Show specific scripts to MECM (SCCM) console users

A few days ago one of my colleagues asked me whether we could let the IT helpdesk colleagues run scripts from the console themselves. A great idea of course: a script can fix an issue quickly, and the user is helped a lot faster if the helpdesk employees can run the script(s) themselves instead of first having to call a colleague from a different IT team to run them. But the console can contain a lot of scripts, and perhaps you don’t want the helpdesk to be able to run all of them, only a selection. So in this post I will show you how to allow a specific script or scripts to be run by the helpdesk employees.

Create Active Directory groups

First let’s create an AD group for the helpdesk employees for basic task operations in MECM, and then a second group that allows running scripts. We use these groups to give the helpdesk access to the MECM console to see all collections and folders and do basic tasks, and to allow them to deploy certain scripts.

Open Active Directory Users and Computers, right click on the Organizational Unit and select New > Group.

Give the group a name, in this case I will name the group: IT-helpdesk-staff

Also create the AD group: IT-helpdesk-Run-Scripts

After creating the groups we can add a user to them; let’s add the user helpdesk to both groups. Double click on each group and go to the Members tab, click Add and enter the name of the user. Click Check Names to verify that the user exists, then click OK and OK.

Create Security Role

We can now go to the MECM console and create two Security Roles for the helpdesk. With a security role you can allow certain functions of the console to different user groups. In this case we will create two custom security roles, one with the permission to deploy scripts and the other with remote tools permissions. You can also create a Security Role only for the run scripts permission.

Open the console and go to: \Administration\Overview\Security\Security Roles. There are about 15 built-in roles. We will create a copy of one of them and modify the copy to meet our needs.

Right click on the role: Remote Tools Operator and select Copy.

Give the Role a name and a description if you want. In this case I will name the role IT-Helpdesk Remote tools and click OK.

Add these extra permissions:

Folder Class > Read > Yes

Site > Read > Yes

Click OK to create the new role.

Now right click on the role: Remote Tools Operator once more and select Copy.

Give the Role a name and a description if you want. In this case I will name the role IT-Helpdesk Run Scripts. The extra permissions needed to run scripts on devices and collections are the following:

Collection > Run Script > Yes

SMS_Scripts > Read > Yes

Click OK to create the new role. Now we have these two new roles.

Create Security Scope

Now, in order to let the helpdesk see and use only the scripts we want them to see, we create a Security Scope. Go to: \Administration\Overview\Security\Security Scopes. Right click and select Create Security Scope.

Give the Scope a name, in this case I will name it: Script Allowed for helpdesk. You can also add a description. Click OK.

Create Administrative Users

Let’s create the Administrative Users. In this step we assign the security role IT-Helpdesk we created to the AD group IT-helpdesk-staff, and we also have to create an administrative user for the group IT-helpdesk-Run-Scripts and assign it the security role IT-Helpdesk Run Scripts. We have to create two because we want to set different security scopes on them.

Go to: \Administration\Overview\Security\Administrative Users. Right click and select Add User or Group.

Click Browse and add the IT-Helpdesk-staff group and click OK.

Now we add the security role we created for the helpdesk. Click Add… in the Assigned security roles section. Select the IT-Helpdesk role and click OK.

Click OK and OK.

Now let’s create the other Administrative User.

Go to: \Administration\Overview\Security\Administrative Users. Right click and select Add User or Group.

Click Browse and add the IT-Helpdesk-Run-Scripts group and click OK.

Now we add the security role we created for the helpdesk. Click Add… in the Assigned security roles section. Select the IT-Helpdesk Run Scripts role and click OK.

Now select Add in the Assigned security scopes and collections section and select Security Scope.

Select the scope Script Allowed for helpdesk and click OK.

Then remove the Default security scope (the Default scope contains every object, so leaving it in place would still show the helpdesk all scripts) and click OK.

Set Scope on Scripts

Now we want the helpdesk to be allowed to run these scripts:

Bitlocker enabled?
Secureboot enabled?
TPM status

But they must not be able to run the script:

Enable PS Remoting

We can do this by adding the security scope Script Allowed for helpdesk to these scripts:

Bitlocker enabled?
Secureboot enabled?
TPM status
Go to: \Software Library\Overview\Scripts

Right click on each script and select Set Security Scopes:

Check Script Allowed for helpdesk and click OK.
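The whole procedure above can also be done, and afterwards verified, with the ActiveDirectory and ConfigurationManager PowerShell modules. The script below is an added example and is not part of the original post; the domain name CONTOSO, the OU path, the site code P01 and the helpdesk username are assumptions, and the extra role permissions (Folder Class/Site > Read, Collection > Run Script, SMS_Scripts > Read) are still set in the console as described above. The audit function at the end is the check worth keeping: it lists which security scopes each script carries and warns if a script that should stay hidden has received the helpdesk scope.

```powershell
# Added example, not from the original post: the same setup as the console steps,
# plus an audit of which scripts the helpdesk scope exposes.
# Assumed values (not in the post): domain CONTOSO, the group OU, site code P01,
# and the AD user 'helpdesk'. Run on a machine with the console installed, after:
#   Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"

Import-Module ActiveDirectory

$Domain     = 'CONTOSO'                                  # assumption
$GroupOU    = 'OU=Groups,DC=contoso,DC=com'              # assumption
$SiteCode   = 'P01'                                      # assumption
$StaffGroup = 'IT-helpdesk-staff'
$RunGroup   = 'IT-helpdesk-Run-Scripts'
$ScopeName  = 'Script Allowed for helpdesk'
$Allowed    = @('Bitlocker enabled?', 'Secureboot enabled?', 'TPM status')
$Blocked    = @('Enable PS Remoting')

# --- Active Directory groups and the helpdesk member ---------------------------
foreach ($g in $StaffGroup, $RunGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $g -Members 'helpdesk'
}

Set-Location "$($SiteCode):"

# --- Security roles: copies of the built-in Remote Tools Operator ---------------
# The extra permissions are added in the console as the post describes; this script
# only creates the two copies.
foreach ($role in 'IT-Helpdesk Remote tools', 'IT-Helpdesk Run Scripts') {
    if (-not (Get-CMSecurityRole -Name $role)) {
        Copy-CMSecurityRole -SourceRoleName 'Remote Tools Operator' -Name $role
    }
}

# --- Security scope --------------------------------------------------------------
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Scripts the helpdesk may run'
}
$scope = Get-CMSecurityScope -Name $ScopeName

# --- Administrative users --------------------------------------------------------
if (-not (Get-CMAdministrativeUser -Name "$Domain\$StaffGroup")) {
    New-CMAdministrativeUser -Name "$Domain\$StaffGroup" -RoleName 'IT-Helpdesk Remote tools'
}
if (-not (Get-CMAdministrativeUser -Name "$Domain\$RunGroup")) {
    New-CMAdministrativeUser -Name "$Domain\$RunGroup" -RoleName 'IT-Helpdesk Run Scripts' `
        -SecurityScopeName $ScopeName
}
# The Default scope contains every object, so it must not stay on the run-scripts user.
Remove-CMSecurityScopeFromAdministrativeUser -AdministrativeUserName "$Domain\$RunGroup" `
    -SecurityScopeName 'Default' -Force -ErrorAction SilentlyContinue

# --- Tag only the allowed scripts with the helpdesk scope ------------------------
foreach ($name in $Allowed) {
    $script = Get-CMScript -ScriptName $name
    if ($script) { Add-CMObjectSecurityScope -InputObject $script -Scope $scope }
}

# --- Audit: which scripts does the helpdesk scope actually expose? ---------------
function Test-HelpdeskScriptScope {
    param([string[]]$AllowedNames, [string[]]$BlockedNames, [string]$Scope)
    $ok = $true
    foreach ($name in ($AllowedNames + $BlockedNames)) {
        $script = Get-CMScript -ScriptName $name
        if (-not $script) { Write-Warning "Script '$name' not found"; $ok = $false; continue }
        # CategoryName is the scope name on the SMS_SecuredCategory objects returned here
        $scopes   = @((Get-CMObjectSecurityScope -InputObject $script).CategoryName)
        $exposed  = $scopes -contains $Scope
        $expected = $name -in $AllowedNames
        if ($exposed -ne $expected) {
            Write-Warning "Script '$name' exposed=$exposed, expected=$expected"
            $ok = $false
        }
        '{0,-22} scopes: {1}' -f $name, ($scopes -join ', ')
    }
    return $ok
}

Test-HelpdeskScriptScope -AllowedNames $Allowed -BlockedNames $Blocked -Scope $ScopeName
```

The audit only looks at the script objects; the helpdesk user also needs the Collection > Run Script permission from the role and a collection in scope, so run it together with a test from a helpdesk account as in the User experience section.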

User experience

SysAdmin staff

If a system administrator logs in, starts the console and goes to: \Assets and Compliance\Overview\Devices,

right clicks on a device and selects Run Script,

he or she will see all the scripts that can be deployed to the device.

Helpdesk staff

If an employee of the helpdesk starts the console and goes to: \Assets and Compliance\Overview\Devices,

right clicks on a device and selects Run Script,

he or she will only see the scripts we want him or her to deploy to a device, and NOT the script Enable PS Remoting.

If you want to know how to create a script in MECM you can go to my post about the Run Script feature.
