kukubau

The following paragraph could benefit of some tweaking and a screenshot: "After creating the GPO, you'll want to limit it to only apply to your ConfigMgr server (or servers). To do that select the Delegation tab of the GPO, and click on Advanced button. Select the Authenticated Users security group and then scroll down to the Apply Group Policy permission and un-tick the Allow security setting. This denies authenticated users from applying this GPO setting Next, click on the Add button, for Select this object type make sure to select Computers from the Object Types and select the group or Computer object that you want to have this policy apply to. Then select the group (e.g. ConfigMgr Servers) and scroll the permission list until you see the Apply group policy option and then tick the Allow permission as shown here." Where one adds the user (in this case the Configmgr Server), the "Add Group or User" pops out with Read, Edit . It is important to mention here that one should click next and not to change the set 'Read" permission. kukubau

This guide is good, but has one major drawback and a show-stopper for me. It is mainly based on powershell scripting. If you add the user account part, security permissions, groups etc. done in the classical way, I'll start recommending your to SCCM newbies again. My 2 cents.

Hi Great guide. One thing I'd like to ask you. Isn't possible to add the Domain\Administrator account instead of a local account and defined by the $YourUserName variable e.g. $YourUserName = "Administrator" ? I don't see a point of logging with that user account or running SCCM console with Run as another user credentials every time. It would make my life easier. If I modify that line in the PS script $YourUserName = "Administrator" , I receive this error: Administrator is already part of the local Administrator group in CM0 and under '\Administration\Overview\Security\Administrative Users' in SCCM. Am I'm missing something? Much appreciated. kukubau