Jul 12 2023 08:34 AM
We have 40+ domain controllers and have been reluctant to use SCCM for managing their monthly Windows Updates. Our security team points out that since SCCM runs under the SYSTEM account, the SCCM team could run scripts to create a user and elevate that user's privileges fairly easily.
Question: Is there a way in SCCM to separate these domain controllers and control who can manage them? We would like only the domain admins to have access to these domain controllers.
Thanks
Jul 13 2023 02:38 AM
Solution
Hi @LL10890,
The answer is yes, in SCCM (System Center Configuration Manager), you can separate and control access to domain controllers to ensure that only authorized individuals or groups (in your case Domain Admins) can manage them.
Here's how you can achieve this:
- Create a specific group in SCCM for your domain controllers. This group will include all the domain controller machines.
Create collections in Configuration Manager.
- Assign the necessary administrative roles to the users or groups who should have access to manage the domain controllers. In this case, you would grant Domain Admins access to the domain controller group.
Role-based administration fundamentals - Configuration Manager | Microsoft Learn
Configure role-based administration - Configuration Manager | Microsoft Learn
- Configure the security settings in SCCM to restrict access to the domain controller group. This way, only users or groups with the designated roles and permissions will be able to view and manage the domain controllers within SCCM.
Manage clients - Configuration Manager | Microsoft Learn
By following these steps, you can effectively separate and control who can manage the domain controllers in SCCM.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards
Leon Pavesic
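The three steps in the answer above, sketched with the ConfigurationManager PowerShell module as an added example (not part of the original post), with a final check listing other administrative users whose collection scope still covers the domain controllers. The site code `PS1`, the collection name, the `CONTOSO\Domain Admins` group and the choice of the built-in Software Update Manager role are assumptions; the query relies on hardware inventory being enabled.

```powershell
# Added example; run on a host with the Configuration Manager console installed.
# Assumed names: site code 'PS1', collection 'Domain Controllers', group 'CONTOSO\Domain Admins'.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

$dcCollection = 'Domain Controllers'
$dcAdmins     = 'CONTOSO\Domain Admins'

# Step 1: query-based device collection that picks up every DC from hardware inventory.
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$wql = @'
select SMS_R_System.ResourceId, SMS_R_System.Name from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM
  on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.DomainRole in (4, 5)
'@
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
New-CMDeviceCollection -Name $dcCollection -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $dcCollection `
    -RuleName 'DomainRole 4 or 5' -QueryExpression $wql

# Step 2: add the group as an administrative user whose role applies only to that collection.
New-CMAdministrativeUser -Name $dcAdmins -RoleName 'Software Update Manager' `
    -CollectionName $dcCollection -SecurityScopeName 'Default' | Out-Null

# Step 3: review every other administrative user whose collection scope still reaches the DCs.
# 'All Systems' contains every device, so anyone scoped to it can still target the DC collection.
Get-CMAdministrativeUser |
    Where-Object {
        $_.LogonName -ne $dcAdmins -and (
            $_.CollectionNames -contains 'All Systems' -or
            $_.CollectionNames -contains $dcCollection)
    } |
    Select-Object LogonName, RoleNames, CollectionNames
```

Any account the last command returns needs its collection scope narrowed before the separation holds.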