Jump to content


Recommended Posts

Hi everybody!

 

We have a SCCM 2007 R2 environment with nearly 20 secondary sites under 1 central site. Now it comes to security permissions delegations to the local admin at the local sites that they can do their Windows 7 Rollout. I created a security structure in SCCM with a flat hierarchie of groups in the AD. For the moment it works fine.

A few days ago we had the situation that seems to clear all PXE flags to the "All Systems" collections. Many machiens that will get an OS over a Task Sequence were still in the OS Deployment collection (mandentory advertised), that means that these machine would have get a new OS after the next PXE request (default value!). In the end nothing happens, because we noticed that very fast. I just stopped our local WDS Service and deleted the direct membership of the machines in the OSD collections. Pig had ;)

I'm very scared about that, because the next time that happens we may be not so fast.

The first question that I have: How can I figure out who deleted the PXE flag? I searched in several log files, queried the Status Messages, but nothing. Anybody knows where I can find that?

The second interesting is: How can I prevent that a delegated user (also like everybody!) can clear the PXE flags on a completly collection?? (What also might be possible to use a script that the direct membership of the computers will be deleted after a successful OSD. I guess I saw somewhere a script like this...)

 

Thanks in advance!

 

Christian

Share this post


Link to post
Share on other sites


Just double click your task sequence and go to the advanced tab. Make the task sequnce available only for Vista x64. In the boot order make sure that the HD is the first boot device of the clients. Finally put a password on the PXE points. This way you don't have to worry that someone accidently triggers a reimaging of your whole environment.

You can't see who cleared the PXE flags because this action is not altering the collection.

Share this post


Link to post
Share on other sites

Hi Peter!

 

Thanks for your response. Yes, you're right to changing the the first boot device to the first harddisk. The thing is that we've decided that we want to have the NIC as first boot device, in case we need to refresh a machine on a different time zone when nobody is in the office. This fact also exlude the PXE password :(

When there is no way to see who clears the PXE flag, does anybody know how I can prevent that somebody clicks on a collection and clears for all included ressources the PXE flag?

Thanks!

 

Christian

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...