The Configuration Manager 2007 SDK has a lot of missing examples and parts that are not well documented.
One of them is the part about User permissions and how to add them.
During the development of the install script for our HTA solution, I had to create an HTA user with special permissions for the different classes on the site server.
I created a function called “SetConfigMgrPermission” for this specific purpose.
It is actually a quite simple function.
It requires:
- Connection: this is a standard configmgr connection, created by the connect function from the SDK. The downloadable script contains my version of this function too.
- username: Username of the user you want to give permissions.
- objectKey: the class you want to add the permissions for (collection, advertisement etc.). Read more below.
- ClassPermissions: the permissions given to the user! Read more below.
```vbscript
' Collection - 1
' Read, Modify, Modify Resource, Read Resource, Modify Collection Setting, Delete resource - 2101891
SetConfigMgrPermission connection, username, 1, 2101891

' Site - 6
' Read, Import Computer Entry - 524289
SetConfigMgrPermission connection, username, 6, 524289

' Computer association - 17
' Create - 1024
SetConfigMgrPermission connection, username, 17, 7

'//----------------------------------------------------------------------------
'// Procedures
'//----------------------------------------------------------------------------
Function SetConfigMgrPermission(connection, username, objectKey, ClassPermissions)
    Dim permissions
    On Error Resume Next

    ' Create the user class permissions object.
    Set permissions = connection.Get("SMS_UserClassPermissions").SpawnInstance_()
    If Err.Number <> 0 Then
        WriteLog "Couldn't get class permissions object"
        Exit Function
    End If

    permissions.UserName = username
    permissions.ObjectKey = objectKey ' class number (1 = collections)
    permissions.ClassPermissions = ClassPermissions

    ' Commit the new permission instance to the site server.
    permissions.Put_
    If Err.Number <> 0 Then
        WriteLog "Couldn't commit permissions"
        Exit Function
    End If
End Function
```
The ObjectKey Property
This property takes an integer that identifies the class. The SDK explains it here: http://msdn.microsoft.com/en-us/library/aa508792.aspx
Unfortunately the table is incomplete: I had to add the “Computer Association” class, and it wasn’t there!
I have created this table instead; it contains more than the SDK version. Please share your knowledge of more class numbers and I will add them!
Value | Meaning |
1 | Collection |
2 | Package |
3 | Advertisement |
4 | Status Message |
5 | (Not Used) |
6 | Site |
7 | Query |
8 | Report |
9 | Software metering rule |
10 | Applicable updates summary |
11 | Configuration Items |
14 | OS Install package |
15 | Deployment Template |
16 | Deployment |
17 | Computer Association |
18 | OS image |
19 | Boot image package |
20 | Task sequence package |
23 | Driver package |
24 | Deployment package |
26 | Asset intelligence |
Some of you might wonder, “How did you find the correct number when it isn’t in the SDK?”
I did it by creating a small WMI script using one of my all-time favorite and most commonly used utilities, called WMICodeCreator! Get it for free here
I created a small script to show all the permission objects on the server by listing all instances in SMS_UserClassPermissions.
The script contained the following code (if you want to try it without using the WMICodeCreator utility).
I made a small modification to the script’s select statement to include only the user I am using for the test, in this case Coretech\FTP. Since it is WMI, the backslash has to be written twice.
```vbscript
strComputer = "CTSCCM01"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\SMS\site_DK1")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM SMS_UserClassPermissions where username = ""CORETECH\\FTP"" ",,48)
For Each objItem in colItems
    WScript.Echo "-----------------------------------"
    Wscript.Echo "SMS_UserClassPermissions instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "ClassPermissions: " & objItem.ClassPermissions
    Wscript.Echo "ObjectKey: " & objItem.ObjectKey
    Wscript.Echo "UserName: " & objItem.UserName
Next
```
Then I added one class at a time, until I had written down all of them 🙂
The next challenge is:
The ClassPermissions Property
The manual says:
ClassPermissions
Data type: uint32
Access type: Read/write
Qualifiers: Bits
Permissions granted to a user for a specific class object. Zero or more of these bit fields can be specified. Bit fields:
READ (0)
MODIFY (1)
DELETE (2)
DISTRIBUTE (3)
CREATE_CHILD (4)
REMOTE_CONTROL (5)
ADVERTISE (6)
MODIFY_RESOURCE (7)
ADMINISTER (8)
DELETE_RESOURCE (9)
CREATE (10)
VIEW_COLL_FILE (11)
READ_RESOURCE (12)
It might make more sense to you if I put it in a bit table:
Name | Value |
Read | 1 |
Modify | 2 |
Delete | 4 |
Distribute | 8 |
Create_Child | 16 |
Remote_control | 32 |
Advertise | 64 |
Modify_resource | 128 |
Administer | 256 |
Delete_Resource | 512 |
Create | 1024 |
View_coll_file | 2046 |
Read_Resource | 4096 |
Modify Collection Setting | 2097152 |
Unfortunately this table is incomplete too; use the same trick as for the ObjectKey above.
The easiest way to give the correct permissions is to add a user with the permissions needed, and then use the WMI script to get the values for the ClassPermissions and ObjectKey.
Please notice that SCCM might add the “Read” permission when you add another permission, so check how many permissions were added when you select the one you want to investigate, and take that into account in the calculation.
To make use of these values we have to add them together. Let's take an example:
```vbscript
' Collection - 1
' Read, Modify, Modify Resource, Read Resource, Modify Collection Setting, Delete resource - 2101891
SetConfigMgrPermission connection, username, 1, 2101891
```
This user needs permissions for Collection class objects, which have the number 1.
The permissions value added is 2101891.
If we check the table we get the following calculation:
1 + 2 + 128 + 512 + 4096 + 2097152 = 2101891!!
In the example we add permissions for multiple classes; the only thing you have to do is run the function more than once.
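To check what a ClassPermissions value actually grants, for example after reading it back with the WMI script, the mask can be decoded bit by bit and compared with what was intended. The following is an added example, not part of the original download: names for bits 0-12 follow the SDK list quoted above (each value is 2^bit), the names for bits 19 and 21 are assumptions inferred from the 524289 and 2101891 values used in this post, and the function names are hypothetical.

```vbscript
Option Explicit

' Names for bits 0-12 come from the SDK list quoted above. Bits 19 and 21 are
' inferred from this post's observed values (524289 and 2101891).
Function BitName(bit)
    Dim names
    names = Array("READ", "MODIFY", "DELETE", "DISTRIBUTE", "CREATE_CHILD", _
        "REMOTE_CONTROL", "ADVERTISE", "MODIFY_RESOURCE", "ADMINISTER", _
        "DELETE_RESOURCE", "CREATE", "VIEW_COLL_FILE", "READ_RESOURCE")
    If bit <= UBound(names) Then
        BitName = names(bit)
    ElseIf bit = 19 Then
        BitName = "IMPORT_COMPUTER_ENTRY"      ' assumption, see lead-in
    ElseIf bit = 21 Then
        BitName = "MODIFY_COLLECTION_SETTING"  ' assumption, see lead-in
    Else
        BitName = "UNKNOWN_BIT_" & bit
    End If
End Function

' Turn a ClassPermissions mask into a readable list of rights.
Function DecodeClassPermissions(mask)
    Dim bit, result
    result = ""
    For bit = 0 To 30   ' bit 31 is skipped: it does not fit a signed Long
        If (mask And CLng(2 ^ bit)) <> 0 Then
            result = result & BitName(bit) & ", "
        End If
    Next
    If Len(result) = 0 Then
        DecodeClassPermissions = "(none)"
    Else
        DecodeClassPermissions = Left(result, Len(result) - 2)
    End If
End Function

' Rights present in the granted mask that were not part of the intended mask.
Function ExtraRights(granted, intended)
    ExtraRights = DecodeClassPermissions(granted And (Not intended))
End Function

' The three masks passed to SetConfigMgrPermission in this post.
WScript.Echo "Collection (2101891): " & DecodeClassPermissions(2101891)
WScript.Echo "Site (524289): " & DecodeClassPermissions(524289)
WScript.Echo "Computer association (7): " & DecodeClassPermissions(7)
' Constructed check: CREATE (1024) was intended, 1025 was read back from WMI.
WScript.Echo "Added beyond intent: " & ExtraRights(1025, 1024)
```

Run it with cscript.exe so the output goes to the console; any UNKNOWN_BIT entry marks a right that still needs to be identified with the add-one-permission-at-a-time trick described above.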
I hope this explanation has given you a better understanding of the permission table in Configuration Manager.