Hi We are looking for some input and assistance on assigning rights and security to an SCCM implementation that we are busy with. We have a shared SCCM deployed in an organization that spans multiple departments. Another department is going to be rolled out but they desire complete autonomy. This new department is largely located in one site although there are a few clients that reside on sites that are already under the management of the current SCCM infrastructure. There are definite limitations to what can be done with SCCM delegation and there are obvious risks in having multiple administrators from different departments possibly affecting machines they are not supposed to be managing. What I'm thinking about as a solution to this is: Deploy a new primary site server for the new department and assign boundaries for the site that contains the majority of their users. For the few clients that reside in sites that are already managed by SCCM, I'd like to manually assign the site code of the new primary server in step 1 Configure the new primary server from step 1 to report in to the central SCCM server so that the company can report on all resources (business requirement) The benefits of this from my perspective are: The department can have full control to an SCCM site and manage all their clients. They can target all system resources if they want to without putting the rest of the company at risk I know there is manual intervention in manually assigning the site code for clients in step 2 above but it probably outwieghs the administrative overhead the comes from a shared security model on the central SCCM server. One thing I'm not entirely sure of but suspect it will work is this: Clients in step 2 above, while manually assigned to a site other than what the SLP would issue, when software distribution takes place, will they copy their content from the local distribution points or from their primary server? Any comments would be most welcome.

Hey guys, I am in a similar situation as Adrian. I have a central site (SCCM Site 1) and a few primary child sites (SCCM Site 2 & 3). The reason we have primary child sites is mainly for delegation of administration reasons. Our organization has IT staff at every branch office (approx 600 users at each) and they are responsible for local IT stuff. Each branch office is able to push out their own software packages as they see fit. They act as separate entities so each child site only needs to "talk" to the central site and not each other. The SCCM infrastructure is managed by me in the central site. I have the primary child sites defined by AD site boundaries, however, I've run into a HUGE problem and my managers want me to find a way around it. I don't see a solution so I'm looking for some insight. The issue is, I have some AD Sites and even IP subnets that overlap administration boundaries. For example, one of the branch office buildings has 3 different entities on the same floor, therefore are supported by three different IT groups. Yes, overkill but we are a very large and very political organization! In this case they are all on the same IP subnet and all in the same AD site (AD infrastructure is supported by the central office) so when I define a boundary in SCCM Site 2 to equal AD Site A there is no way for AD Site A to also be defined in SCCM Site 3. I'm not concerned about SCCM Site 2 pushing software out to SCCM Site 3 clients because we are pushing the SCCM client via GPO and are forcing the SCCM site code. But, what I AM concerned about is how will SCCM Site 3 see the PC's they manage if I can't define AD Site A again? Please let me know your thoughts, solutions, suggestions. Thanks!