We have a SCCM 2007 R2 environment with nearly 20 secondary sites under 1 central site. Now it comes to security permissions delegations to the local admin at the local sites that they can do their Windows 7 Rollout. I created a security structure in SCCM with a flat hierarchie of groups in the AD. For the moment it works fine.
A few days ago we had the situation that seems to clear all PXE flags to the "All Systems" collections. Many machiens that will get an OS over a Task Sequence were still in the OS Deployment collection (mandentory advertised), that means that these machine would have get a new OS after the next PXE request (default value!). In the end nothing happens, because we noticed that very fast. I just stopped our local WDS Service and deleted the direct membership of the machines in the OSD collections. Pig had
I'm very scared about that, because the next time that happens we may be not so fast.
The first question that I have: How can I figure out who deleted the PXE flag? I searched in several log files, queried the Status Messages, but nothing. Anybody knows where I can find that?
The second interesting is: How can I prevent that a delegated user (also like everybody!) can clear the PXE flags on a completly collection?? (What also might be possible to use a script that the direct membership of the computers will be deleted after a successful OSD. I guess I saw somewhere a script like this...)
Thanks in advance!