myITforum.com


Tech Ramblings from a Higher Ed. Sysadmin

Permissions to remotely enumerate SCCM driver groups.

I have been working on a script for our SCCM OSD task sequences. For years we have simply had all of our drivers in SCCM and used the Auto Apply Drivers step in the task sequence to get everything to work. This has been a good approach for our very decentralized environment, where we need to be able to build just about anything. Recently, however, we have been trying to move toward a hybrid method. Basically, we want the task sequence to use a specific set of drivers if it is a known model, but fall back to the simple Auto Apply Drivers set if there isn't a driver package / category.

I put together a script that queries SCCM for a list of categories and compares them with the Make & Model of the machine.  My script is largely based on the following: http://blogs.technet.com/b/deploymentguys/archive/2008/04/18/configuration-manager-dynamic-driver-categories.aspx

This was working great under my credentials, but I wanted to switch to a least-privileged account since this would ultimately be housed in a script. We have a service account for this type of thing, but when I ran the script using that account I either got an error or an Access Denied message.

After a bit of trial and error and poking around I found that I needed to set the following to get this to work.

DCOM Permissions

  • On your site server run DCOMCNFG
    • Expand Component Services > Computer > My Computer
    • Right click My Computer and select properties
    • Select the COM Security tab
    • Under Access Permissions click Edit Limits
      • Enter your service account and give it Remote Access permissions
    • Under Launch and Activation Permissions click Edit Limits
      • Enter the service account and give it Remote Launch and Remote Activation permissions

WMI Permissions

  • On your site server open Server Manager
    • Expand Configuration and select WMI Control
    • Right click and select properties
    • Select the Security tab
    • Select Root and click the Security button
    • Add your service account and give it Execute Method, Provider Write, and Enable Account

SCCM Permissions

  • Within SCCM you need to give the service account read permissions for All Instances of Device driver
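
To confirm the three permission sets above under the service account itself, the following staged check reports which layer fails. It is an added example, not the script from the original post. The site server name is a placeholder, and it assumes driver categories are exposed through the `SMS_CategoryInstance` class with `CategoryTypeName = 'DriverCategories'`.

```powershell
# Added example. Placeholder values are assumptions, not from the post.
param(
    [string]$SiteServer = 'SITESERVER.example.edu',          # placeholder name
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

# Run one probe and record success or the exception it raised.
function Test-Stage {
    param([string]$Name, [scriptblock]$Probe)
    try {
        [pscustomobject]@{ Stage = $Name; Ok = $true; Detail = (& $Probe) }
    } catch {
        $e = $_.Exception
        [pscustomobject]@{ Stage = $Name; Ok = $false
                           Detail = '{0}: {1}' -f $e.GetType().Name, $e.Message }
    }
}

$wmi = @{ ComputerName = $SiteServer; Credential = $Credential; ErrorAction = 'Stop' }
$results = @()

# Stage 1: remote DCOM/WMI connection. Locate the SMS provider and site code.
$results += Test-Stage 'Remote WMI connect (root\sms)' {
    $p = Get-WmiObject @wmi -Namespace 'root\sms' -Class SMS_ProviderLocation |
         Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
    if (-not $p) { throw 'No local SMS provider instance returned' }
    $script:SiteCode = $p.SiteCode
    "site code $($p.SiteCode)"
}

# Stage 2: SCCM object rights. List driver categories as the OSD script would.
if ($results[0].Ok) {
    $results += Test-Stage 'Read driver categories' {
        $q = "SELECT LocalizedCategoryInstanceName FROM SMS_CategoryInstance " +
             "WHERE CategoryTypeName = 'DriverCategories'"
        $c = @(Get-WmiObject @wmi -Namespace "root\sms\site_$SiteCode" -Query $q)
        # An empty set is not proof of a denial; compare with an admin account.
        if ($c.Count -eq 0) { throw 'Query ran but returned no categories' }
        '{0} categories: {1}' -f $c.Count,
            (($c | ForEach-Object { $_.LocalizedCategoryInstanceName }) -join ', ')
    }
}

$results | Format-List Stage, Ok, Detail
```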

 

Published Jul 08 2011, 08:39 AM by mclanem

About mclanem

Sr Systems Administrator for the College of LSA @ UofM. Also ... MSI Candidate @ School of Information of UofM.