherwise the tool hangs forever if the script fails:

intTries = 0
Do
    WScript.Sleep 2000   ' give the Status Filter Rule's script time to run
    Set colResults = objSWbemServices.ExecQuery("SELECT ResourceID FROM SMS_R_System WHERE Name = '" & strComputerName & "'")
    intTries = intTries + 1
Loop While colResults.Count = 0 And intTries < 30
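As an added example (not code from the original post), here is the Status Filter Rule side of the same workaround written in PowerShell instead of VBScript. It adds the two things a practitioner wants before letting a Local System script act on input that came from a restricted User: a whitelist check on the machine name before it is embedded in a WQL filter, and a bounded retry while the freshly imported record becomes visible. The site code "SiteCode", the collection ID "XYZ", the script path and the parameter names are placeholders I chose; the duplicate-rule check and the RequestRefresh call are my additions rather than anything the post describes.

```powershell
# Added example, not from the original post. Runs as Local System on the site server
# when triggered by a Status Filter Rule for Message ID 30213.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,   # "%msgis04" from the Status Filter Rule
    [string]$SiteCode     = "SiteCode",                     # placeholder: your site code
    [string]$CollectionID = "XYZ"                           # placeholder: target collection
)

# The name came from a restricted User's import and we run as Local System:
# accept only a plain NetBIOS-style computer name before it touches a WQL string.
# (Stricter than NetBIOS itself allows; widen the pattern if your naming standard needs it.)
if ($ComputerName -notmatch '^[A-Za-z0-9\-]{1,15}$') {
    throw "Refusing suspicious computer name: $ComputerName"
}

$ns = "root\sms\site_$SiteCode"

# Resolve the name to a ResourceID. The import may still be committing when message 30213
# fires, so retry a bounded number of times instead of looping forever.
$resource = $null
for ($i = 0; $i -lt 30 -and $null -eq $resource; $i++) {
    $resource = Get-WmiObject -Namespace $ns -Class SMS_R_System -Filter "Name = '$ComputerName'" |
                Select-Object -First 1
    if ($null -eq $resource) { Start-Sleep -Seconds 2 }
}
if ($null -eq $resource) { throw "No SMS_R_System record for $ComputerName after retries" }

$collection = Get-WmiObject -Namespace $ns -Class SMS_Collection -Filter "CollectionID = '$CollectionID'"
if ($null -eq $collection) { throw "Collection $CollectionID not found" }
$collection.Get()   # load lazy properties such as CollectionRules

# The rule fires on every import, including re-imports, so do not add a second identical rule.
$existing = @($collection.CollectionRules | Where-Object {
    $_.__CLASS -eq 'SMS_CollectionRuleDirect' -and $_.ResourceID -eq $resource.ResourceID })
if ($existing.Count -gt 0) { Write-Output "Direct rule for $ComputerName already present"; exit 0 }

$rule = ([wmiclass]"\\.\${ns}:SMS_CollectionRuleDirect").CreateInstance()
$rule.ResourceClassName = "SMS_R_System"
$rule.ResourceID        = $resource.ResourceID
$rule.RuleName          = $ComputerName

$collection.AddMembershipRule($rule) | Out-Null
$collection.RequestRefresh() | Out-Null   # evaluate membership now instead of on the next schedule
Write-Output "Added $ComputerName (ResourceID $($resource.ResourceID)) to $CollectionID"
```

In the Status Filter Rule the command line would then be something like powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Add-DirectRule.ps1 -ComputerName "%msgis04" (the path is an assumption). The quotes around %msgis04 and the name check at the top of the script are the important parts: everything after that point runs with full rights on the site server on data a restricted User controls.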
