Jonathan Robbins at

A systems management enthusiast searching for the bleeding edge of technology

Notes from ConfigMgr 2012 CEP Theme 5: Role-Based Administration & Collections

The following notes are what I gleaned from today's Community Evaluation Program theme--Role-based Administration.

- Mark Florida is the speaker today.  He is one of the Principal Lead Program Managers at Microsoft.

- 18 Attendees on the webcast.  Another decent decline from the previous meeting.

- Brandon Linton is the November CEP contest winner.  Congratulations Brandon!

- Session Takeaways

  - Sites are no longer used to support administrator segmentation

  - Attempt to stop or limit complex collection query logic

  - Collection updating/eval is done for you.  No need to update collection membership anymore

- Role Based Administration

  - Security roles

    - What types of objects can I see and what can I do to them

    - Similar to security options available today in CM 2007

  - Security scope

    - Which instances can I see and interact with.

    - I can say from my experience with the lab that this is a nice feature because admins will only see resources in the console based on the scopes that are assigned to them

  - Collection limiting

    - Which resources can I interact with

- An admin has one or more security roles and scopes associated

- Security management is simplified by defining once for the entire hierarchy since it is global data

- Today security is tightly coupled with the assigned primary site

- In 2012, admins can just use the CAS (Central Admin Site) to administer resources.  Primaries are only needed to scale.

- If a user is responsible for deploying software, the ConfigMgr admin just assigns the Application Deployment role to that user.

- Collections are global data within the hierarchy

- Collection membership will be different based on the site, but the total collection member count will be displayed at all sites

- Collection limiting is accomplished by putting collection limits within the scope of another

- 2012 will ship with two read-only root collections

- All systems and All Users and User Groups

- Based on role you can create, modify, delete, read and deploy software or baselines to the collection

- Collection limiting will be great to have because of the effort involved today to manually limit based on querying within the collection rules

- Can define on a per-role basis the scopes that can be added to an administrator

- Collection Migration from 2007

- Not coded yet

- Typed Collections

- User and Device

- No more sub collections

- Organizational Folders

- Composable Collections

- Membership Rules

- Direct, Query, Include (use for staggered deployments), Exclude (simple reuse of exclusion)

- Member Evaluation - Fast, uses deltas instead of full eval, every ten minutes, based on R3 fast collection support

- I see that you can create folders now instead of subcollections but isn't this just a different term for the same thing?

- Collection migration from 2007

- Sub-collections will become an organizational folder

- Or they will create a new collection within this org folder if it has membership rules or adverts targeted to it

- If a collection is limited to or sub/linked to another collection then the whole collection structure is migrated to org folders/collections

- User and device mixed collections are out of scope for 2012.  Partner/community opportunity!

- Collection definitions are globally replicated

- An option will be offered to limit a collection for an existing 2012 collection (currently not available in Beta 1)

- Direct membership collections will be migrated as is

- Collections that are limited to multiple collections and collections that query by site code will be migrated as is


- Jeff says that they will have a contest to increase attendee count.  The number only maxed out at 26 for this session.  Try to make it to the Live Meetings, people!

- Next Meeting is December 15th--OS Deployment! Hoorah!
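
The role, scope and collection-limiting notes above can be read as three independent checks on every action, with Include/Exclude rules and the limiting collection deciding which resources a collection can hold. The Python sketch below is an added illustration, not ConfigMgr code or its API: the class names, the order of the checks, the sample devices and the "Desktop Apps" scope are all constructed assumptions, and Query rules are left out.

```python
from dataclasses import dataclass, field

# Constructed model: class and field names are hypothetical, not ConfigMgr's API.
@dataclass
class Collection:
    name: str
    limit_to: "Collection | None" = None          # limiting collection (None for a root)
    direct: set = field(default_factory=set)      # Direct rule
    include: list = field(default_factory=list)   # Include rules
    exclude: list = field(default_factory=list)   # Exclude rules

    def members(self):
        found = set(self.direct)
        for coll in self.include:
            found |= coll.members()
        for coll in self.exclude:
            found -= coll.members()
        # A limited collection can never hold a resource its limiting collection lacks.
        return found if self.limit_to is None else found & self.limit_to.members()

@dataclass
class Admin:
    permissions: set   # security roles, flattened to (object type, operation) pairs
    scopes: set        # security scopes assigned to the admin
    collections: list  # collections the admin is limited to

def decide(admin, obj_type, operation, obj_scope, device):
    """Return 'allowed' or the first of the three checks that denies."""
    if (obj_type, operation) not in admin.permissions:
        return "denied: role"
    if obj_scope not in admin.scopes:
        return "denied: scope"
    if not any(device in coll.members() for coll in admin.collections):
        return "denied: collection"
    return "allowed"

# Constructed sample hierarchy and administrator.
all_systems = Collection("All Systems", direct={"PC01", "PC02", "SRV01", "SRV02"})
servers = Collection("Servers", limit_to=all_systems, direct={"SRV01", "SRV02"})
workstations = Collection("Workstations", limit_to=all_systems,
                          include=[all_systems], exclude=[servers])
pilot = Collection("Pilot", limit_to=workstations, direct={"PC01", "SRV01"})
helpdesk = Admin(permissions={("Application", "Read"), ("Application", "Deploy")},
                 scopes={"Desktop Apps"}, collections=[workstations])

if __name__ == "__main__":
    print(sorted(pilot.members()))
    print(decide(helpdesk, "Application", "Deploy", "Desktop Apps", "PC01"))
    print(decide(helpdesk, "Application", "Deploy", "Desktop Apps", "SRV01"))
```

The "Pilot" collection lists a server as a direct member, yet the limiting collection strips it, which is the effect that previously needed hand-written query logic in each collection rule.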

