draker

I found the solution. In our environment we have separate admin accounts. The console is ran using that admin account. I simply had to add my admin user as a local admin on my workstation. I've also had other admins test this and it is working for them. Problem solved!

Hello! We have an SCCM 2012r2 (No CUs) environment setup in a single AD site. It consists of a single primary site server, one DP, and a dedicated MSSQL box. No PKI configured. We are using self signed certs that are created as part of the wizard. We have delegated admin rights for other users. The problem we are having is these delegated admins are no longer able to create Task Sequence Media. No longer, meaning this used to work. When a delegated admin is attempting to create bootable media, they are prompted for credentials after the Summary step in the wizard. These credentials will fail and leave the following in the logs: CreateTSMedia.log: Failed to open to WMI namespace '\\oursccmsite.com\root\SMS\site_101' (80070005) Failed to open WMI namespace '\\oursccmsite.com\root\SMS\site_101' (0x80070005) CreateTsMedia failed with error 0x80070005, details='' 80070005 = access denied. Media creation does work with my credentials, which has local admin on all site servers. This leads me to believe the issue is actually related to WMI permissions on the primary site server? Are there some additional permission I need to check on the server side to allow for media creation? Do I need read access to WMI on the primary site server or write access as well? Things I've tested: Disable host firewalls = Test failed Create test user with full global admin permissions within SCCM = Test failed Added test user to local admins group on primary site server = Test Failed In all of these scenarios, using my admin credentials will allow for media creation. Any feedback would be appreciated. Thank you!

Yeah, correct. I just don't think that hotfix applies in my situation. Was there another slow download issue noted/resolved in a later CU?

I recall seeing issues with slow OSD deployments and there was a fix for that in one of the CU's. I don't know if that fix applies to deployments that are not OSD. I do agree that upgrading to R2 SP1 is a good idea.. although with SCCM 2016 around the corner I was hoping to delay a bit.

We are experience a strange issue with some application deployments. It appears application deployments containing a large number of files are very slow to deploy. Examples being Adobe products and Autodesk products, but not limited to these applications. Initially, I thought perhaps network bandwidth might be the issue however, if I download a file directly from the DP via http, it downloads at normal speed. On the flipside, if we deploy autodesk, the download will sit at 0% on the client for a very long time. Hours even or days even.. As a test we zipped the files and did a test deployment transferring a large zip, and it downloaded quickly. Looking at the IIS logs I see files downloading to the client, but at a very slow rate. Generally I'll see a 401 - not authorized, followed by a 200 right after with domain\computeraccount$ for credentials. Smaller deployments work great. There are no bits throttling settings specified. No 404 errors seen in the IIS logs. No bandwidth throttling in IIS. bitsadmin /list /allusers usually shows 'CONNECTING' state. I am at a loss about where to look next to troubleshoot this issue.

Thanks for the replies! I will give it a shot next week. Do you run the wizard with all clean-up options selected?

Hello, I have read several articles on WSUS and SCCM. Many articles don't mention the fact that WSUS if not maintained will eventually slow to a grinding halt because it needs monthly maintenance ran on the DB. This article actually describes what I am trying to avoid pretty well! http://blog.coretech.dk/kea/house-of-cardsthe-configmgr-software-update-point-and-wsus/ I've also been told that no changes should be made to WSUS because SCCM controls the WSUS server. At this point I have edited the membership on all expired and superseded updates. I would like to run the cleanup wizard on the WSUS server.. and if it fails I would like to run manual obsolete update queries on the DB as described in the linked article above. I have ran these on our standalone WSUS instances with great success. My concern here is that somehow SUP will break because updates are missing or something. I have read the articles on manual cleanups of the source directory etc, that's not what I am looking to do. I am looking to maintain WSUS so my nightly syncs don't start failing.. etc. Can anyone speak to what is described in the linked article above? Is running the wsus cleanup wizards monthly safe?

Premier confirmed sharing the logs in the Logs folder is fine.

For those of you that have delegated OU admins how do you handle access to the server logs? Do you delegate read access to the logs folder?

And updates here? Looking to see how your roles look compared to mine.

I can confirm, that's how the collections are setup.

I'll confirm this tomorrow.

I would love to compare them side by side. Also, I've got some other questions for you regarding delegation. But I'll wait until I can compare.

For the computer import role:

Thanks for the input so far. I'll post what I have setup so far. It sounds very similar. btw, I'll try that query. OU Admin Read Only Permissions: Permissions assigned to: OU Admins Specific Scope Rolls Assigned to OU Admin:

Also, I'm trying to find info about SMB shares on the site server. What other servers need access to these shares? I am going to firewall them off as needed. I am guessing OU admins may want access to the \\site-server\SMS_101\Logs directory at least and possibly a few more. Any advise here? Thanks!

Hello, I am looking for a bit of help with admin delegation in SCCM 2012 r2. I think I've got a good amount of the delegation done but I'm really looking for a how-to or a reference article that could better explain what components should be delegated. What I am trying to achieve: We are offering SCCM as a service to other administrators in our forest. Administrators will be granted full access to administrate workstations and servers that reside in there specific OU in Active Directory. This means create collections, import computers, deploy software, OSD, install clients, reporting, inventory.. etc. Basically anything an administrator would need to manage computers and servers. Stuff like site integration and boundary groups etc, will be done by the service sysadmins. What I've done so far: I've used RBAviewer to create two new rolls: OU Read Only Admin, OU Admins Specific Scope Imported all computers in each of the OU's to ORG collections (ORG - OU Systems), and assigned admin users and scoped them to the ORG collections. Created security scopes for each OU and associated users to those scopes. This all seems to be working well so far, but I know I am missing a few things for example client settings. Another thing I am trying to figure out is how I can scope 'Import Computer Information' so that when someone imports information it will actually go to their OU. Right now, even if I select a specific collection the computer information always ends up in All Systems and/or Devices. I know I can't be the first one setting this up. If anyone has a good write-up or a list of permissions that one would typically delegate in this situation that would be great! As always, if I left anything out let me know and I can provide more information. Thank you.

thanks! Got it all figured out. Again for info see the technet post.

Do I need to setup domain trusts and then use a service account?

Hi, I've been using some of the SCCM guides to setup our new environment. I'm pretty new to SCCM and they have been very helpful! We are in the process of rolling out SCCM 2012 R2. We will be managing < 25k clients. We will be running one primary site, a dedicated MSSQL box, and a single DP. Our first goal is to use it to automate patching in our test/dev environments. The issue we are running up against is our prod SCCM environment is in one domain and out dev environments span multiple domains. I'm trying figure out the best way to manage all of these servers without creating a service account at the root domain level for security scope reasons. Here is an example of the domains. Prod: rootdomain.com - root domain ad.rootdomain.com - Prod AD domain Dev: adlab.rootdomain.com - Dev tritest.adlab.rootdomain.com - Dev devad.adlab.rootdomain.com - Dev devid.rootdomain.com - Dev devcv.rootdomain.com - Dev What would be the best way to handle managing these servers? Thanks.