Problems Importing New Machines by Name and MAC Address

Tags: all systems, import, MAC, RBA, role based administration, new hardware

6 replies to this topic

#1 barnold

Posted 05 December 2012 - 08:58 PM

Hello All,

I'm currently banging my head against a problem that I'm sure has a simple solution that I just can't see through the weeds right now. :) Thus I'm turning to you other gurus to see if you can help open my eyes!

First, a little background: as I'm sure is common, we have one primary site (no CAS) and I have several divisions who all are their own Config Manager administrators for their own areas. Thus, I've been thankful for Role-Based Administration in Config Manager 2012 to give me better control over the granular security necessary to accomplish this without utilizing separate sites for each political unit. I've run into a snag with importing new computers by MAC address and Computer Name, though.

The new collection system holds that each collection has to be limited by another. I don't want to give access to "All Systems" to each Config Manager admin, so I create their own "root collection" which is based off of an AD query of their division's root OU in Active Directory. I then directly assign this collection to them in place of "All Systems" using the security section of the Administration workspace. However, it turns out that Microsoft says no one can "modify" or "delete" a collection that is directly assigned to them in this fashion, which in turn means they cannot import new machines (via right-clicking on devices and choosing "import computer information"). They also can't import new machines into "All Systems" because they don't have those privileges. Therefore, they are stuck.

Like I said, I'm sure this situation has to have an easy answer that I'm missing. Can anyone provide some insight here? Can I grant these departmental admins just enough rights to "All Systems" to read that collection and also to import new computers to it but nothing else (i.e. I can't let them deploy to it)?

Thanks in advance for any insight the community can provide!

Regards,
Ben

#2 Tay

Posted 05 December 2012 - 10:06 PM

Why are you manually adding computers? You are using a query to pull comps from the OU, right? This should all be automatic and would only require your admins to click on update membership.

#3 barnold

Posted 05 December 2012 - 11:00 PM

That's a good point, Tay. We manually import computers when we get new machines, not before, in our organization. We manually import them so that we can then PXE boot for re-imaging purposes. True, their root collection is query-based, but they create all kinds of direct membership collections and manually add new machines into any number of other locations.

#4 Tay

Posted 05 December 2012 - 11:21 PM

You could create a PXE VLAN separate from your network just for the ports that are used to re-image. Then assign your O/S task sequences to the All Unknown computers collection. VLAN so your guys don't accidentally image the whole company and unknown collection will detect any new devices so you won't have to deal with MAC addresses. I use USB to PXE boot so I don't know if it would work in your environment. Maybe someone can shed some light on automating PXE from network. I thought they did away with manually adding new comps in 2012 but I can't verify.

#5 barnold

Posted 06 December 2012 - 04:19 AM

They definitely didn't get rid of manually adding new computer information in 2012; anyweb has a guide on it on this site. I'll dig it up and link it here.

#6 barnold

Posted 06 December 2012 - 04:23 AM

Here's the link I was looking for.

Anyway, I can import machines manually just fine as the full administrator for our entire primary site. The people to whom I've delegated smaller sections of control (i.e. several security roles, a custom security scope, and their own custom "root" collection) can't import machines because they can't import into the collection I've directly assigned them, nor can they import into "All Systems."

I'm stumped.

I appreciate the thought, Tay, but your solution seems a bit more complicated than I'd like to tackle if only because it involves getting the networking team involved. :)

#7 barnold

Posted 07 December 2012 - 08:44 PM

For those that may be interested, I did find a blog post finally that gets me a little closer towards my goal. Here is the link for those that might like to read through it.




