“Role-ing” with Role-Based Administration (RBA)

Role-Based Administration (RBA) is a great feature in Configuration Manager 2012 and above. What's the whole purpose of RBA? Simple: delegated administration. RBA lets administrators delegate specific roles, scoped to specific objects or collections, to other administrators.

I will use the Remote Tools client setting and Remote Tools Operator role as a demonstration.

First, I need to create a user, or preferably a group, in Active Directory. This user or group needs to be added to the local Administrators group of the targeted system(s), either manually or through a GPO, because the Remote Tools viewer runs with local administrator rights on the client.

Once that is done, in the Configuration Manager console, I need to create a standalone client setting for Remote Tools.

[Screenshot: Create Custom Client Device Settings]

To do this, in the Administration workspace, in the Client Settings node, open Create Custom Client Device Settings from the ribbon.

[Screenshot: Custom Device Settings]

Give the settings a name and check off Remote Tools. Click OK.

[Screenshot: Remote Settings]

Open the newly created settings. Select Remote Tools. On the Remote Tools page, click Configure…

[Screenshot: Remote Control]

Click Enable Remote Control on client computers and then choose your firewall exception profile. In this example I chose Domain. Select OK.

[Screenshot: Set Viewers]

Next, click Set Viewers…

[Screenshot: Configure Client Setting]

Now, click on the star (New) button.

[Screenshot: New Permitted Viewer]

Select Browse…

[Screenshot: Select User dialog]

Enter the user or group you are using for the viewers. I am using the CTO Remote Group. Click OK.

[Screenshot: New Permitted Viewer, OK]

Next, click OK.

[Screenshot: Configure Client Setting, OK]

Again, click OK.

Now any member of the CTO Remote Group AD group, in my case, is a permitted viewer and can perform remote tasks such as Remote Assistance or Remote Control of another user's system, once these client settings are deployed to the target collection.

Now let’s restrict this group from interacting with anything else other than performing remote tasks. In this case, I have to configure the administrative users.

RBA is controlled from the Security Roles and Security Scopes nodes. See the screenshot below. This is found in the Administration workspace under the Security node. Right-click Administrative Users and select Add User or Group.

[Screenshot: Administrative Users, Add User or Group]

Once again, I use the CTO Remote Group in this example. I assign them the Remote Tools Operator role, but this time I set the scope to "Only the instances of objects that are assigned to the specified security scopes or collections." I then add the CTO collection, which only contains workstations.

[Screenshot: Add User or Group]

RBA now takes effect when a user that is part of the CTO Remote Group logs into the Configuration Manager console. The user is restricted to performing remote actions only on members of the assigned collection. They are not allowed to perform any other actions outside their security role and scope, and the console hides the nodes and objects they have no rights to.
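As an added example that is not part of the original post, here is the same configuration scripted with the Configuration Manager PowerShell module that ships with the console, including a final check of what the group ended up with. The site code PS1 and the CONTOSO domain prefix are assumptions; the group and collection names are the ones used above. The cmdlet and parameter names are those of Set-CMClientSettingRemoteTool, Start-CMClientSettingDeployment and New-CMAdministrativeUser as I know them, so confirm them with Get-Help on your module version before running.

```powershell
# Added example (not the original post's code): scripts the console steps above.
# Assumptions: site code PS1, domain CONTOSO, console installed on this machine.
$SiteCode    = 'PS1'                        # assumed site code
$Viewers     = 'CONTOSO\CTO Remote Group'   # group from the post, domain prefix assumed
$Collection  = 'CTO'                        # workstation-only collection from the post
$SettingName = 'Remote Tools - CTO'         # name chosen for this example

# Load the module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):\"

# 1. Custom client device settings that carry only the Remote Tools group.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}

# 2. Enable Remote Control with the Domain firewall exception profile and
#    make the AD group the permitted viewer list.
Set-CMClientSettingRemoteTool -Name $SettingName `
    -FirewallExceptionProfile Domain `
    -PermittedViewer $Viewers

#    Deploy the settings so the viewer list actually reaches the workstations.
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $Collection

# 3. Administrative user: Remote Tools Operator role, limited to the CTO
#    collection (the "only the instances of objects..." option in the console).
if (-not (Get-CMAdministrativeUser -Name $Viewers)) {
    New-CMAdministrativeUser -Name $Viewers `
        -RoleName 'Remote Tools Operator' `
        -CollectionName $Collection | Out-Null
}

# Check: the group should hold exactly one role and exactly one collection.
# Anything extra here widens what the group can do in the console.
Get-CMAdministrativeUser -Name $Viewers |
    Select-Object LogonName, RoleNames, CollectionNames, CategoryNames
```

Run the script from an account that already holds the Full Administrator role. The last command is the part worth keeping around: rerunning it periodically (or comparing its output against a known-good copy) catches a delegated group that has quietly picked up an additional role or a broader collection since it was set up.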
