Configuration Manager PowerShell - Administrative Model and Collection Creation
A problem of delegated administration
I was recently on-site with a customer that had very specific requirements regarding which Administrative Users had access to add devices to collections for Software Distribution. The design that they had come up with was not working as they had expected. After some discussion, we came up with the following model.
The requirements are as follows:
- Separate Servers and Workstations
- Provide access to the group that creates deployments (enterprise wide)
- Each Department Manager should have access to deploy software to any device in their department (via Direct Membership)
- Within each department, a Junior Admin (or Service Desk Staff) should be able to manage deployments to a smaller subset of systems in each department
This sounds pretty easy at first, but the tradeoff is the administrative overhead: a lot of collections need to be created for each Software Distribution.
This sounds like the perfect opportunity to leverage PowerShell to automate collection creation!
PowerShell Collection Creator
There are two Configuration Manager PowerShell cmdlets that we need to use here:
- New-CMDeviceCollection
- Add-CMDeviceCollectionIncludeMembershipRule
We need this to be an easily repeatable process with the following inputs:
- CSV or text file with collection names
- Title of the Application to be deployed
- Site Code of the Site Server to create the collections on
I like to use CSV files, so I created the following simple CSV file to use as input.
First we need to create the "All Workstations" and "All Workstations Deployments" collections, both limited to the "All Systems" collection.
New-CMDeviceCollection -Name 'All Workstations' -LimitingCollectionName 'All Systems'
New-CMDeviceCollection -Name 'All Workstations Deployments' -LimitingCollectionName 'All Systems'
Since these are both one-time created collections, it is simpler to set the membership rules in the console to determine the membership of the 'All Workstations' and 'All Workstations Deployments' collections. A sample query may look like:
select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation%"
Next, we need to create the departmental and bench collections. For this we will use the CSV file. This is again a one-time task.
# Each CSV row supplies the new collection name and the collection it is limited to
Import-Csv C:\working\AppCollections.csv | ForEach-Object { New-CMDeviceCollection -Name $_.Collection -LimitingCollectionName $_.LimitingCollection }
The results should look like this (I put all my collections into a folder).
Finally, we are ready to create a reusable script to run each time we want to create a new set of applications for deployment.
This is going to be done in two parts.
- Create the Departmental Collections
- Create the Deployment Collection with Include rules
The script prompts for the "Application Title" and then imports the Configuration Manager PowerShell module. It then changes context to the Site and executes the collection creation.
Static variables are set for the path to the CSV file and the Site Code.
The following is sample code (with comments).
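As an added illustration of the two-part script described above (not the original post's sample), the following PowerShell implements the same flow. It assumes the CSV has the `Collection` and `LimitingCollection` columns used earlier, that each per-application collection is limited to its departmental collection (so a department admin can only add their own devices by direct membership), and that `XYZ` is a placeholder site code.

```powershell
# Added example: creates the per-application deployment collections.
# Assumptions (not from the original post): CSV columns 'Collection' and
# 'LimitingCollection'; 'XYZ' is a placeholder for your site code.
param(
    [Parameter(Mandatory = $true)]   # prompts for the Application Title when omitted
    [string]$ApplicationTitle
)

$SiteCode = 'XYZ'                              # static: site code (placeholder)
$CsvPath  = 'C:\working\AppCollections.csv'    # static: same CSV used above

# Load the Configuration Manager module from the console install and move to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

$rows           = Import-Csv -Path $CsvPath
$deploymentName = "$ApplicationTitle - All Workstations Deployment"

# Part 1: one collection per department/bench row, limited to that department's
# collection, so each Dept A / Dept A Build admin only sees their own scope.
foreach ($row in $rows) {
    $name = "$ApplicationTitle - $($row.Collection)"
    if (Get-CMDeviceCollection -Name $name) {
        Write-Warning "Collection '$name' already exists, skipping"
        continue
    }
    New-CMDeviceCollection -Name $name -LimitingCollectionName $row.Collection | Out-Null
}

# Part 2: the enterprise-wide deployment collection, limited to
# 'All Workstations Deployments', with an Include rule per departmental collection.
# The deployment team targets this one; department admins never need rights to it.
if (-not (Get-CMDeviceCollection -Name $deploymentName)) {
    New-CMDeviceCollection -Name $deploymentName `
        -LimitingCollectionName 'All Workstations Deployments' | Out-Null
}
foreach ($row in $rows) {
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $deploymentName `
        -IncludeCollectionName "$ApplicationTitle - $($row.Collection)"
}
```

The existence checks make the script safe to re-run for the same application title; the Security Roles and Scopes discussed below still govern who may modify each collection.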
And the resulting collections look like this.
I organize the collections using two folders, Enterprise Deployment and Regional Deployments.
Administrative Model
Now, we can create Administrative Users that match up with the collections.
Note that you will still need to set up the appropriate Security Roles and Security Scopes to determine which actions and objects the Administrative Users should have rights to.
When a Workstations Dept A Admin logs in, they only have access to the Dept A collections.
When logged in as the Workstations Dept A Build user, you only have access to the Workstations Dept A Build collections.
Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose.
This sample assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific needs. If you have limited programming experience, you may want to contact a Microsoft Certified Partner or the Microsoft fee-based consulting line at (800) 936-5200.
For more information about Microsoft Certified Partners, please visit the following Microsoft Web site: https://partner.microsoft.com/global/30000104