Moving collection objects

Hello again.

There are two WMI methods in the SMS Provider for managing the members of a collection (callable from a script or PowerShell):
AddMembershipRule
DeleteMembershipRule

They are typically used in scripts to automate adding machines to collections, usually during operating system installation as part of a task sequence.

But in a secured ConfigMgr environment, running such a script can produce events like the following in the SMS Provider log (the SMS Provider controls access to objects in the database):

ExecMethodAsync : SMS_Collection.CollectionID="SIT00001"::AddMembershipRule SMS Provider date 2:57:12 PM 18128 (0x46D0)
Requested class =SMS_Collection SMS Provider date 2:57:12 PM 18128 (0x46D0)
Requested num keys =1 SMS Provider date 2:57:12 PM 18128 (0x46D0)
CExtProviderClassObject::DoExecuteMethod AddMembershipRule SMS Provider date 2:57:12 PM 18128 (0x46D0)
*~*~E:\cm1610_rtm\sms\siteserver\sdk_provider\smsprov\sspcollection.cpp(945) : Unable to update collection. Insufficent rights.~*~* SMS Provider date 2:57:14 PM 18128 (0x46D0)
*~*~Unable to update collection. Insufficent rights. ~*~* SMS Provider date 2:57:14 PM 18128 (0x46D0)

This error can occur even when the user has permissions on both collections involved, source and destination.

Why this situation?

As documented at https://social.technet.microsoft.com/Forums/en-US/5dae90b9-c44a-4257-b8f3-0e6e7dd93405/unable-to-update-collection-insufficent-rights?forum=configmanagergeneral, apart from permissions on these two collections, the user must also have permissions on the limiting collection of the destination collection.
It seems that the object is temporarily hosted in that limiting collection, which is what generates this access denied in the logs.

This can be managed from the console in Administration/Overview/Security/Administrative Users: in the properties of the user, select Security Scopes and explicitly add the limiting collection to the desired security role.
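To find out which limiting collection needs to be added for a given account, the following added example (not part of the original post) walks up the destination collection's limiting chain and compares it with the collections assigned to the account. The provider host and account name are hypothetical placeholders, and the script assumes that an assignment to a collection higher in the limiting chain also covers the collections limited to it.

```powershell
# Added example. Run in Windows PowerShell as a Full Administrator.
# Assumed placeholders (not from the post): provider host and account name.
$Provider   = 'cm01.example.test'   # hypothetical SMS Provider host
$SiteCode   = 'SIT'                 # assumed from the collection ID prefix in the log
$DestCollId = 'SIT00001'            # destination collection from the log
$Account    = 'EXAMPLE\svc-osd'     # hypothetical account that runs the script
$wmi = @{ ComputerName = $Provider; Namespace = "root\sms\site_$SiteCode"; ErrorAction = 'Stop' }

function Get-Collection([string]$Id) {
    Get-WmiObject @wmi -Class SMS_Collection -Filter "CollectionID='$Id'"
}

# Walk from the destination collection up through its limiting collections.
$dest = Get-Collection $DestCollId
if (-not $dest) { throw "Collection $DestCollId not found." }
$chain = @()
$id = $dest.LimitToCollectionID
while ($id -and ($chain.CollectionID -notcontains $id)) {
    $c = Get-Collection $id
    if (-not $c) { break }
    $chain += $c
    $id = $c.LimitToCollectionID    # empty for a root collection, which ends the loop
}
if (-not $chain) { throw "$DestCollId has no limiting collection." }

# Collections assigned to the account under Administrative Users.
# Only a direct entry is checked; rights granted through a group are not resolved.
$logon = $Account.Replace('\', '\\')    # WQL requires escaped backslashes
$admin = Get-WmiObject @wmi -Class SMS_Admin -Filter "LogonName='$logon'"
if (-not $admin) { throw "$Account is not listed as an administrative user." }
$assigned = @($admin.CollectionNames)   # names, so the comparison below is by name

$limit   = $chain[0]
$covered = @($chain | Where-Object { $assigned -contains $_.Name })

"Destination : $($dest.Name) [$DestCollId]"
"Limited by  : $($limit.Name) [$($limit.CollectionID)]"
"Assigned    : $($assigned -join ', ')"
if ($covered.Count -gt 0) {
    "OK: assignment to '$($covered[0].Name)' covers the limiting collection."
} else {
    Write-Warning ("$Account has no assignment covering '$($limit.Name)'; " +
        "AddMembershipRule on $DestCollId is likely to fail with 'Insufficent rights'.")
}
```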

I hope this helps you.
