Problem: We have a junior admin/contractor who needs to modify a specific set of collections at our central SMS/ConfigMgr site. These collections have standing advertisements, so the junior admin can assist with software deployment requests by adding or removing workstation names from this specific set of collections (and not mess with the advertisements :).
Solution: Given a parent collection node for a site, this script enumerates each child collection object and checks whether a specified group already exists in that collection's Instance security permissions. If the group is not found, the script adds it and assigns Read + Modify permissions to the new Instance permission. Add read-only access to the SMS/ConfigMgr site, and the junior admin can do his work without exposing all collections to anything nasty. The permissions can easily be modified as well...
Always test in a lab SMS/ConfigMgr test site first before using on a production site. Thanks also to Greg Ramsey for providing the sample subcollection evaluation code.
An attachment is also provided; download it and rename it to .vbs...
'~~~ Start Copy here (watch line wrap) ~~~
' Author: Steve Thompson
' 9-16-2005 v1.00
' Thanks also to Greg Ramsey and the SMS 2003 SDK for the rest...
' The first 4 lines of code will need to be modified...

' SMS Site server name
Const strSMSServer = "SMSSERVER"
' SMS Site server code
Const strSMSSiteCode = "XXX"
' Parent Collection Node ID
strCollID = "XXXNNNNN"
' Name of security identifier to be added to Instance level permissions
' of each child collection
' Depending on the way you have implemented sms security,
' this information will be in the form of domain\group, domain\user,
' localcomputer\group or localcomputer\user
' USE ALL UPPER CASE for comparison to work!!
txtSMSGroup = "DOMAIN\GROUP"

' Echo collection id & collection name as a verification
wscript.echo strCollID & vbTAB & GetCollectionName(strCollID)
SetSubCollections strCollID, 3

Sub SetSubCollections(strCollID, intSpace)
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    Set objSWbemServices = objLocator.ConnectServer(strSMSServer , _
        "root\sms\site_" & strSMSSiteCode )
    Set colSubCollections = objSWbemServices.ExecQuery _
        ("select * from SMS_CollectToSubCollect where ParentCollectionID = '" & strCollID & "' order by Name")
    For each objSubCollection in colSubCollections
        strSubCollectionID = objSubCollection.SubCollectionID
        AlreadySet = False
        Set colRights = objSWbemServices.ExecQuery( "Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & strSubCollectionID & "'" )
        ' Check for existence of nt group, if it exists, set flag, exit for loop...
        For Each objRight in colRights
            If UCASE(objRight.Username) = txtSMSGroup Then
                ' msgbox strSubCollectionID & ": " & txtSMSGroup & " Found!"
                AlreadySet = True
                Exit For
            End If
        Next
        If AlreadySet = False Then
            ' msgbox strSubCollectionID & ": " & txtSMSGroup & " Not Found! Changing permissions..."
            Set objNewRight = objSWbemServices.Get("SMS_UserInstancePermissions").SpawnInstance_()
            objNewRight.UserName = txtSMSGroup
            ' for complete list of .ObjectKey & .InstancePermissions Values
            ' reference the SMS 2003 SDK documentation.
            objNewRight.ObjectKey = 1 'collections
            objNewRight.InstanceKey = strSubCollectionID
            ' bit fields get added together...
            objNewRight.InstancePermissions = 1+2 'just Read and Modify
            objNewRight.Put_
        End If
    Next
    MsgBox "Done!"
End Sub

Function GetCollectionName(strCollID)
    Set objCollection = GetObject( "WinMgmts:\\" & strSMSServer & _
        "\root\SMS\site_" & strSMSSiteCode & _
        ":SMS_Collection.CollectionID='" & strCollID & "'")
    GetCollectionName = objCollection.Name
End Function
'~~~ End Copy here ~~~
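To confirm the delegation stayed least-privilege after running the script above, the following read-only audit is an added example, not part of the original script. It walks the same child collections and reports whether the group's instance permission is missing, exactly Read + Modify (3), or something else. The server, site code, collection ID and group are placeholders, and it assumes SMS_UserInstancePermissions can be queried by ObjectKey and InstanceKey the same way the script queries SMS_UserInstancePermissionNames.

```vbscript
' Added example: read-only audit of the delegation created by the script above.
' Server, site code, parent collection ID and group are placeholders (assumptions).
Option Explicit
Const strSMSServer = "SMSSERVER"
Const strSMSSiteCode = "XXX"
Const strParentCollID = "XXXNNNNN"
Const txtSMSGroup = "DOMAIN\GROUP"
Const EXPECTED_RIGHTS = 3   ' 1 + 2 = Read + Modify, the value the script above assigns

Dim objLocator, objSWbemServices, colSubCollections, objSubCollection
Dim colRights, objRight, strSubID, blnFound, intMissing, intUnexpected

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objLocator.ConnectServer(strSMSServer, _
    "root\sms\site_" & strSMSSiteCode)

' Same direct-child enumeration as the original script (not recursive)
Set colSubCollections = objSWbemServices.ExecQuery( _
    "select * from SMS_CollectToSubCollect where ParentCollectionID = '" & _
    strParentCollID & "'")

intMissing = 0 : intUnexpected = 0
For Each objSubCollection In colSubCollections
    strSubID = objSubCollection.SubCollectionID
    blnFound = False
    ' ObjectKey = 1 selects collection objects
    Set colRights = objSWbemServices.ExecQuery( _
        "Select * From SMS_UserInstancePermissions WHERE ObjectKey=1 " & _
        "AND InstanceKey='" & strSubID & "'")
    For Each objRight In colRights
        ' Case-insensitive match, so the audit does not depend on upper-case input
        If UCase(objRight.UserName) = UCase(txtSMSGroup) Then
            blnFound = True
            If objRight.InstancePermissions = EXPECTED_RIGHTS Then
                WScript.Echo strSubID & vbTab & "OK" & vbTab & objRight.InstancePermissions
            Else
                ' Any other bitmask means rights were widened or narrowed by hand
                intUnexpected = intUnexpected + 1
                WScript.Echo strSubID & vbTab & "UNEXPECTED" & vbTab & objRight.InstancePermissions
            End If
        End If
    Next
    If Not blnFound Then
        intMissing = intMissing + 1
        WScript.Echo strSubID & vbTab & "MISSING"
    End If
Next
WScript.Echo "Missing: " & intMissing & "  Unexpected: " & intUnexpected
```

Run it with cscript.exe so the report goes to the console instead of a message box per line.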
Note: repost from 1/12/2006