getting Security Scopes of SCCM folder

since version 1906 SCCM supports role-based access control (RBAC) for folders. This can be configured trough the SCCM console or (recommended) PowerShell.

unfortunattely the current version of the commandlet Get-CMObjectSecurityScope doesn’t support any folder as InputObject. so, if you want to know, which Security Scope is allowed to see a folder, you have to use this:

$PathName = 'LAB:\DeviceCollection\FolderName\SubFolder' 
$Folder = Get-Item $PathName 
Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$( $SiteCode )" -Query "SELECT * FROM SMS_SecuredCategoryMembership WHERE ObjectKey = '$( $Folder.ContainerNodeID )'" | ForEach-Object { Get-CMSecurityScope -Id $_.CategoryID }

$PathName = 'LAB:\DeviceCollection\FolderName\SubFolder'

$Folder = Get-Item $PathName

Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$( $SiteCode )" -Query "SELECT * FROM SMS_SecuredCategoryMembership WHERE ObjectKey = '$( $Folder.ContainerNodeID )'" | ForEach-Object { Get-CMSecurityScope -Id $_.CategoryID }

to add or remove any SecurityScopes to a Folder, you can use this build-in commandlets:

Add-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName
Remove-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName

1 2	Add-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName Remove-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName

Share this:

Leave a Reply Cancel reply