Status Filter Rules Sample: Grant a low-rights user instance permission on a Task Sequence when it is created.
Status filter rules are a feature in ConfigMgr: a rule triggers an action when a specific status message is received. ConfigMgr has some pre-defined status filter rules. You can define your own status filter rules to fulfill your administrative requirements.
Below is an example of how to use a status filter rule to grant a low-rights user instance permission on a Task Sequence automatically when the Task Sequence is created.
Steps:
1. Write a script to add an instance right for a specific user and a package (a Task Sequence is a special kind of package):
Addinstanceright.vbs:
'Usage: addinstanceright <sitecode> <username> <packageid>
Dim oFilesys, oFiletxt, lLocator, gService, permissions
Set oFilesys = CreateObject("Scripting.FileSystemObject")
' The log file path is hard coded.
Set oFiletxt = oFilesys.CreateTextFile("d:\output22.txt", True)
oFiletxt.WriteLine("This file holds inventory of some kind.")
If (WScript.Arguments.Count <> 3) Then
    oFiletxt.WriteLine("Usage addinstanceright <sitecode> <username> <packageid>")
    ' Stop here: the argument lookups below would fail.
    oFiletxt.Close
    WScript.Quit 1
Else
    oFiletxt.WriteLine(WScript.Arguments(0))
    oFiletxt.WriteLine(WScript.Arguments(1))
    oFiletxt.WriteLine(WScript.Arguments(2))
End If
' Without this statement the Err.Number checks below are never reached.
On Error Resume Next
Set lLocator = CreateObject("WbemScripting.SWbemLocator")
Set gService = lLocator.ConnectServer(".", "root\sms\site_" + WScript.Arguments(0))
Set permissions = gService.Get("SMS_UserInstancePermissions").SpawnInstance_()
If Err.Number <> 0 Then
    oFiletxt.WriteLine("Couldn't get instance permissions object")
    oFiletxt.Close
    WScript.Quit 1
End If
permissions.UserName = WScript.Arguments(1)
permissions.ObjectKey = 20 ' TaskSequence
permissions.InstanceKey = WScript.Arguments(2)
permissions.InstancePermissions = 7 ' Read, modify and delete
permissions.Put_
If Err.Number <> 0 Then
    oFiletxt.WriteLine("Couldn't commit instance permissions")
Else
    oFiletxt.WriteLine("Instance permissions added")
End If
oFiletxt.Close
2. Write a batch file to wrap the command:
Sample CMDWrapper.bat:
cscript d:\addinstanceright.vbs %1 %2 %3
3. Create a new Status Filter Rule:
Site Settings -> Status Filter Rules -> New Status Filter Rule
Under General: set Site code = <Site Code> and Message ID = 30000, and set the Name to whatever you want.
Under Actions: check Run a program and set Program: d:\CMDWrapper.bat %msgsc %msgis01 %msgis02
Please note, for this script:
1. The log file is hard coded to d:\output22.txt.
2. There’s no error handling here. We need to check whether the input parameters are correct.
3. Status message 30000 is raised for all package creation operations, so the command will also run when a normal package is created.
4. In this script, we grant instance permission to the user who creates the Task Sequence. You can set the user to whoever you want in real scenarios. However, this script doesn’t check whether the user already has class permission or not, so we add instance permission for everyone who creates a package.
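The checks that notes 2 and 3 call for, as an added example that is not part of the original script: it validates the three arguments and confirms the package is a Task Sequence before any permission is granted. The function names and the format patterns (three-character site code, site code plus five hex digits for the package ID, DOMAIN\user for the account) are assumptions to adjust for your site.

```vbscript
' Added example, not the original script. Format patterns are assumptions.
Option Explicit

Function Matches(pattern, value)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = True
    Matches = re.Test(value)
End Function

Function ArgsAreValid(siteCode, userName, packageId)
    ' Anchored allow-lists: anything with quotes, spaces or shell
    ' metacharacters is rejected before it reaches WMI or a WQL string.
    ArgsAreValid = Matches("^[A-Z0-9]{3}$", siteCode) _
        And Matches("^[A-Z0-9]{3}[0-9A-F]{5}$", packageId) _
        And Matches("^[A-Z0-9._-]{1,15}\\[A-Z0-9._$-]{1,64}$", userName)
End Function

Function IsTaskSequence(service, packageId)
    ' packageId has already passed ArgsAreValid, so it is safe inside WQL.
    Dim results
    Set results = service.ExecQuery( _
        "SELECT PackageID FROM SMS_TaskSequencePackage WHERE PackageID = '" & packageId & "'")
    IsTaskSequence = (results.Count > 0)
End Function

Dim args, locator, smsService
Set args = WScript.Arguments
If args.Count <> 3 Then
    WScript.Echo "Usage: addinstanceright <sitecode> <username> <packageid>"
    WScript.Quit 1
End If
If Not ArgsAreValid(args(0), args(1), args(2)) Then
    WScript.Echo "Rejected: argument format not recognised"
    WScript.Quit 2
End If
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set smsService = locator.ConnectServer(".", "root\sms\site_" & args(0))
If Not IsTaskSequence(smsService, args(2)) Then
    ' Message 30000 also fires for normal packages: do nothing for those.
    WScript.Echo "Skipped: " & args(2) & " is not a task sequence"
    WScript.Quit 0
End If
' Only at this point should the SMS_UserInstancePermissions instance be created.
WScript.Echo "OK to grant instance permission on " & args(2) & " to " & args(1)
```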
Some tips for creating scripts for Status Filter Rules:
1. A Status Filter Rule is site wide.
2. You can check this link for the complete list of parameters that can be used by a status filter rule script: https://technet.microsoft.com/en-us/library/bb693758.aspx
3. To find out what each msgis0x holds for a specific status message, open the status message detail dialogue for that status message and check the properties text box. E.g., for message id = 3000, from that dialogue we can tell msgis01 is packageid and msgis02 is username.
Comments
- Anonymous
September 30, 2015
I've got just about everything you listed here working, except for the last piece. When I add msgis01 all the way to msgis10 I don't get any results. The other Variables are working as expected. I get the computer name, and the Description text, and that's it. Here's my usage: "Computer: %msgsys|Message: %msgdesc|Task Sequence: %msgis01|Advertisement: %msgis02|%msgis03|%msgis04|%msgis05|%msgis06|%msgis07||%msgis08|%msgis09|%msgis10