In this post we will take a look at the minimum permissions required to push SCCM client agent. Few days ago, I got an email asking about the minimum permissions that are required to allow an user to push the Configuration Manager client agent. We know that there are different methods to install or deploy the System Center 2012 Configuration Manager client software on devices in an enterprise. There is a separate post that I wrote on Configuration Manager 2012 R2 Client Installation methods. I assume that you have configured the network access account. The account that you use as network access account must have the permissions to install the client software, in other words the user account should have the local admin rights on the machine.
Before we move ahead, let me tell you what are we going to do here. A user named Jason is a part of Remote Tools Operator security role. He currently has permissions to remote control, remote assistance and remote desktop. Now this user needs the permissions push the client agent to computers. We will use RBAViewer tool (a part of Configuration Manager toolkit) and analyze the permissions by selecting the security role. Instead of modifying the existing security role (as this is a built-in role), we will use Remote Tools Operator security role as a template for our custom role for Client Push. If you want to know about the permissions set for each security role and wish to customize them, RBAViewer tool is a good choice. Note that permissions will be delegated using Role-Based Administration.
Info – Remote Tools Operator group grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users associated with this role can run Remote Control, Remote Assistance, and Remote Desktop from the ConfigMgr console. In addition, they can run the out of band management console and AMT power control options.
Minimum Permissions required to push SCCM client agent
The below screenshot shows that user Jason is part of Remote Tools Operator security role.
In the below screenshot, I am accessing the ConfigMgr console using the user Jason’s account. If you notice there is no option to install client agent.
We will make use of a tool called RBAViewer that is installed when you install the configuration manager toolkit. After you install the toolkit, locate the RBAViewer tool, right click on the RBAViewer tool and click Open.
In the RBAViewer window, click on Security Roles and select Remote Tools Operator. At the bottom, click on Analyze.
When you click on Analyze, expand the Collection and you notice that Remote Tools Operator role has the following permissions setup by default:
Collection
Read
Remote Control
Resource
Control AMT
To check if this role has permissions to install the client, click the AdminConsole tab, click on Devices, in the middle pane click on any device. In the Query Actions click on Device. In the right pane you see that Install Client option is greyed out. This means a user who is a part of Remote Tool Operators role does not have permissions to install client agent.
In the next step we choose Modify Resource and click on Analyze.
Now we see that Install Client option is available in the RBAViewer. This is cool.
Now that we know that Modify Resource permission will allow user to do a client push, right click on the Remote Tools Operator security role and click Copy. Provide a name to this custom security role. Ensure Modify Resource is set to Yes. Click OK.
Now I will add user Jason to this new security role. Click OK.
On the machine where user is logged in, launch the ConfigMgr console, right click on any device and the Install Client option should be available for user.
This is a wonderful article. I followed it and was able to give helpdesk guy access to push the client but when he tries to push he is unable to see anything in the dropdown site under the option : install the client software from a specified site. Do i need to give him some more permissions.
Hello, This tip is really very useful… I have a question : I would like to have ‘Install client’ but not ‘Block’ because this is attached to ‘Modify resource’ as well. Is it possible ? I am afraid that a few users block the client communication… Thank for your reply.
Regarding this part of the article: “The account that you use as network access account must have the permissions to install the client software, in other words the user account should have the local admin rights on the machine.”
See the following from Technet:
“The Network Access Account is never used as the security context to run programs, install software updates, or run task sequences; only for accessing resources on the network.”
https://technet.microsoft.com/en-us/library/hh427337.aspx
rushaoz November 17, 2016 at 1:19 am
I can’t right click on the remote security tools operator and copy it. Either that or I’m not right clicking in the right place?
You need to open SCCM and go to “Admin -> Security -> Security Roles. The instructions got confusing at that point but that worked for me
Hi Prajwal. Regards from Spain. Do you thing that It’s normal that the options to install the client or to connect by RDP from a query result will be grayed out? Which could be the reason for that?
Thanks.
I can’t right click on the remote security tools operator and copy it. Either that or I’m not right clicking in the right place?