SCCM 2012 "Super Admin" Deleted

So I'm hoping this is a rather simple solution, but I can't find anything online as it would appear most organizations do not do this. :)

I installed SCCM 2012 RTM for a customer around a year ago. I've now come back onsite to handle some other installations and figured I'd upgrade them to SP1 while I was onsite. They created a new account for me and gave me domain admin permissions and also "Full Administrator" permissions within the SCCM 2012 RTM environment. However, I'm running into a problem where certain things are not editable by even full administrators and seem to require the "super admin" that originally installed the product, which, in my case, is the account they deleted. Is there any way to reset the administrator account within SCCM?

Thanks,

Ryan

May 29th, 2013 9:19pm

Full Administrator has permissions to everything within ConfigMgr; however, the initial admin account is the one that was used to install ConfigMgr and thus is also a sysadmin within the SQL Instance used and a local administrator on the site server as well as on the system hosting the SQL Instance. You are probably just missing the sysadmin piece.
May 29th, 2013 10:04pm

Made my user a sysadmin on the SQL Server logins side, also gave them membership to db_owner on the CM_ DB and sections such as the Hierarchy Settings -> Automatic Client Upgrade are grayed out for the user...
May 29th, 2013 10:17pm

Not sure if this is a bug or what, but you need to make sure the account has "All Security Scopes" assigned to it: http://blog.coretech.dk/kea/automatic-client-upgrade-greyed-out/
May 29th, 2013 10:39pm

My solution is not supported by Microsoft, because you need to change your site DB, but it works. Use it at your own risk.

1) Go to SQL Management Studio, connect to site server and run code

use CM_%Site_Code%
select AdminID,AdminSID,LogonName,DisplayName from RBAC_Admins

%Site_Code% - your organization site code.

Find a line with your Old_Admin account and remember AdminID.

2) Get SID of New_Admin account in hex (for example from adsiedit utility in domain, like this 0x010500000000000515000000B92ACD62A473F62D825A8A49EA0D0100)

3) Go to SQL Management Studio and run code

use CM_%Site_Code%
update RBAC_Admins
set AdminSID='0x010500000000000515000000B92ACD62A473F62D825A8A49EA0D0100'
where AdminID=%Old_Admin_AdminID%

4) Connect to SCCM admin console with New_Admin account.

5) In administration pane add New_Admin account and assign Full Administrator role, All Security Scope, All Collection. Re-run console. 


  • Edited by sterh2004 Friday, May 31, 2013 10:53 AM
May 31st, 2013 10:46am

Very cool -- thank you.

However, I think we need to convert the SID into a binary value to store it in the table, right?

use CM_XXX
select AdminID,AdminSID,LogonName,DisplayName from RBAC_Admins

update RBAC_Admins
set AdminSID='0x010500000000000515000000F094C85F9A7CD636XXXX3234200000'
where AdminID='16777217'

That gives me back:

Msg 257, Level 16, State 3, Line 1
Implicit conversion from data type varchar to varbinary is not allowed. Use the CONVERT function to run this query.

I've tried moving the quotes / double quotes around and can't get it to work... When I edit the table it tells me this field is binary data.
May 31st, 2013 5:21pm

Should also clarify -- I only ran the lines after update RBAC_Admins when I got that error, hence the Line 1 message.
May 31st, 2013 5:39pm

Hi, Ryan.

Don't use CM_XXX, instead XXX should be your SITE_CODE

I took screenshots for you:

My SITE_CODE is CAS, red border is AdminID column, green border is my Full Administrator line. AdminID = 18.

Use AdminID value without quotes or double quotes, because AdminID is an integer.

AdminSID must include new admin SID.

Hope I helped you.

June 3rd, 2013 7:40am

Hi Sterh,

Thank you for the reply -- let me know if I'm doing something wrong... I had replaced the XXX with my site code, just removed for the web. I'll place it as "CAS" in the below:

use CM_CAS
update RBAC_Admins
set AdminSID='0x010500000000000515000000F094C85F9A7CD63643170A3234200000'
where AdminID=16777217



I get the below:

Msg 257, Level 16, State 3, Line 1
Implicit conversion from data type varchar to varbinary is not allowed. Use the CONVERT function to run this query.


June 6th, 2013 5:00pm

Hi, Ryan.

Copy code below and try again:

use CM_CAS
update dbo.RBAC_Admins
set AdminSID='0x010500000000000515000000F094C85F9A7CD63643170A3234200000'
where AdminID=16777217

Could you post a screenshot for this code?

use CM_CAS
select AdminID,AdminSID,LogonName,DisplayName from dbo.RBAC_Admins
June 7th, 2013 9:18am

16777217 0x010500000000000515000000738159A249207D3EFFE1B967220E0000 ****\sccm-sms sccm-sms

Same issue. Account deleted. Was the only one in SCCM (unfortunately).

Sad thing I never really did any SQL "code"

Any ideas?

October 8th, 2013 2:48pm

mkay, after googling for a while I figured that I have to do it like this:

use CM_CAS
update dbo.RBAC_Admins
set AdminSID=0x010500000000000515000000F094C85F9A7CD63643170A3234200000
where AdminID=16777217
so, _without_ apostrophes in AdminSID value.

  • Proposed as answer by pelleswe 21 hours 37 minutes ago
October 9th, 2013 8:35am
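
The working form of the update, as an added example that is not part of the original thread: it parses the hex SID with CONVERT style 1, checks that the result is a well-formed binary SID, and changes the row inside a transaction. CM_CAS, AdminID 16777217 and the SID are the values quoted in the thread and stand in for your own.

```sql
-- Added example: CM_CAS, AdminID 16777217 and the SID are the values quoted
-- in the thread; substitute your own site code, AdminID and new admin SID.
USE CM_CAS;
SET NOCOUNT ON;

DECLARE @AdminID int          = 16777217;
DECLARE @SidHex  varchar(200) = '0x010500000000000515000000F094C85F9A7CD63643170A3234200000';

-- A quoted value is varchar, which SQL Server will not implicitly convert
-- to varbinary (Msg 257). CONVERT style 1 parses a '0x...' hex string.
DECLARE @Sid varbinary(85) = CONVERT(varbinary(85), @SidHex, 1);

-- Sanity-check the binary SID layout before touching the table:
-- byte 1 = revision (1), byte 2 = sub-authority count,
-- total length = 8 header bytes + 4 bytes per sub-authority.
IF SUBSTRING(@Sid, 1, 1) <> 0x01
   OR DATALENGTH(@Sid) <> 8 + 4 * CAST(SUBSTRING(@Sid, 2, 1) AS int)
BEGIN
    RAISERROR('Value is not a well-formed binary SID; nothing changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Record the row as it is now so the old SID can be restored if needed.
SELECT AdminID, AdminSID, LogonName, DisplayName
FROM dbo.RBAC_Admins
WHERE AdminID = @AdminID;

UPDATE dbo.RBAC_Admins
SET AdminSID = @Sid
WHERE AdminID = @AdminID;

-- Exactly one administrator row should change; otherwise undo everything.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one row for this AdminID; rolled back.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    SELECT AdminID, AdminSID, LogonName, DisplayName
    FROM dbo.RBAC_Admins
    WHERE AdminID = @AdminID;
END;
```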


Hate to bring life to a 2 year old post, but just got to say that this saved my ass! Old admin long gone and so was his ad account.

This following link might help for some (but not for me): http://blog.coretech.dk/kea/automatic-client-upgrade-greyed-out

September 6th, 2015 6:01am

This topic is archived. No further replies will be accepted.
