SCRIPT FOR COPYING A CONFIGMGR ADMINISTRATIVE USER

Recently at work I found myself in the following situation: We have quite a few SCCM administrative users based on AD groups that we needed to copy/clone. Each of the administrative users has a number of custom roles that are restricted to specific collections and security scopes. Doing it manually would be time-consuming and less than optimal. So I set about to see if someone in the community had a tool or a script.

After my initial inquiries came up short, I started taking a good look at the SCCM PowerShell cmdlets, specifically two: Get-CMAdministrativeUser and New-CMAdministrativeUser.

I started by focusing on the following properties: RoleNames, CategoryNames, and CollectionNames. In our test environment, I pulled them with Get-CMAdministrativeUser, assigned them variables, and tried creating my new user with them. It seemed to work decently enough, until I tried it on a more complex administrative user where each of the security roles is restricted to specific collections and scopes (3rd radio button.) It didn’t work properly in this scenario, so I decided to look elsewhere.

Further research led me to the following helpful blog post by Peter van der Woude: https://www.petervanderwoude.nl/post/verify-the-role-based-administration-model-via-powershell/ Go ahead and read his post. I’ll wait…

OK, I had noticed the Permissions property before, but it seemed too easy so I hadn’t started there! Peter does a great job breaking down the WMI underpinnings and explaining the Permissions property. I decided to try getting the Permissions property with Get-CMAdministrativeUser and using it with New-CMAdministrativeUser. And that did the trick! Really simple.

You can use Peter’s WMI method from his post above to do all kinds of cool things without the ConfigMgr PowerShell module. I was already most of the way there with my basic little script utilizing the module, so I stuck with the cmdlets. If you have the ConfigMgr module already loaded, and your site drive already mapped, etc. (like if you just launched ISE from your SCCM console) then this is what worked for me. You just need to specify your new user, and your existing user that you’d like to copy:

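# Account to create and the existing administrative user to copy from
$NewUser = "DOMAIN\New User"
$ExistingUser = "DOMAIN\Existing User"
# Read the existing user's role/scope/collection assignments (Permissions property)
$ExistingUserProperties = Get-CMAdministrativeUser -Name $ExistingUser
$Permissions = $ExistingUserProperties.Permissions
# Create the new administrative user with the same permission set
New-CMAdministrativeUser -Name $NewUser -Permission $Permissions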

If you’re curious, and care to display what the Permissions property returns, you’ll notice a number of entries like this (I sanitized the below example to remove all of our organization/site specific stuff.)

PS <SITE CODE>:\> $Permissions

SmsProviderObjectPath : SMS_APermission
CategoryID            : <CATEGORYID>
CategoryName          : <CATEGORYNAME>
CategoryTypeID        : 29
RoleID                : <ROLEID>
RoleName              : <ROLENAME>

SmsProviderObjectPath : SMS_APermission
CategoryID            : <CATEGORYID>
CategoryName          : <CATEGORYNAME.. Like Limiting Collection>
CategoryTypeID        : 1
RoleID                : <ROLEID>
RoleName              : <ROLENAME>

You’ll notice that it references the WMI class SMS_APermission, as Peter discussed in his blog post. Also from his post, you’ll remember that CategoryTypeID 29 references a security scope and CategoryTypeID 1 references a collection.
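Because the clone inherits whatever the source user could do, it is worth confirming afterwards that both users hold exactly the same role, scope and collection assignments. The following is an added example, not code from the original post: the function names and the sample RoleID/CategoryID values are hypothetical and constructed, and the only CategoryTypeID meanings it assumes are the two named above (29 and 1).

```powershell
# Added example (not from the original post). Sample data is constructed.
# CategoryTypeID meanings are the two named in the post: 29 and 1.
$CategoryType = @{ 29 = 'SecurityScope'; 1 = 'Collection' }

function ConvertTo-PermissionKey {
    # Flatten each SMS_APermission entry to "RoleID|Type|CategoryID".
    param([object[]]$Permission)
    foreach ($p in $Permission) {
        $id   = [int]$p.CategoryTypeID
        $type = if ($CategoryType.ContainsKey($id)) { $CategoryType[$id] } else { "Type$id" }
        '{0}|{1}|{2}' -f $p.RoleID, $type, $p.CategoryID
    }
}

function Compare-AdminPermission {
    # Report every assignment that exists on only one of the two users.
    param([object[]]$Source, [object[]]$Clone)
    $s = @(ConvertTo-PermissionKey $Source | Sort-Object -Unique)
    $c = @(ConvertTo-PermissionKey $Clone  | Sort-Object -Unique)
    foreach ($k in $s) { if ($k -notin $c) { [pscustomobject]@{ Finding = 'MissingOnClone'; Permission = $k } } }
    foreach ($k in $c) { if ($k -notin $s) { [pscustomobject]@{ Finding = 'ExtraOnClone'; Permission = $k } } }
}

function New-SamplePermission {
    # Hypothetical helper that builds a constructed stand-in for one entry.
    param($RoleID, $CategoryTypeID, $CategoryID)
    [pscustomobject]@{ RoleID = $RoleID; CategoryTypeID = $CategoryTypeID; CategoryID = $CategoryID }
}

# Constructed input. Against a live site, use instead:
#   (Get-CMAdministrativeUser -Name $ExistingUser).Permissions
$source = @(
    New-SamplePermission 'ROLE_A' 29 'SCOPE_1'
    New-SamplePermission 'ROLE_A' 1  'COLL_1'
    New-SamplePermission 'ROLE_B' 1  'COLL_2'
)
$clone = @(
    New-SamplePermission 'ROLE_A' 29 'SCOPE_1'
    New-SamplePermission 'ROLE_A' 1  'COLL_1'
    New-SamplePermission 'ROLE_B' 1  'COLL_9'   # drifted collection
)

$findings = @(Compare-AdminPermission -Source $source -Clone $clone)
$findings | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'Clone matches source.' }
```

An ExtraOnClone row means the new user holds an assignment the source user does not, which is the case to review before handing the account over.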

Learning PowerShell

I realized a while ago that learning PowerShell was becoming more important for my career in the Microsoft Systems Management realm. I thought I would share some of the resources that have helped me on this learning journey.

I first became familiar with Don Jones at the Microsoft Management Summit. I had the opportunity to sit in on a few of his excellent PowerShell sessions. Afterward, I purchased his book, “Learn Windows PowerShell In A Month Of Lunches.” It’s hard to communicate dry technical material, and I thought Don did a good job with this book. I found it helpful. He also has a lot of useful tech and career type advice on his blog.

Microsoft has some great free online courses at The Microsoft Virtual Academy. The two PowerShell courses I took were “Getting Started With PowerShell 3.0 Jump Start,” and “Advanced Tools And Scripting With PowerShell 3.0 Jump Start.” One of the presenters is Jeffrey Snover from Microsoft, who is the inventor of PowerShell! It doesn’t get much better than that. Check them out. They are well worth your time.

I’m fortunate to have a PowerShell-savvy colleague from whom I’ve learned a lot. It’s been invaluable to try out some scripts with his supervision, and dig through some of his for pointers. Learning from your peers is always invaluable. If you can seek out someone in your organization or a user group that can provide some one-on-one assistance, it really helps.

I’ve also recently renewed my subscription to Windows IT Pro magazine, which is now digital only.  They regularly have PowerShell articles.  You can also follow them on Twitter and subscribe to their emails for info.

Lastly, check out PowerShell.org.  Contributors like Don Jones post articles there, and they have a forum that you can go to for help.