Adding users to Configuration Manager 2007 with specific Class Permissions via VBScript

Download: AddUserWithPermissions_1.0.zip (2 KB)

The Configuration Manager 2007 SDK is missing a lot of examples, and parts of it are not well documented.

One of them is the part about User permissions and how to add them.

During the development of the install script for our HTA solution, I had to create an HTA user with special permissions for the different classes on the site server.

I created a function called “SetConfigMgrPermission” for this specific purpose.

It is actually quite a simple function.

It requires:

  1. Connection: this is a standard ConfigMgr connection, created by the connect function from the SDK. The downloadable script contains my version of this function too.
  2. username: the username of the user you want to give permissions to.
  3. objectKey: the class you want to add the permissions for (collection, advertisement etc.). Read more below.
  4. ClassPermissions: the permissions given to the user. Read more below.

The ObjectKey Property

This property takes an integer that specifies the class. The SDK explains it here: http://msdn.microsoft.com/en-us/library/aa508792.aspx

Unfortunately the table is incomplete! I had to add the “Computer Association” class, and it wasn’t there.

I have created this table instead; it contains more than the SDK version. Please share your knowledge of more class numbers and I will add them!

Value Meaning
1 Collection
2 Package
3 Advertisement
4 Status Message
5 (Not Used)
6 Site
7 Query
8 Report
9 Software metering rule
10 Applicable updates summary
11 Configuration Items
14 OS Install package
15 Deployment Template
16 Deployment
17 Computer Association
18 OS image
19 Boot image package
20 Task sequence package
23 Driver package
24 Deployment package
26 Asset intelligence

Some of you might wonder “How did you find the correct number when it isn’t in the SDK?”

I did it by creating a small WMI script using one of my all-time favorite and most commonly used utilities, WMICodeCreator! Get it for free here

I created a small script to show all the permission objects on the server by listing all instances in SMS_UserClassPermissions.

Script contained the following code (if you want to try it without using the WMICodeCreator utility)

I made a small modification to the script’s select statement so that it only includes the user I am using for the test, in this case Coretech\FTP. Since it is WMI, the backslash has to be written twice.

Then I added one class at a time, until I had written down all of them 🙂

The next challenge is:

The ClassPermissions Property

The manual says:

ClassPermissions

Data type: uint32

Access type: Read/write

Qualifiers: Bits

Permissions granted to a user for a specific class object. Zero or more of these bit fields can be specified. Bit fields:

READ (0)

MODIFY (1)

DELETE (2)

DISTRIBUTE (3)

CREATE_CHILD (4)

REMOTE_CONTROL (5)

ADVERTISE (6)

MODIFY_RESOURCE (7)

ADMINISTER (8)

DELETE_RESOURCE (9)

CREATE (10)

VIEW_COLL_FILE (11)

READ_RESOURCE (12)

It might make more sense to you if I put it in a bit table:

Name Value
Read 1
Modify 2
Delete 4
Distribute 8
Create_Child 16
Remote_control 32
Advertise 64
Modify_resource 128
Administer 256
Delete_Resource 512
Create 1024
View_coll_file 2048
Read_Resource 4096
Modify Collection Setting 2097152

Unfortunately this table is incomplete too! Use the same trick as for the objectKey above.

The easiest way to give the correct permissions is to add a user with the permissions needed, and then use the WMI script to get the values for ClassPermissions and objectKey.

Please note that SCCM might add the “Read” permission when you add another permission. When you select the permission you want to investigate, check how many permissions were added before you do the calculation.

To make use of these values we have to add them together. Let's take an example:

This user needs permissions added for Collection class objects, which have the number 1.

The permissions value added is 2101891.

If we check the table we get the following calculation:

1 + 2 + 128 + 512 + 4096 + 2097152 = 2101891!

In the example we add permissions for multiple classes, and the only thing you have to do is to run the function more than once.
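To review what a user has actually been granted, the calculation above can be run in reverse on the values listed from SMS_UserClassPermissions. The following is an added example, not part of the downloadable script: the function names DecodePermissions and ObjectKeyName are hypothetical, the sample rows are constructed, and the lookup tables are the ones on this page, so bits or classes missing from them are reported as unknown rather than guessed.

```vbscript
Option Explicit

Dim permNames, classNames, parts, i
Set permNames = CreateObject("Scripting.Dictionary")   ' bit position -> name
parts = Array("Read", "Modify", "Delete", "Distribute", "Create_Child", _
    "Remote_Control", "Advertise", "Modify_Resource", "Administer", _
    "Delete_Resource", "Create", "View_Coll_File", "Read_Resource")
For i = 0 To UBound(parts)
    permNames.Add CStr(i), parts(i)
Next
permNames.Add "21", "Modify Collection Setting"        ' 2097152 = 2^21

Set classNames = CreateObject("Scripting.Dictionary")  ' ObjectKey -> class
classNames.Add "1", "Collection"
classNames.Add "3", "Advertisement"
classNames.Add "17", "Computer Association"

' Returns the names of the bits set in value (bits 0 to 30 are checked).
' A set bit that is not in the table above comes back as Unknown(<value>).
Function DecodePermissions(value)
    Dim bit, mask, result
    result = ""
    For bit = 0 To 30
        mask = CLng(2 ^ bit)
        If (CLng(value) And mask) <> 0 Then
            If permNames.Exists(CStr(bit)) Then
                result = result & ", " & permNames(CStr(bit))
            Else
                result = result & ", Unknown(" & mask & ")"
            End If
        End If
    Next
    DecodePermissions = Mid(result, 3)   ' drop the leading ", "
End Function

' Returns the class name for an ObjectKey, or a marker if it is not listed.
Function ObjectKeyName(objectKey)
    ObjectKeyName = "Unknown class " & objectKey
    If classNames.Exists(CStr(objectKey)) Then ObjectKeyName = classNames(CStr(objectKey))
End Function

' Constructed sample rows (ObjectKey, ClassPermissions), standing in for
' the instances listed from SMS_UserClassPermissions for one user.
Dim rows, row
rows = Array(Array(1, 2101891), Array(17, 3), Array(3, 16449), Array(30, 1))
For Each row In rows
    WScript.Echo ObjectKeyName(row(0)) & ": " & DecodePermissions(row(1))
Next
```

Run it with cscript.exe; any Unknown(...) entry marks a permission bit or class that still has to be identified with the add-one-at-a-time trick described above.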

I hope this explanation has given you a better understanding of the permission table in Configuration Manager.

About the Author:

Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen
