In my session “RBA Role Based Administration different Scenarios” at the Config Manager Community Day in Switzerland I showed a script to generate some stuff for the RBA.
Here is the link to the session slides: http://static.news.digicomp.ch/1403082751/rba-role-based-administration-verschiedene-szenarien_mirko-colemberg.pdf
The script contains just some examples to use:
- Load the CM module
- Create device collection folder
- Create device collections
- Create user collection folders
- Create user collections
- Create application folders
- Create package folders
- Create security scopes
- The cmdlets for merging scopes, collections and user groups are not working for user groups from AD; at this time they only work for users:
Add-CMSecurityRoleToAdministrativeUser
Add-CMSecurityScopeToAdministrativeUser
For the Role.xml file exported from the RBA Viewer you can use the Import-CMSecurityRole cmdlet.
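How these three cmdlets fit together for one administrative user, as an added example that is not part of the original script: it attaches a role and one of the script's security scopes, then checks that the user did not keep broader rights than intended. The account `ADATUM\DevAdmin`, the role name `Developer Role CMCE` and the path `C:\Temp\Role.xml` are hypothetical; `RoleNames`, `CategoryNames` and `CollectionNames` are the `SMS_Admin` properties returned by `Get-CMAdministrativeUser`.

```powershell
# Added example, not part of RBA_Basic_folder.ps1.
# Assumes the ConfigurationManager module is loaded and the current
# location is the site drive (for example S01:\).
$AdminUser = 'ADATUM\DevAdmin'      # hypothetical user account (not an AD group)
$RoleName  = 'Developer Role CMCE'  # hypothetical role name stored in Role.xml
$RoleXml   = 'C:\Temp\Role.xml'     # hypothetical path of the RBA Viewer export
$ScopeName = 'Developer CMCE'       # security scope created by the script

# Import the custom role once; do not overwrite a role that already exists.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Import-CMSecurityRole -XmlFileName $RoleXml -Overwrite $false
}

# The Add-* cmdlets change an existing administrative user.
$admin = Get-CMAdministrativeUser -Name $AdminUser
if (-not $admin) {
    throw "$AdminUser is not an administrative user in this site."
}

if ($admin.RoleNames -notcontains $RoleName) {
    Add-CMSecurityRoleToAdministrativeUser -AdministrativeUserName $AdminUser -RoleName $RoleName
}
if ($admin.CategoryNames -notcontains $ScopeName) {
    Add-CMSecurityScopeToAdministrativeUser -AdministrativeUserName $AdminUser -SecurityScopeName $ScopeName
}

# Re-read the user and flag anything wider than the intended delegation.
$admin    = Get-CMAdministrativeUser -Name $AdminUser
$findings = @()
if ($admin.CategoryNames -contains 'All') {
    $findings += "still has the built-in 'All' security scope"
}
if ($admin.RoleNames -contains 'Full Administrator') {
    $findings += "still has the 'Full Administrator' role"
}
foreach ($c in 'All Systems', 'All Users and User Groups') {
    if ($admin.CollectionNames -contains $c) {
        $findings += "is not limited below the '$c' collection"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning "$AdminUser $_" }
} else {
    Write-Output "$AdminUser is limited to role '$RoleName' and scope '$ScopeName'."
}
```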
```powershell
<#
.SYNOPSIS
    Creates CM12 folder, collection and scope structure for a test lab
.DESCRIPTION
    This script creates CM12 collection folders with collections,
    and folders in Applications and Packages,
    all for Developer, QA and Production.
    There are some manual steps required to finish a lab.
.NOTES
    File Name : RBA_Basic_folder.ps1
    Author    : Mirko Colemberg - mirko@colemberg.ch
    Requires  : PowerShell V2 CM12 CMD-lets
.LINK
#>

#Set Sitecode for this Script
$SiteCode = "S01"

Install-WindowsFeature RSAT-ADDS

#Load the CM12 Module
C:
cd \
cd '.\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin'
Import-Module .\ConfigurationManager.psd1
# Replaces the value set above with the site drive registered by the module
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

#Set Variables
$DDeveloper = "Developer Devices CMCE"
$UDeveloper = "Developer Users CMCE"
$DQA = "QA Devices CMCE"
$UQA = "QA Users CMCE"
$DProduction = "Production Devices CMCE"
$UProduction = "Production Users CMCE"
$DomainOUPath1 = "ADATUM\"

#Create Device Collection Folder
cd\
Set-Location .\DeviceCollection
New-Item "SWD CMCE"
cd '.\SWD CMCE'
New-Item "Developer CMCE"
New-Item "QA CMCE"
New-Item "Production CMCE"

#Create Device Collections
$NewDDeveloper = New-CMDeviceCollection -Name "$DDeveloper" -LimitingCollectionName "All Systems";
#CollectionType = 2; RefreshType = 4
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $DDeveloper -RuleName $DDeveloper -QueryExpression ('select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Location = "' + $DDeveloper + '"')

$NewDQA = New-CMDeviceCollection -Name "$DQA" -LimitingCollectionName "All Systems";
#CollectionType = 2; RefreshType = 4
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $DQA -RuleName $DQA -QueryExpression ('select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Location = "' + $DQA + '"')

$NewDProduction = New-CMDeviceCollection -Name "$DProduction" -LimitingCollectionName "All Systems";
#CollectionType = 2; RefreshType = 4
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $DProduction -RuleName $DProduction -QueryExpression ('select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Location = "' + $DProduction + '"')

#Move Device Collections
cd\
Move-CMObject -FolderPath ".\DeviceCollection\SWD CMCE\Developer CMCE" -InputObject $NewDDeveloper
cd\
Move-CMObject -FolderPath ".\DeviceCollection\SWD CMCE\QA CMCE" -InputObject $NewDQA
cd\
Move-CMObject -FolderPath ".\DeviceCollection\SWD CMCE\Production CMCE" -InputObject $NewDProduction

#Create User Collection Folders
cd\
Set-Location .\UserCollection
New-Item "SWD CMCE"
cd '.\SWD CMCE'
New-Item "Developer CMCE"
New-Item "QA CMCE"
New-Item "Production CMCE"

#Create User Collections
$NewUDeveloper = New-CMUserCollection -Name "$UDeveloper" -LimitingCollectionName "All Users";
Add-CMUserCollectionQueryMembershipRule -CollectionName $UDeveloper -RuleName $UDeveloper -QueryExpression ('select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "ADATUM\\Developer Users"')

$NewUQA = New-CMUserCollection -Name "$UQA" -LimitingCollectionName "All Users";
Add-CMUserCollectionQueryMembershipRule -CollectionName $UQA -RuleName $UQA -QueryExpression ('select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "ADATUM\\QA Users"')

$NewUProduction = New-CMUserCollection -Name "$UProduction" -LimitingCollectionName "All Users";
Add-CMUserCollectionQueryMembershipRule -CollectionName $UProduction -RuleName $UProduction -QueryExpression ('select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "ADATUM\\Production Users"')

#Move User Collections
cd\
Move-CMObject -FolderPath ".\UserCollection\SWD CMCE\Developer CMCE" -InputObject $NewUDeveloper
cd\
Move-CMObject -FolderPath ".\UserCollection\SWD CMCE\QA CMCE" -InputObject $NewUQA
cd\
Move-CMObject -FolderPath ".\UserCollection\SWD CMCE\Production CMCE" -InputObject $NewUProduction

#Create Application Folders
cd\
Set-Location .\Application
New-Item "Developer CMCE"
New-Item "QA CMCE"
New-Item "Production CMCE"

#Create Package Folders
cd\
Set-Location .\Package
New-Item "Developer CMCE"
New-Item "QA CMCE"
New-Item "Production CMCE"

#Create Security Scopes
New-CMSecurityScope -Name "Developer CMCE"
New-CMSecurityScope -Name "QA CMCE"
New-CMSecurityScope -Name "Production CMCE"
```
The script is “as is”; test it first in your lab before you use it in production!

Hope it helps

Mirko