barnold

Problems Importing New Machines by Name and MAC Address



7 posts in this topic

Hello All,

I'm currently banging my head against a problem that I'm sure has a simple solution that I just can't see through the weeds right now. :) Thus I'm turning to you other gurus to see if you can help open my eyes!

First, a little background: as I'm sure is common, we have one primary site (no CAS) and I have several divisions who all are their own Config Manager administrators for their own areas. Thus, I've been thankful for Role Based Administration in Config Manager 2012 to give me better control over the granular security necessary to accomplish this without utilizing separate sites for each political unit. I've run into a snag with importing new computers by MAC address and Computer Name though.

The new collection system holds that each collection has to be limited by another. I don't want to give access to "All Systems" to each Config Manager admin, so I create their own "root collection" which is based off of an AD query of their division's root OU in Active Directory. I then directly assign this collection to them in place of "All Systems" using the security section of the Administration work space. However, it turns out that Microsoft says no one can "modify" or "delete" a collection that is directly assigned to them in this fashion, which in turn means they cannot import new machines (via right-clicking on devices and choosing "import computer information"). They also can't import new machines into "All Systems" because they don't have those privileges. Therefore, they are stuck.

Like I said, I'm sure this situation has to have an easy answer that I'm missing. Can anyone provide some insight here? Can I grant these departmental admins just enough rights to "All Systems" to read that collection and also to import new computers to it but nothing else (i.e. I can't let them deploy to it)?

Thanks in advance for any insight the community can provide!

Regards,

Ben



Why are you manually adding computers? You are using a query to pull comps from the OU right? This should all be automatic and would only require your admins to click on update membership.


That's a good point, Tay. We manually import computers when we get new machines, not before, in our organization. We manually import them so that we can then PXE boot for re-imaging purposes. True, their root collection is query-based, but they create all kinds of direct membership collections and manually add new machines into any number of other locations.


You could create a PXE VLAN separate from your network just for the ports that are used to re-image. Then assign your O/S task sequences to the All Unknown computers collection. VLAN so your guys don't accidentally image the whole company and unknown collection will detect any new devices so you won't have to deal with MAC addresses. I use USB to PXE boot so I don't know if it would work in your environment. Maybe someone can shed some light on automating PXE from network. I thought they did away with manually adding new comps in 2012 but I can't verify.


They definitely didn't get rid of manually adding new computer information in 2012; anyweb has a guide on it on this site. I'll dig it up and link it here.


Here's the link I was looking for.

Anyway, I can import machines manually just fine as the full administrator for our entire primary site. The people to whom I've delegated smaller sections of control (i.e. several security roles, a custom security scope, and their own custom "root" collection) can't import machines because they can't import into the collection I've directly assigned them nor can they import into "all systems."

I'm stumped.

I appreciate the thought, Tay, but your solution seems a bit more complicated than I'd like to tackle if only because it involves getting the networking team involved. :)
