Using Collection limitations in Configuration Manager 2012

In my previous post I blogged about migrating collections from ConfigMgr. 2007 to ConfigMgr. 2012. This post will focus on some of the great collection changes you will see in ConfigMgr. 2012. First a quick recap of the new features:

  • There are separate collections for Users and Devices. You can’t mix objects the two objects in the same collection anymore.
  • There are two top collections, All Systems and All Users. Those collections can’t be deleted.
  • All collections must be limited to another collection.
  • Linked collections do not exist any longer.
  • Sub collections do not exist any longer.
  • Collections are part of the global dataset, meaning that collections will be visible at all sites.
  • Two new query rules exist, Include and Exclude.

Using collection limitations

A very common question in the forum is how to split up administration of Servers and Workstations. For many this has been done by installing multiple ConfigMgr. 2007 sites. with ConfigMgr. 2012 you can control access by using RBAC (Role Based Access Control). By default the product ships with 13 predefined security roles.


In this example I will assign two different AD groups the Application administrator role and a limit the scope to the correct top level collection.

  1. Navigate to Overview, Security and Permissions, Administrative Users, Right click and create new user group
  2. Click Browse and select the correct group, in my example Desktop Admins.
  3. Click Add and assign the Application administrator role.
  4. Click Add and select Collection.


  5. Select Device collections.
  6. Select the correct top level collection. In this example I have All workstations which is the top level collection for all my desktops. Click OK to close the window.


  7. Remove all unwanted collections by selecting them and click Remove.
  8. Click Add and assign a security scope. In my example I have added the Default scope.


  9. Click OK.
  10. When you log in as a Desktop admin user all you will see, are the collections limited to the All Workstations collection.


  11. If you later limit another collection to All Workstations that collection will automatically be shown.
  12. In this example I have modified the collection properties for an existing collection and limited the collection to All Workstations.



  13. That’s it, security is not a valid reason to have multiple primary sites in ConfigMgr. 2012.
By | 2017-08-22T13:09:52+00:00 April 25th, 2011|Configuration Manager (SCCM)|4 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.


  1. […] Using Collection limitations in Configuration Manager 2012 from Kent Agerlund (He talks about the security permission settings in […]

  2. Kevin Wornell December 16, 2015 at 20:45 - Reply

    I cannot get this to work. I followed these instructions and my user can see all Device collections. I would love to be able to limit what they can see in SCCM 2012 R2 SP1

  3. Henri Brasseur February 25, 2016 at 12:47 - Reply

    Does it allow me to choose to deploy an application to different collections at the same time ? for example, I have a device collection named YYY. And 2 others collections named XXX and ZZZ that have the collection YYY in their limitation collection.

    If i set a deployment for the collection YYY, does it apply to the XXX and ZZZ collection ?

    thanks in advance

  4. shakti October 12, 2017 at 20:42 - Reply

    i create a new collection and changed the limiting collection from one boundary to another and later that was the reason of temp collection being deleted after 10 min of creation. some RCA by experts suggested that the limiting collection change from one boundary to another limiting collection boundary was the reason and there is something to do with RBAC on the sql side which created a null value in the database and was blocking for new collection from creating and was deleting the temp collections created from API. could that be a reason or there might be someother issue for the reason of temp collection which were created through API getting deleted after being created within 10-15 min.

Leave A Comment