Recently at work I found myself in the following situation: We have quite a few SCCM administrative users based on AD groups that we needed to copy/clone. Each of the administrative users has a number of custom roles that are restricted to specific collections and security scopes. Doing it manually would be time-consuming and less than optimal. So I set about to see if someone in the community had a tool or a script.
After my initial inquiries came up short, I started taking a good look at the SCCM PowerShell cmdlets, specifically two: Get-CMAdministrativeUser and New-CMAdministrativeUser.
I started by focusing on the following properties: RoleNames, CategoryNames, and CollectionNames. In our test environment, I pulled them with Get-CMAdministrativeUser, assigned them to variables, and tried creating my new user with them. It seemed to work decently enough, until I tried it on a more complex administrative user where each of the security roles is restricted to specific collections and scopes (the 3rd radio button). It didn’t work properly in this scenario, so I decided to look elsewhere.
Further research led me to the following helpful blog post by Peter van der Woude: https://www.petervanderwoude.nl/post/verify-the-role-based-administration-model-via-powershell/ Go ahead and read his post. I’ll wait…
OK, I had noticed the Permissions property before, but it seemed too easy so I hadn’t started there! Peter does a great job breaking down the WMI underpinnings and explaining the Permissions property. I decided to try getting the Permissions property with Get-CMAdministrativeUser and passing it to New-CMAdministrativeUser. And that did the trick! Really simple.
You can use Peter’s WMI method from his post above to do all kinds of cool things without the ConfigMgr PowerShell module. I was already most of the way there with my basic little script utilizing the module, so I stuck with the cmdlets. If you have the ConfigMgr module already loaded and your site drive already mapped, etc. (as when you launch ISE from your SCCM console), then this is what worked for me. You just need to specify your new user and the existing user that you’d like to copy:
# The account to create and the account whose permissions it should receive
$NewUser = "DOMAIN\New User"
$ExistingUser = "DOMAIN\Existing User"
# Read the existing administrative user and keep its SMS_APermission entries
$ExistingUserProperties = Get-CMAdministrativeUser -Name $ExistingUser
$Permissions = $ExistingUserProperties.Permissions
# Create the new administrative user with exactly the same role/scope/collection permissions
New-CMAdministrativeUser -Name $NewUser -Permission $Permissions
If you’re curious and care to display what the Permissions property returns, you’ll notice a number of entries like this (I sanitized the example below to remove all of our organization- and site-specific details.)
PS <SITE CODE>:\> $Permissions

SmsProviderObjectPath : SMS_APermission
CategoryID : <CATEGORYID>
CategoryName : <CATEGORYNAME>
CategoryTypeID : 29
RoleID : <ROLEID>
RoleName : <ROLENAME>

SmsProviderObjectPath : SMS_APermission
CategoryID : <CATEGORYID>
CategoryName : <CATEGORYNAME.. Like Limiting Collection>
CategoryTypeID : 1
RoleID : <ROLEID>
RoleName : <ROLENAME>
You’ll notice that it references the WMI class SMS_APermission, like Peter discussed in his blog post. Also from his post, you’ll remember that CategoryTypeID 29 references a security scope and CategoryTypeID 1 references a collection.
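Because the clone receives exactly the privileges of the source account, it is worth seeing what is about to be granted and confirming the result afterwards. The following is an added example, not code from the original post; it assumes the ConfigMgr module is loaded and the site drive is the current location, as in the post, and the two function names are this example’s own.

```powershell
# Added example: review an administrative user's SMS_APermission entries (with the
# CategoryTypeID decoded as in the post: 29 = security scope, 1 = collection),
# then clone them and verify that the new user carries the same entries.
# Assumes the ConfigMgr module is loaded and the site drive is the current location.
$CategoryTypeNames = @{ 29 = 'SecurityScope'; 1 = 'Collection' }

function Get-CMAdminUserPermissionSummary {
    # Hypothetical helper: one row per permission entry, sorted for review
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-CMAdministrativeUser -Name $Name
    if (-not $user) { throw "Administrative user '$Name' not found." }
    $user.Permissions | ForEach-Object {
        $typeId   = [int]$_.CategoryTypeID
        $typeName = if ($CategoryTypeNames.ContainsKey($typeId)) { $CategoryTypeNames[$typeId] } else { "Type$typeId" }
        [pscustomobject]@{
            RoleName     = $_.RoleName
            CategoryType = $typeName
            CategoryName = $_.CategoryName
            RoleID       = $_.RoleID
            CategoryID   = $_.CategoryID
        }
    } | Sort-Object RoleName, CategoryType, CategoryName
}

function Copy-CMAdminUserPermissions {
    # Hypothetical helper: show the grants, ask for confirmation, create, then compare
    param([Parameter(Mandatory)][string]$ExistingUser,
          [Parameter(Mandatory)][string]$NewUser)
    $source = @(Get-CMAdminUserPermissionSummary -Name $ExistingUser)
    Write-Host "Permissions that will be granted to $NewUser (copied from $ExistingUser):"
    $source | Format-Table RoleName, CategoryType, CategoryName -AutoSize | Out-String | Write-Host
    if ((Read-Host 'Type YES to create the user with these permissions') -ne 'YES') { return }

    $perms = (Get-CMAdministrativeUser -Name $ExistingUser).Permissions
    New-CMAdministrativeUser -Name $NewUser -Permission $perms | Out-Null

    # Verify: same (RoleID, CategoryID, CategoryType) tuples on both accounts
    $target = @(Get-CMAdminUserPermissionSummary -Name $NewUser)
    $key  = { "$($_.RoleID)|$($_.CategoryID)|$($_.CategoryType)" }
    $diff = Compare-Object @($source | ForEach-Object $key) @($target | ForEach-Object $key)
    if ($diff) {
        Write-Warning "Permission mismatch after clone:"
        $diff | Format-Table -AutoSize | Out-String | Write-Warning
    } else {
        Write-Host "Verified: $NewUser has the same $($target.Count) permission entries as $ExistingUser."
    }
}

# Usage, with the same placeholder names as the post:
# Copy-CMAdminUserPermissions -ExistingUser 'DOMAIN\Existing User' -NewUser 'DOMAIN\New User'
```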