

SCCM Roles and Responsibilities - Using the Helpdesk as administrators


I am an administrator of a large network that is slowly being merged into being managed by SCCM 2012. Currently Updates, SCEP, Application deployment, general troubleshooting, Compliance Rules, etc. are in use, and we're almost to the point of using OSD (several good tests with a few different images).

Throughout the process, we've been assigning security to allow our Helpdesk to deploy images, and they already have the capability to deploy software packages. They had been in charge of updates and SCEP patching, but they fell behind and now the Sys Admin team is handling all patching, to include SCEP. They currently do not have the ability to create/edit/deploy task sequences, OS images, driver packs, or compliance rules, they cannot edit or create collections, etc. All my previous experience has been that these items fell under an administrator role, not a helpdesk role.

Management and some political power grabbing have created a swing in SCCM security that may require that we provide the following to be administered by the helpdesk:

  • Create/Edit/Delete/Deploy Collections (both User and Device)
  • Create/Edit/Delete/Deploy Reports
  • Create/Edit/Delete/Deploy Task Sequences
  • Create/Edit/Delete/Deploy Compliance Rules
  • Create/Edit/Delete/Deploy Software Applications
  • Create/Edit/Delete/Deploy Software Updates
  • Create/Edit/Delete/Deploy Desktop SCCM Policies
  • Create/Edit/Delete/Deploy Antimalware Policies
  • Create/Edit/Delete/Deploy Operating System Images and Bootable PXE Environments

The only way I can think to do this with our current architecture, and still split off desktops and servers, is to build a CAS server with two different Primary Site Servers (we are a One Primary Site server setup), and split the roles across servers using boundaries to ensure that servers are not being managed by the helpdesk group, and that desktops are not being managed by the server group.

So my questions are these:

  1. Is this viable (is this nuts)?
  2. Is this secure?
  3. Will this provide the level of accountability needed to allow two groups that are literally in different buildings to run their appropriate systems without crossover nightmares?
  4. Does this present a risk for system-wide disaster (server wipe from errant Task Sequence/OSD)?
  5. Are there other ways to do it if this is not suggested, and where can I find the docs (whitepapers, etc.)?
  6. Does this follow Microsoft best practice for roles within SCCM?
  7. Does anyone have any knowledge of articles where this was done and worked, or did not work?

Any and all help is appreciated.

