

"Insufficient Access Rights" for Publishing Status Despite System Management Container Permissions

Hey Guys / Niall -


I recently built a new SCCM environment with 4 Secondary servers for an upcoming domain migration and have just about finished it. When looking in the console under "Active Directory Forests", I see that under "Publishing Status" it says "Insufficient Access Rights."
The permissions for the "Systems Management" container seem correct. Looking within it, I see that it has created objects for the Primary + 2 of the 3 Secondary sites - but that's it. Below you can see the contents of the Systems Management container currently. AH1 is the Primary site with ABQ & TUL Secondaries. The 3rd Secondary is missing completely...
I personally didn't extend the schema or assign rights, but here's how it is currently configured.
When looking under the Security tab of the System Management container's Properties, I see that there is an AD Security Group named "SCCM Site Servers" with full rights. I've also verified that all of the SCCM Site Servers (including the primary and all secondaries) have been added to this group. No specific user / service accounts have been added. Aside from that group, the following exist:
  • SELF (No rights)
  • Authenticated users (Read)
  • SYSTEM (Full Rights)
  • DOMAIN\Domain Admins (Full Rights)
  • DOMAIN\Enterprise Admins (Full Rights - Inherited)
  • DOMAIN\Administrators (Read & Write but not Full - Inherited)
  • DOMAIN\Pre-Windows 2000 Compatible Access (No Rights)
If I examine the Properties of the Forest within the console, the option to discover sites & subnets in the AD forest is enabled and set to use the computer account of the site server. The Publishing tab has all 4 (Primary + 3 Secondaries) checked and no domain / server specified.
I tried adding the hostname of the Secondary site which wasn't listed in the SM container directly via Delegating Access. When viewing Advanced properties of the container's security, the added hostname looks to have the same configuration as the AD Group. Once added, I unchecked its site under Publishing, applied, clicked OK, went back to Publishing, checked it, applied, then clicked OK again. So far, no changes.
Not 100% sure if this would attempt to reinitiate it, though. After I make changes in attempts to resolve, how can I best verify they are successful if not the above?
Finally, I looked through all ad* logs and even though I didn't look in great detail, I didn't see anything recent that stood out.
Any suggestions for resolving this? Thanks!


I got it working. I delegated full control to another security group which contains all SCCM Service accounts which got it working. Not sure why since it has been set to use the computer's account from the beginning, but it worked and added the data needed.
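
One way to check the container's delegation from PowerShell, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, the standard container location `CN=System Management,CN=System,<domain DN>`, and the group name quoted in the first post.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and the group name quoted in the post; run as a user who can read the ACL.
Import-Module ActiveDirectory

$groupName  = 'SCCM Site Servers'
$container  = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Allow ACEs that grant Full Control on the container.
$fullControl = (Get-Acl -Path "AD:\$container").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
}
$fullControl |
    Select-Object IdentityReference, InheritanceType, IsInherited |
    Format-Table -AutoSize

# Site objects are children of the container, so an ACE scoped to
# "This object only" (InheritanceType None) does not cover them.
$groupAces = @($fullControl | Where-Object { $_.IdentityReference.Value -like "*\$groupName" })
if ($groupAces.Count -eq 0) {
    Write-Warning "No Full Control ACE found for '$groupName'."
} elseif ($groupAces.InheritanceType -notcontains 'All') {
    Write-Warning "'$groupName' ACE does not apply to 'This object and all descendant objects'."
}

# Computer accounts that actually receive the group's rights.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Sort-Object Name |
    Select-Object Name, distinguishedName

# Objects published so far, with the last time each was written.
Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged
```

Re-running the last query after a permissions change shows whether a missing site's object has appeared or an existing one has a newer `whenChanged` value.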