Modifying security roles, scopes, collections on multiple administrative users in CM - possible with scripts?
I need to do the following on more than 270 administrative user accounts, and am looking for a scripted way to do this. I've used Copilot and created a starter script, but it appears that there are some limitations as to what the SCCM PS modules/functions are able to do with regards to RBAC changes. Copilot also told me to just multi-select a bunch of user accounts in CM, right-click, click Properties... if only this worked, lol. Here are the steps in a nutshell:
Add two new roles, remove one old
Role 1 - associate with Scope 1 - and collection 1
Role 2 - associate with Default scope - no collection
The script I have associates both roles to both scopes, and Copilot said that's the way it goes; there's apparently no way to selectively bind a role to a scope using the PS functions.
I suppose I could just add those scopes/roles (and collections...), remove the old role, and run that against a .csv with a list of admin users and their respective collections, but then I'd still have to touch each account to fix the extra bindings.
Any thoughts/ideas on how to properly automate this, or am I SOL?
Thanks!
PS Code
# ===========================================
# SCCM RBAC Assignment (Microsoft Supported)
# ===========================================
$SiteCode = "DEA"
$ProviderMachineName = "cmserver1"
$Users = @(
    "CORPLEAR\Site Admins"
)
# Role -> Scope mapping
$RoleScopeMap = @(
    @{
        Role  = "Local Site Admin 2"
        Scope = "SiteITScripts"
    },
    @{
        Role  = "Read-only Analyst"
        Scope = "Default"
    }
)
# Import SCCM module
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
# Connect to the site
Set-Location "$SiteCode`:"
foreach ($User in $Users) {
    Write-Host "`nProcessing $User" -ForegroundColor Cyan
    # Ensure administrative user exists
    if (-not (Get-CMAdministrativeUser -Name $User -ErrorAction SilentlyContinue)) {
        Write-Host "Creating administrative user $User" -ForegroundColor Yellow
        New-CMAdministrativeUser -Name $User | Out-Null
    }
    foreach ($Entry in $RoleScopeMap) {
        $RoleName  = $Entry.Role
        $ScopeName = $Entry.Scope
        # Validate role exists
        if (-not (Get-CMSecurityRole -Name $RoleName -ErrorAction SilentlyContinue)) {
            Write-Warning "Security role '$RoleName' not found. Skipping."
            continue
        }
        # Validate scope exists
        if (-not (Get-CMSecurityScope -Name $ScopeName -ErrorAction SilentlyContinue)) {
            Write-Warning "Security scope '$ScopeName' not found. Skipping."
            continue
        }
        # Assign role (added to the user independently of the scope below)
        Add-CMSecurityRoleToAdministrativeUser `
            -AdministrativeUserName $User `
            -RoleName $RoleName `
            -ErrorAction SilentlyContinue
        # Assign scope (added to the user, not paired with the role above)
        Add-CMSecurityScopeToAdministrativeUser `
            -AdministrativeUserName $User `
            -SecurityScopeName $ScopeName `
            -ErrorAction SilentlyContinue
        # Note: -ErrorAction SilentlyContinue hides failures, so this line prints even if an Add- call failed
        Write-Host "Assigned '$RoleName' + '$ScopeName'" -ForegroundColor Green
    }
}
Write-Host "`nRBAC assignments complete." -ForegroundColor Green
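The role-to-scope pairs listed in the steps above cannot be expressed with the Add-CM*ToAdministrativeUser cmdlets, which bind roles and scopes to a user independently. The following is an added example, not code from the original post, that writes each user's binding list directly through the SMS Provider's SMS_Admin class instead. It assumes that SMS_Admin.Permissions is an array of SMS_APermission entries (RoleID, CategoryID, CategoryTypeID with 1 = collection and 29 = security scope), that the CSV has User and CollectionID columns, and that the old role name is a placeholder to be filled in; site, server, role and scope names are taken from the post.

```powershell
# Added example: set role -> scope/collection bindings per admin user via the
# SMS Provider (SMS_Admin.Permissions = SMS_APermission[]; CategoryTypeID
# 1 = collection, 29 = security scope). Dry run unless -Apply is given.
param(
    [string]$SiteCode = "DEA",
    [string]$Provider = "cmserver1",
    [string]$Csv      = ".\admins.csv",        # columns: User,CollectionID
    [string]$OldRole  = "OLD-ROLE-NAME",       # placeholder: role to remove
    [string]$Role1    = "Local Site Admin 2",
    [string]$Scope1   = "SiteITScripts",
    [string]$Role2    = "Read-only Analyst",
    [string]$Scope2   = "Default",
    [switch]$Apply
)
$ns = "root\SMS\site_$SiteCode"
# Resolve a role or scope name to the ID the provider stores in Permissions.
function Get-RbacId([string]$Class, [string]$NameProp, [string]$IdProp, [string]$Name) {
    $o = Get-WmiObject -Namespace $ns -ComputerName $Provider -Class $Class `
                       -Filter "$NameProp='$Name'"
    if (-not $o) { throw "$Class '$Name' not found" }
    $o.$IdProp
}
# Build one binding entry (role + scope, or role + collection).
function New-Binding([string]$RoleId, [string]$CategoryId, [int]$CategoryType) {
    $p = ([WmiClass]"\\$Provider\$ns`:SMS_APermission").CreateInstance()
    $p.RoleID = $RoleId; $p.CategoryID = $CategoryId; $p.CategoryTypeID = $CategoryType
    $p
}
$oldId = Get-RbacId SMS_Role RoleName RoleID $OldRole
$r1 = Get-RbacId SMS_Role RoleName RoleID $Role1
$r2 = Get-RbacId SMS_Role RoleName RoleID $Role2
$s1 = Get-RbacId SMS_SecuredCategory CategoryName CategoryID $Scope1
$s2 = Get-RbacId SMS_SecuredCategory CategoryName CategoryID $Scope2
foreach ($row in Import-Csv $Csv) {
    $logon = $row.User.Replace('\', '\\')      # WQL needs the backslash escaped
    $admin = Get-WmiObject -Namespace $ns -ComputerName $Provider -Class SMS_Admin `
                           -Filter "LogonName='$logon'"
    if (-not $admin) { Write-Warning "Admin user '$($row.User)' not found"; continue }
    $admin.Get()                                # load lazy properties (Permissions)
    # Keep every existing binding except the old role's, then add the new pairs.
    $keep = @($admin.Permissions | Where-Object { $_.RoleID -ne $oldId })
    $desired = $keep + @(
        (New-Binding $r1 $s1 29), (New-Binding $r1 $row.CollectionID 1),
        (New-Binding $r2 $s2 29)
    )
    Write-Host "$($row.User): $($keep.Count) kept, $($desired.Count - $keep.Count) added"
    if ($Apply) { $admin.Permissions = $desired; [void]$admin.Put() }
}
```

Run it once without -Apply and compare the kept/added counts against a few accounts in the console before writing anything; the Permissions write replaces the whole binding list for that user.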