Status Filter Rules Sample: Grant a low-rights user instance permission on a Task Sequence when it is created

Status filter rules are a ConfigMgr feature that triggers an action when a specific status message is received. ConfigMgr ships with some predefined status filter rules, and you can define your own to meet your administrative requirements.

Below is an example of how to use a status filter rule to automatically grant a low-rights user instance permission on a Task Sequence when the Task Sequence is created.

Steps:

1. Write a script that adds an instance right for a specific user and package (a Task Sequence is a special kind of package):

Addinstanceright.vbs:

'Usage: addinstanceright <sitecode> <username> <packageid>
Dim oFilesys, oFiletxt, lLocator, gService, permissions

' Without this, a failing call stops the script and the Err.Number checks below never run.
On Error Resume Next

' The log file path is hard-coded.
Set oFilesys = CreateObject("Scripting.FileSystemObject")
Set oFiletxt = oFilesys.CreateTextFile("d:\output22.txt", True)
oFiletxt.WriteLine("This file holds inventory of some kind.")

' Stop here when the argument count is wrong instead of indexing missing arguments.
If WScript.Arguments.Count <> 3 Then
    oFiletxt.WriteLine("Usage addinstanceright <sitecode> <username> <packageid>")
    oFiletxt.Close
    WScript.Quit 1
End If

' Log the arguments received from the status filter rule.
oFiletxt.WriteLine(WScript.Arguments(0))
oFiletxt.WriteLine(WScript.Arguments(1))
oFiletxt.WriteLine(WScript.Arguments(2))

' Connect to the site's provider namespace on the local server.
Set lLocator = CreateObject("WbemScripting.SWbemLocator")
Set gService = lLocator.ConnectServer(".", "root\sms\site_" & WScript.Arguments(0))

Set permissions = gService.Get("SMS_UserInstancePermissions").SpawnInstance_()
If Err.Number <> 0 Then
    oFiletxt.WriteLine("Couldn't get instance permissions object")
    oFiletxt.Close
    WScript.Quit 1
End If

permissions.UserName = WScript.Arguments(1)
permissions.ObjectKey = 20 'TaskSequence
permissions.InstanceKey = WScript.Arguments(2)
permissions.InstancePermissions = 7 'Read, modify and delete

' Report success only when the commit actually succeeded.
permissions.Put_
If Err.Number <> 0 Then
    oFiletxt.WriteLine("Couldn't commit instance permissions")
Else
    oFiletxt.WriteLine("Instance permissions added")
End If
oFiletxt.Close

2. Write a batch file to wrap the command:

Sample CMDWrapper.bat:

cscript d:\addinstanceright.vbs %1 %2 %3

3. Create a new Status Filter Rule:

Site Settings -> Status Filter Rules -> New Status Filter Rule

On the General tab: set Site code = <Site Code> and Message ID = 30000, and enter any name you like.

On the Actions tab: check Run a program and set Program: d:\CMDWrapper.bat %msgsc %msgis01 %msgis02

Please note the following about this script:

1. The log file path is hard-coded to d:\output22.txt.

2. There is no real error handling here; the script should check whether the input parameters are correct.

3. Status message 30000 is raised for all package creation operations, so the command runs even when a normal package is created.

4. In this script, we grant instance permission to the user who creates the Task Sequence. In real scenarios you can set the user to whoever you want. However, the script does not check whether the user already has class permission, so it adds instance permission for everyone who creates a package.
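
Notes 2 and 3 above, as an added example that is not part of the original post: a variant of the script that validates its three arguments and grants the permission only when the package ID belongs to a Task Sequence. The file name checkedgrant.vbs, the argument formats in the patterns, and the use of the SMS_TaskSequencePackage class for the check are assumptions of this example.

```vbscript
' Added example (not from the original post).
' Usage: cscript checkedgrant.vbs <sitecode> <username> <packageid>
Option Explicit
Dim siteCode, userName, packageId, locator, service, found, perm

' True when the whole value matches the anchored pattern (case-insensitive).
Function IsMatch(pattern, value)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = True
    IsMatch = re.Test(value)
End Function

Sub Fail(message)
    WScript.Echo "ERROR: " & message
    WScript.Quit 1
End Sub

If WScript.Arguments.Count <> 3 Then Fail "Usage: checkedgrant.vbs <sitecode> <username> <packageid>"
siteCode = WScript.Arguments(0)
userName = WScript.Arguments(1)
packageId = WScript.Arguments(2)

' Assumed formats: 3-character site code, DOMAIN\user account, 8-character package ID.
' Strict patterns also keep quotes out of the WQL query built below.
If Not IsMatch("^[A-Z0-9]{3}$", siteCode) Then Fail "Bad site code"
If Not IsMatch("^[A-Z0-9.-]+\\[A-Z0-9._$-]+$", userName) Then Fail "Bad user name"
If Not IsMatch("^[A-Z0-9]{8}$", packageId) Then Fail "Bad package ID"

On Error Resume Next
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set service = locator.ConnectServer(".", "root\sms\site_" & siteCode)
If Err.Number <> 0 Then Fail "Cannot connect to the site namespace: " & Err.Description

' Message 30000 fires for every package, so continue only for Task Sequences.
Set found = service.ExecQuery("SELECT PackageID FROM SMS_TaskSequencePackage WHERE PackageID = '" & packageId & "'")
If Err.Number <> 0 Then Fail "Query failed: " & Err.Description
If found.Count = 0 Then
    WScript.Echo "Not a Task Sequence, nothing granted: " & packageId
    WScript.Quit 0
End If

Set perm = service.Get("SMS_UserInstancePermissions").SpawnInstance_()
perm.UserName = userName
perm.ObjectKey = 20            ' TaskSequence (value from the post)
perm.InstanceKey = packageId
perm.InstancePermissions = 7   ' Read, modify and delete (value from the post)
perm.Put_
If Err.Number <> 0 Then Fail "Could not commit instance permissions: " & Err.Description
WScript.Echo "Instance permissions added for " & userName & " on " & packageId
```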

 

Some tips for creating scripts for Status Filter Rules:

1. A Status Filter Rule is site-wide.

2. See this link for the complete list of parameters that a status filter rule script can use: https://technet.microsoft.com/en-us/library/bb693758.aspx

3. To find out what each msgis0x holds for a specific status message, open the status message detail dialog for that message and check the Properties text box. For example, for message ID 30000, the dialog shows that msgis01 is the package ID and msgis02 is the user name.