Greetings everyone,

Hoping someone has a quick insight: I am getting access denied on a service account using the PowerShell command Remove-CMDevice. The process is as outlined here: https://technet.microsoft.com/en-us/library/jj821759(v=sc.20).aspx

The account has permission to remove devices from SCCM, and this works fine through the GUI but not from the command line. I have been unable to find documentation on what permissions the account needs to do this via the command line; it works fine manually in the GUI.

If anyone can shed light on this it would be wonderful. I do want to keep this service account with as minimal permissions as possible.

Many thanks,

Edit: added an image of the PowerShell output from the SCCM console.

– jaradsc
  • I would like to see the error returned from the PowerShell console. The permission is the RBA permission. As you can use this account to remove from the console, the RBA permission should be OK. Keep in mind, the account is not a 'service account', just a normal admin account. – Bifeng Dong - MSFT Oct 31 '16 at 02:38
  • Hi FrankDong, I have edited the above to add an image of this output. Thanks. Keep in mind this works fine from the GUI, just not PoSh. – jaradsc Nov 01 '16 at 09:30
  • The error message clearly shows that it's permission related: the account running and connecting to PowerShell for the Configuration Manager console needs to have RBA permission on the mentioned device. If it's OK to do it via the Admin console, then there must be something corrupted, and what I suggest is to delete the admin account from the console and then re-add it. Please back up the related security role permissions and re-create them. – Bifeng Dong - MSFT Nov 01 '16 at 09:55

1 Answer

After a lot of testing, I'm here with an answer on the permission part when using the PowerShell console to remove a CM system object. Of course the symptom is the same: the account can delete from the Admin console, however, when using PowerShell, it fails with a permission error message.

The account performing the Remove-CMDevice cmdlet must have the proper RBA permission on the object. Assuming the security scope is the default one, the account connected to the Configuration Manager console must have the RBA permissions below, which in my testing are almost the minimal permissions:

[Screenshot: security role permissions for Collection and Computer Association]

In the screenshot, the Collection part is easy to understand: Read, Delete Resource, etc.

For the Computer Association part, you may get confused: why?

The troubleshooting steps I took:

I opened a PowerShell console connected to Configuration Manager using my test account and ran the command below to see what would happen:

Remove-CMDevice 'Rsuraceccc' -Verbose

I got the error below:

[Screenshot: error output from Remove-CMDevice referencing SMS_StateMigration]

Yes, it's trying to query SMS_StateMigration. Then I tried to run a simple command:

Get-WMIObject -NameSpace root\sms\site_clt -Query 'Select * from SMS_StateMigration'

Once again, I got an error. So I came to the conclusion that the account needs permission on SMS_StateMigration. I added the 'Recover User State' permission of Computer Association to the role and tried again, and cheers, this time all commands ran successfully.

I don't know why it uses SMS_StateMigration, but this is the case here.

  • Thanks FrankDong, with some testing this is now working based on your solution. I had to add the permission 'SITE \ Read' to be able to use the scriptblock sent to the SCCM server, but otherwise this is 100%. Many thanks for your assistance and work on this, have a great day. – jaradsc Nov 02 '16 at 21:25
  • I'm happy it helped you :) – Bifeng Dong - MSFT Nov 03 '16 at 01:34
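The answer and the follow-up comment together name three rights a least-privilege account needs before Remove-CMDevice works (Site \ Read, Collection rights, and Computer Association \ Recover User State). The script below is an added example, not code from the thread, that probes the corresponding SMS Provider WMI classes as the account under test so the missing right can be found without attempting a real removal; the site server name, the device name and the mapping of each right to a query are assumptions (the namespace root\sms\site_clt comes from the thread).

```powershell
# Added example: check whether an account can run the WMI queries that the
# thread shows Remove-CMDevice issuing, before touching any real device.
$SiteServer = 'cm01.example.local'   # assumed; replace with your site server
$SiteCode   = 'CLT'                  # from the thread's namespace root\sms\site_clt
$DeviceName = 'TESTDEVICE01'         # constructed sample device name
# The service account under test (prompts for its password).
$Credential = Get-Credential -Message 'Account to test against the SMS Provider'

$Namespace = "root\sms\site_$SiteCode"

# Each probe maps an RBA right named in the thread to a class that right is
# assumed to gate. SMS_Site/SMS_R_System as the test classes is my assumption;
# SMS_StateMigration is the class the answer identified.
$Probes = @(
    @{ Right = 'Site \ Read'
       Query = 'SELECT SiteCode FROM SMS_Site' },
    @{ Right = 'Collection \ Read'
       Query = "SELECT ResourceId FROM SMS_R_System WHERE Name = '$DeviceName'" },
    @{ Right = 'Computer Association \ Recover User State'
       Query = 'SELECT * FROM SMS_StateMigration' }
)

function Test-CMRemoveDevicePrereq {
    foreach ($p in $Probes) {
        $wmiParams = @{
            Namespace    = $Namespace
            Query        = $p.Query
            ComputerName = $SiteServer
            Credential   = $Credential
            ErrorAction  = 'Stop'
        }
        try {
            $rows = @(Get-WmiObject @wmiParams)
            # An empty result set can mean the object is outside the account's
            # security scope rather than a missing right, so report the count.
            [pscustomobject]@{ Right = $p.Right; Result = 'OK'; Rows = $rows.Count; Detail = '' }
        } catch {
            # Access denied here is the same failure Remove-CMDevice -Verbose surfaced.
            [pscustomobject]@{ Right = $p.Right; Result = 'FAILED'; Rows = 0; Detail = $_.Exception.Message }
        }
    }
}

Test-CMRemoveDevicePrereq | Format-Table -AutoSize
```

Run it as an administrator on a machine that can reach the SMS Provider; any row marked FAILED is the security role right to add to the account before retrying Remove-CMDevice.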