SheilaA2

Oh my gosh... you are right... I was thinking OU! Thank you! I'm going to run this by the team to see what they think.

Not a bad idea but I'm not sure that it will work in my situation since a workstation can only belong to one AD group. Since there are various software packages/collections, a device or workstation will need to belong to multiple collections.

We have a pretty basic SCCM 2012 setup for now with a single primary site with AD intergration. Things are working great but we are at the point where we would like to begin implementing security for the rest of the IT staff. I'm hoping that someone can help me with an issue that I'm having or suggest a better way of doing things. I'm new to the SCCM world and am learning as I go so if you need to ask any additional questions, please ask away. Basically, we are implementing device collections based on software needs. So if a computer requires MS Project, we have a collection to which that application has been deployed to. We then add the computer resource to that collection. The issue that I'm having is from a security perspective. Essentually, we would like to be able to have our helpdesk staff add or remove resources from these collections based on their software needs. The only way that I've been able to achive this is to give them "modify" permissions on collections via a security role. The problem with this is that they are able to modify the collection properties. I don't want them to be able to do this.... What am I doing wrong or missing? Thank you for your time.