다음을 통해 공유


Minimum Permissions Needed To Perform Client Push In Configuration Manager 2012

Overview:

A question that seems to come up in the forums a lot is "What Permissions Are Required To Allow An User To Push The Configuration Manager Client?".

In this post, I'm going to walk through the process of delegating the minimal permissions needed to perform "Client Push" on a resource in Configuration Manager 2012. I'm also going to show how you can use RBA Viewer.

Things to know before starting:

Permissions will be delegated using Role-Based Administration (Security Role) .

We will being using the default "Remote Tools Operator" Security Role as our template to create a custom Security Role for client push purposes. This is because this Security Role has the closest permissions needed for client push.

The following Permissions are needed to perform a Client Push Installation:

  • Collection
    • Read
    • Modify Resource
  • Site
    • Read

How To Do It:

If you haven't used RBA Viewer it is part of the Configuration Manager SP1 Toolkit, I would highly recommend trying it out. RBA Viewer essentially allows you to emulate the built in "Security Roles" and select custom Permissions and see what actions console will appear to the user who has those permissions.

I used RBA Viewer and determined that the "Remote Tools Operator" security role had the closest permissions needed to perform client push so we will use this Security Role as a template for our custom role for Client Push. Below is a screenshot of the permissions for the "Remote Tools Operator" Security Role.

The "Remote Tools Operator" has the following permissions setup by default:

  • Collection
    • Read
    • Remote Control
    • Read Resource
    • Control ATM

In RBA Viewer I removed Remote Control, Read Resource, and Control ATM.

I added the "Modify Resource" permissions and clicked Analyse. You will now see that Install Client is now available in RBA Viewer.

Alright, So we determined the minimum permissions required to perform "Client Push" . We will now need to create the "Custom Security Role" for Client Push.

In the SCCM Console, Administration > Security > Security Roles, We will need to create a Copy of the "Remote Tools Operator" Security Role. The Copy option just allows you to create a new Security Role using the permissions from the Security Role that you Copied from.

After you click Copy the "Copy Security Wizard" will open, Delegate the permissions mentioned above and remove the "Remote Tools" specific permissions.

The Read permission on Site is needed to select the Site drop down when performing "Client Push".

So now that we have our custom Security Group for Client Push. I added a new Administrative user (CONTOSO\Justin) and granted the "Client Push" Security Role to that user.

Now when this user runes the console, they will have very limited permissions, but can still use the Install Client on a device.

Hope this helps!

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use

Comments

  • Anonymous
    January 01, 2003
    Great work! Thanks.
  • Anonymous
    January 01, 2003
    @ Janathan, Thanks I will see if I still have those images around I can fix.
  • Anonymous
    April 23, 2014
    Nice article. Thanks.
  • Anonymous
    April 30, 2014
    Very Helpful thank you
    it helped me today
  • Anonymous
    August 13, 2014
    Perfect! Good work, this helped a bunch.
  • Anonymous
    December 16, 2014
    Reading through this now - thank you! Not to be picky, but it should be "Control AMT", not "Control ATM".
  • Anonymous
    January 23, 2015
    Very useful. Links to pictures seem dead now.
    • Anonymous
      May 02, 2018
      Fixed
  • Anonymous
    February 05, 2015
    Any chance of getting the pictures back, I tried following the steps but I don't get the install client after doing the analyze.
  • Anonymous
    July 01, 2015
    I see Install Client now, but my site is not in the drop down when i go to install the client to a device. Any ideas?

    Thanks for this!
  • Anonymous
    July 06, 2015
    Did you give read permissions to the site?
  • Anonymous
    July 06, 2015
    Also I will be fixing the images soon
  • Anonymous
    August 04, 2015
    No images. And when I log into my Windows Live account it says the page doesn't even exist!
  • Anonymous
    October 29, 2015
    Seems like a great post but images are broken.
  • Anonymous
    November 24, 2015
    Please review if your site is assigned to security scope of Client push role.
  • Anonymous
    March 23, 2016
    Thank you.I dont see any picture, but the texte help. I add Modify Resource at collection and Read for Site, and voilà.
    • Anonymous
      May 02, 2018
      Fixed the pictures.
  • Anonymous
    September 14, 2016
    Would be REALLY helpful to have the pics working.
    • Anonymous
      May 02, 2018
      Sorry about this will try and get these fixed.
  • Anonymous
    December 28, 2016
    Guys. I have just one questions. Does this user (CMPush) has to be the part of local administrators group on client or not?
    • Anonymous
      May 02, 2018
      Yes, it does.
  • Anonymous
    December 28, 2016
    @Justin. Is there any way we can install SCCM client without providing local admin rights or domain admin rights for SCCM client push user. for example, in your case Contoso\CMPush.
    • Anonymous
      May 02, 2018
      The push account would need to have local admin rights for client push to work.