SCCM Security Tips

Permissions in SCCM are quite straightforward if used properly, but can easily become complex.

In a multi-domain environment, the best practice is to use domain security groups to delegate users to SCCM roles.

The key to understanding the security model is to review the elements that make up SCCM’s security model:

Here is an example of the basic groups that should be created in AD:

It’s a good habit not to assign explicit rights to users.

Explicit rights assignments do not necessarily take precedence over group-inherited rights. Rights added to a user in SCCM are added on top of the rights the user inherits from groups. There are no explicit deny rights in SCCM, so you don’t have to worry about having conflicting rights.

Important Tip:

For these SCCM rights to be effective, the user must be a member of the SMS Admins local group on the SMS Provider computer. Adding user rights through the Object Class Security Right Properties dialog box or the Object Instance Security Right Properties dialog box does not give the user or group the necessary membership in SMS Admins.
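One way to audit the requirement above is to compare the accounts that hold SCCM rights with the direct members of SMS Admins on the SMS Provider computer. This is an added example, not part of the original post. The computer name and site code are placeholders, and it assumes the SCCM 2007 provider classes SMS_UserClassPermissions and SMS_UserInstancePermissions, PowerShell remoting, and Windows PowerShell 5.1 on the provider for Get-LocalGroupMember.

```powershell
# Added example, not from the original post. Replace the placeholders before use.
$ProviderComputer = 'PROVIDER-PLACEHOLDER'   # SMS Provider computer (placeholder)
$SiteCode         = 'XXX'                    # three-character site code (placeholder)
$Namespace        = "root\sms\site_$SiteCode"

# 1. Every user or group that holds class or instance rights in SCCM.
#    Assumes the SCCM 2007 provider classes and their UserName property.
$granted = foreach ($class in 'SMS_UserClassPermissions', 'SMS_UserInstancePermissions') {
    Get-WmiObject -ComputerName $ProviderComputer -Namespace $Namespace -Class $class |
        Select-Object -ExpandProperty UserName
}
$granted = @($granted | Sort-Object -Unique)

# 2. Direct members of the local SMS Admins group on the SMS Provider computer.
$smsAdmins = @(Invoke-Command -ComputerName $ProviderComputer -ScriptBlock {
    Get-LocalGroupMember -Group 'SMS Admins' | Select-Object Name, ObjectClass
})

# 3. One row per principal with SCCM rights, marking whether it is listed
#    directly in SMS Admins (comparison is case-insensitive).
$report = foreach ($principal in $granted) {
    [pscustomobject]@{
        Principal   = $principal
        InSmsAdmins = $smsAdmins.Name -contains $principal
    }
}

# 4. Principals whose SCCM rights may not be effective.
$report | Where-Object { -not $_.InSmsAdmins } | Format-Table -AutoSize

# 5. Individual user accounts sitting directly in SMS Admins, to review against
#    the habit of delegating through groups rather than to users.
$smsAdmins | Where-Object { $_.ObjectClass -eq 'User' } | Format-Table -AutoSize
```

A principal listed in step 4 may still be covered through a domain group that is itself a member of SMS Admins, so resolve group membership before treating the row as a gap.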