Hi guys We have SCCM in our environment and it is used for all desktop deployments....no servers is deployed with SCCM. Can SCCM be configured in a way that if i'm asked to deploy servers that the people who deploy desktops cannot see, change or configure anything whatsoever that is related to what i do in deploying servers. In other words i want to use SCCM and deploy servers in our org. The other people who use SCCM to deploy desktops must not be able to do/view/change anything which is part of the Server side of things Is this possible with SCCM? Thanks for the help PS: Think we are using 2007

Yes it's possible by adding permissions to the servers and workstations collections. It requires a little planning, but it can be done.Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund

Hi kent Thank you for your prompt response You say it requires a little planning...do you mean before we install and setup our SCCM environment from scracth because it is allready in production and the guys that are deploying the desktops are allready working on it Can we still ADD and configure just the part relevant to the Windows Server portion?

You don't to plan it before the installation but as part of the collection planning and design.Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund

Sorry, if i ask dumb question but i'm not used to SCCM You mean the collection planning and design stage for the Server part. In other words....it is something that can be done while the SCCM Server is in production like it currently is?

Yes, you can rearrange security when the box is in production. You'll want to warn your existing users that you'll be limiting their rights, it may be disconcerting to them to have to "limit to another collection" for every collection they have. there is also a status filter rule-based script you may want to implement, so that collection security is correctly applied to new collections, once you start doing this. Tip: you may want to stand up a lab environment, even a VHD lab, to work out the rights and how you want it designed before modifying it in production, so you know exactly how to structure the collections, set the security, and see how the status filter rule works.Standardize. Simplify. Automate.

Thanks Sherry Guys what about this...Can this be done? (Something that just crossed my mind) Where you setup a second SCCM Server and do all your Server deployments from there or must everything be done from one SCCM Server? (Desktops and Clients)

Oh, you can, sure. lots of companies have a 2nd primary site simply for that reason. However, from your standpoint, you might then need three servers: one to be the central (so that you can see both servers and workstations), and 1 for servers, for the server team, and 1 for workstations, for the workstation team. So here's the question for you: is it worth the additional hardware, software, licensing costs (even if on a virtual servers)? Vs. spending a week or two figuring out the security on a lab / virtual environment server so you understand how it works, and than re-do the same rights on the existing production server? That's only a question you can answer: for us, we took the time. all management is done from the central server (even though we have multiple child primaries, no one actually connects to those consoles, we needed multiple because we have more than 100,000 clients). If we had less than 100,000 clients, we'd just have 1 primary site. Slightly OT: ConfigMgr 2012, currently in beta, does a much nicer job of segmenting rights and roles. If you haven't yet, you may want to grab a copy of Beta2, toss it in a lab, and see how the Role Based Access works there; so you can quickly move to CM12 when it's released.Standardize. Simplify. Automate.