



BzowK

"Insufficient Access Rights" for Publishing Status Despite System Management Container Permissions




Hey Guys / Niall -

 

I recently built a new SCCM environment with 4 Secondary servers for an upcoming domain migration and have just about finished it. When looking in the console under "Active Directory Forests", I see that under "Publishing Status" it says "Insufficient Access Rights."
The permissions for the "Systems Management" container seem correct. Looking within it, I see that it has created objects for the Primary + 2 of the 3 Secondary sites - but that's it. Below you can see the contents of the Systems Management container currently. AH1 is the Primary site with ABQ & TUL Secondaries. The 3rd Secondary is missing completely...
[Image: post-9090-0-70668000-1488677508.png]
I personally didn't extend the schema or assign rights, but here's how it is currently configured.
When looking under the Security tab of the System Management container's Properties, I see that there is an AD Security Group named "SCCM Site Servers" with full rights. I've also verified that all of the SCCM Site Servers (including the primary and all secondaries) have been added to this group. No specific user / service accounts have been added. Aside from that group, the following exist:
  • SELF (No rights)
  • Authenticated users (Read)
  • SYSTEM (Full Rights)
  • DOMAIN\Domain Admins (Full Rights)
  • DOMAIN\Enterprise Admins (Full Rights - Inherited)
  • DOMAIN\Administrators (Read & Write but not Full - Inherited)
  • DOMAIN\Pre-Windows 2000 Compatible Access (No Rights)
  • ENTERPRISE DOMAIN CONTROLLERS (No Rights)
If I examine the Properties of the Forest within the console, the option to discover sites & subnets in the AD forest is enabled and set to use the computer account of the site server. The Publishing tab has all 4 (Primary + 3 Secondaries) checked and no domain / server specified.
I tried adding the hostname of the Secondary site which wasn't listed in the SM container directly via Delegating Access. When viewing Advanced properties of the container's security, the added hostname looks to have the same configuration as the AD Group. Once added, I unchecked its site under Publishing, applied, clicked OK, went back to Publishing, checked it, applied, then clicked OK again. So far, no changes.
Not 100% sure if this would attempt to reinitiate it, though. After I make changes in attempts to resolve, how can I best verify they are successful if not the above?
Finally, I looked through all ad* logs and even though I didn't look in great detail, I didn't see anything recent that stood out.
Any suggestions for resolving this? Thanks!



Update:


I got it working. I delegated full control to another security group which contains all SCCM Service accounts which got it working. Not sure why since it has been set to use the computer's account from the beginning, but it worked and added the data needed.


Thanks!
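An added example, not part of the original posts: one way to check which site server computer accounts actually hold Full Control on the System Management container, directly or through nested groups, and whether that grant applies to "this object and all descendant objects" as Microsoft's guidance for this container specifies. It assumes the ActiveDirectory RSAT module is available; the server names are placeholders.

```powershell
# Added example; the server names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$siteServers = 'PRIMARY01', 'SECONDARY01', 'SECONDARY02', 'SECONDARY03'
$containerDn = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Allow ACEs on the container that carry Full Control (GenericAll).
$fullControl = (Get-Acl -Path "AD:\$containerDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights.HasFlag($genericAll)
}

# Expand each trustee into the accounts it covers (nested groups included).
$covered = foreach ($ace in $fullControl) {
    $sam = ($ace.IdentityReference.Value -split '\\')[-1]
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties sAMAccountName
    if (-not $principal) { continue }    # well-known principals such as SYSTEM do not resolve here
    $accounts = if ($principal.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $principal.DistinguishedName -Recursive).SamAccountName
    } else {
        $principal.sAMAccountName
    }
    foreach ($account in $accounts) {
        [pscustomobject]@{
            Account = $account
            Via     = $ace.IdentityReference.Value
            Scope   = $ace.InheritanceType    # 'All' = this object and all descendant objects
        }
    }
}

# One row per site server: is its computer account (NAME$) covered, and with what scope?
$siteServers | ForEach-Object {
    $server = $_
    $hits   = @($covered | Where-Object { $_.Account -eq "$server`$" })
    [pscustomobject]@{
        SiteServer     = $server
        FullControl    = $hits.Count -gt 0
        AllDescendants = @($hits | Where-Object { $_.Scope -eq 'All' }).Count -gt 0
        GrantedVia     = ($hits.Via | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize
```

A row with `FullControl` false, or with `AllDescendants` false, points at the ACL or group membership rather than at the publishing settings in the console. A computer account newly added to a group only carries that membership after it obtains a new Kerberos ticket, typically at its next restart.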

