In this post we will take a look at the minimum permissions required to push the SCCM client agent. A few days ago, I got an email asking about the minimum permissions that are required to allow a user to push the Configuration Manager client agent. We know that there are different methods to install or deploy the System Center 2012 Configuration Manager client software on devices in an enterprise. There is a separate post that I wrote on Configuration Manager 2012 R2 Client Installation methods. I assume that you have configured the network access account. The account that you use as the network access account must have permission to install the client software; in other words, the user account should have local admin rights on the machine.
Before we move ahead, let me tell you what we are going to do here. A user named Jason is a member of the Remote Tools Operator security role. He currently has permissions for remote control, remote assistance and remote desktop. Now this user needs permission to push the client agent to computers. We will use the RBAViewer tool (a part of the Configuration Manager toolkit) and analyze the permissions by selecting the security role. Instead of modifying the existing security role (as this is a built-in role), we will use the Remote Tools Operator security role as a template for our custom role for Client Push. If you want to know about the permissions set for each security role and wish to customize them, the RBAViewer tool is a good choice. Note that permissions will be delegated using Role-Based Administration.
Info – Remote Tools Operator group grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users associated with this role can run Remote Control, Remote Assistance, and Remote Desktop from the ConfigMgr console. In addition, they can run the out of band management console and AMT power control options.
Minimum Permissions required to push SCCM client agent
The screenshot below shows that user Jason is a member of the Remote Tools Operator security role.
In the screenshot below, I am accessing the ConfigMgr console using the user Jason’s account. Notice that there is no option to install the client agent.
We will make use of a tool called RBAViewer that is installed when you install the Configuration Manager toolkit. After you install the toolkit, locate the RBAViewer tool, right-click it and click Open.
In the RBAViewer window, click on Security Roles and select Remote Tools Operator. At the bottom, click on Analyze.
After you click on Analyze, expand Collection and you will notice that the Remote Tools Operator role has the following permissions set up by default:
To check if this role has permission to install the client, click the AdminConsole tab, click on Devices, and in the middle pane click on any device. In the Query Actions, click on Device. In the right pane you will see that the Install Client option is greyed out. This means a user who is a member of the Remote Tools Operator role does not have permission to install the client agent.
Now we see that the Install Client option is available in RBAViewer. This is cool.
Now that we know that the Modify Resource permission will allow a user to do a client push, right-click on the Remote Tools Operator security role and click Copy. Provide a name for this custom security role. Ensure Modify Resource is set to Yes. Click OK.
Now I will add user Jason to this new security role. Click OK.
On the machine where the user is logged in, launch the ConfigMgr console and right-click on any device; the Install Client option should now be available for the user.