One popular request amongst SCCM admins is the ability to set folder permissions. Unfortunately folders aren’t securable objects in SCCM 2007, so the response usually was “Sorry, no can do”. That was before we knew about, and applied, the power of WMI eventing. We have taken two baby steps in WMI eventing for ConfigMgr admins so far.
Magicians usually don’t reveal how their Magic works, but I’ll spill the beans for once on this one.
Folders, aka SMS_ObjectContainerNode objects, cannot be secured. Put differently, they have no ObjectKey of their own in the SMS_SecuredObject class, so you cannot create an instance of SMS_UserInstancePermissions to define security on them.
The following are securable objects:
SMS_Package, SMS_Advertisement, SMS_Query, SMS_Report, SMS_MeteredProductRule, SMS_ConfigurationItem, SMS_OperatingSystemInstallPackage, SMS_ImagePackage, SMS_BootImagePackage, SMS_TaskSequencePackage, SMS_DriverPackage, SMS_Driver, SMS_ConfigurationItem (Configuration baseline).
So setting permissions on folders does not work. However, we could envision creating an object with the same name as the folder for each folder we create. In other words, if I create a folder “virtualapps” in my packages node, then I could create a dummy package called “virtualapps”. This package would be a securable object, and I would be able to set any permissions applicable to packages on that virtualapps package.
So that’s the general idea: duplicate your folder names as securable “dummy” objects. We will then use WMI eventing to copy the permissions applied on the dummy object over to the freshly created/moved object in the folder.
So much for the general introduction. Now, how do I know when an item is being added to a folder? That’s easy enough: the link between a folder (SMS_ObjectContainerNode) and the object is stored as an instance of SMS_ObjectContainerItem. So subscribing to objects being added to a folder is as simple as executing the notification query:
SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'SMS_ObjectContainerItem'
See, WMI eventing doesn’t have to be difficult at all.
All that is left to do is:
- write a script that subscribes to these events
- once an event is fired, identify the name of the folder that had an object added (based on the ContainerNodeID)
- find the “dummy” object of the same name and object type (oh yeah, forgot to mention that SMS_ObjectContainerNode objects do have an ObjectType, so names only need to be unique within an object type)
- copy the instance permissions of the “dummy” object over to the object that was added to the folder (TargetInstance.InstanceKey in WMI eventing lingo)
That’s it, four easy steps and we are good to go. You can find the script to do this attached to this blogpost.
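To make the four steps concrete, here is an added PowerShell sketch of the same idea; it is not the attached VBScript. The site namespace is a placeholder, and the ObjectType-to-class mapping and the SMS_UserInstancePermissions property names are assumptions you should verify against your site.

```powershell
# Added example (PowerShell), not the attached VBScript: the four steps from the post.
# Dot-source this into a session that stays open, so the event action can see the function.
$ns = 'root\sms\site_XXX'   # placeholder: replace XXX with your site code

# Assumption: securable class and its instance-key property per folder ObjectType.
$classByType = @{ 2 = @('SMS_Package', 'PackageID'); 3 = @('SMS_Advertisement', 'AdvertisementID') }

function Copy-DummyPermissions {
    param($Item)   # the new SMS_ObjectContainerItem delivered by the event
    # Step 2: resolve the folder (SMS_ObjectContainerNode) the object was added to
    $folder = Get-WmiObject -Namespace $ns -Class SMS_ObjectContainerNode `
        -Filter "ContainerNodeID = $($Item.ContainerNodeID)"
    if (-not $folder) { return }
    # Step 3: find the "dummy" object with the same name and object type as the folder
    $map = $classByType[[int]$folder.ObjectType]
    if (-not $map) { return }            # object type not handled: nothing to copy
    $class, $keyProp = $map
    $safeName = $folder.Name -replace "'", "''"   # escape quotes before building WQL
    $dummy = Get-WmiObject -Namespace $ns -Class $class -Filter "Name = '$safeName'" |
        Select-Object -First 1
    if (-not $dummy) { return }          # no dummy object: folder has no permission template
    # Step 4: copy each SMS_UserInstancePermissions row of the dummy onto the new object.
    # Assumption: ObjectKey in SMS_UserInstancePermissions equals the folder ObjectType.
    $perms = Get-WmiObject -Namespace $ns -Class SMS_UserInstancePermissions `
        -Filter "ObjectKey = $($folder.ObjectType) AND InstanceKey = '$($dummy.$keyProp)'"
    foreach ($p in $perms) {
        if ($p.InstanceKey -eq $Item.InstanceKey) { continue }   # the dummy itself was moved
        try {
            # Permissions are only added here; rights already on the object are left untouched.
            $null = Set-WmiInstance -Namespace $ns -Class SMS_UserInstancePermissions -Arguments @{
                UserName            = $p.UserName
                ObjectKey           = $p.ObjectKey
                InstanceKey         = $Item.InstanceKey
                InstancePermissions = $p.InstancePermissions
            } -ErrorAction Stop
            Write-Verbose "Granted $($p.UserName) rights $($p.InstancePermissions) on $($Item.InstanceKey)"
        } catch {
            Write-Warning "Could not copy permission for $($p.UserName): $_"
        }
    }
}

# Step 1: subscribe to container-item creations with the notification query from the post
Register-WmiEvent -Namespace $ns -SourceIdentifier 'SmsFolderItemAdded' `
    -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'SMS_ObjectContainerItem'" `
    -Action { Copy-DummyPermissions -Item $Event.SourceEventArgs.NewEvent.TargetInstance }
```

Because the copy only ever adds rights, review the dummy objects themselves as carefully as any other permission template: whoever can edit a dummy object’s permissions effectively controls every object later dropped into that folder.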
I will go over the code in Part2 of this blogpost and explain what it is I am doing.
Download the script from SkyDrive here: http://cid-2c4ac2127eae73d5.skydrive.live.com/self.aspx/Public/bloglinks/inheritfolderpermissions-standalone2.vbs