4/13/2011

VBScript - set permissions on ConfigMgr objects in bulk

This little VBScript loops through the file SetPermissons.txt and creates all of the class and instance permissions defined there for your ConfigMgr objects.

The file structure must be:
1st position: Object Level (Possible Values: Class (C) or Instance (I))
2nd position: Object Type (COLLECTION, ADVERTISEMENT, PACKAGE, ...)
3rd position: Object Name (If Object Level is Class, the Name is not used. Best value in this case is "N/A")
4th position: Username (Format: domain\username)
5th position: Permissions (Format: Permission1&Permission2&...) - For all permissions on an object use the keyword "FULL". Check the lower part of the VBScript for detailed information. Also note that the permissions have to make sense, so first check the available permissions for each object in your ConfigMgr console.

Lines starting with # and blank lines are ignored.
# lines are available for comments.

The SetPermissons.txt file should look like this:

###########################################################################
############################### EXAMPLES ##################################
###########################################################################
### I;COLLECTION;All Systems;mydomain\myuser;READ&MODIFY&READ_RESOURCE
### I;COLLECTION;All Systems;mydomain\myuser2;READ&ADVERTISE&DELETE_RESOURCE
### I;PACKAGE;Adobe_Reader;mydomain\myuser2;DISTRIBUTE
### I;PACKAGE;Adobe_Reader;mydomain\myuser;MODIFY&DISTRIBUTE
### I;ADVERTISEMENT;Install_Adobe_Reader;mydomain\myuse;FULL
### C;SITE;N/A;mydomain\myuser;FULL
### C;TASKSEQUENCE;N/A;mydomain\myuser2;READ&MODIFY
###########################################################################
###########################################################################
###########################################################################

#Set Collection Permissions
I;Collection;MyCollectionABC;mydomain\BillGates;READ&MODIFY&READ_RESOURCE
I;Collection;MyCollectionXYZ;mydomain\SteveBallmer;READ&ADVERTISE&DELETE_RESOURCE

#Set Package Permissions
I;PACKAGE;Adobe_Reader;mydomain\BillGates;DISTRIBUTE
I;PACKAGE;Adobe_Reader;mydomain\SteveBallmer;READ&DISTRIBUTE
I;PACKAGE;Adobe_Reader;mydomain\ElvisPresley;READ&MODIFY&DISTRIBUTE

#Set Advertisement Permissions
I;Advertisement;Repair_Java;mydomain\SteveBallmer;READ

#Set Permissions for the new HelpDesk Employee
I;COLLECTION;MyCollection;mydomain\johnwayne;READ
I;COLLECTION;HisCollection;mydomain\johnwayne;READ&MODIFY
I;Advertisement;Uninstall_7ZIP;mydomain\johnwayne;READ&DELETE
C;COLLECTION;N/A;mydomain\johnwayne;READ
C;SITE;N/A;mydomain\johnwayne;READ&IMPORTMACHINE

#Set Permissions for the Group OSD Admins
C;OSINSTALLPACKAGE;N/A;mydomain\OSDAdmins;FULL
C;COMPUTERASSOCIATION;N/A;mydomain\OSDAdmins;READ&DELETE&ADMINISTER&CREATE
C;OSIMAGE;N/A;mydomain\OSDAdmins;FULL
C;TASKSEQUENCE;N/A;mydomain\OSDAdmins;FULL
C;DRIVERPACKAGE;N/A;mydomain\OSDAdmins;FULL
C;DEVICEDRIVER;N/A;mydomain\OSDAdmins;FULL


The VBScript is the code below - Have fun ;)
Note: There is not a lot of error handling built in, so please test it carefully first


'************************************************************************************************************
' Jonas Hettich
'************************************************************************************************************
'
' Ver 1.00 - 13.04.2011 - initial version
'
' What this script does:
' This script creates the permissions defined in the file SetPermissons.txt
'
' Not supported: Instance rights for Drivers, Asset Intelligence
'************************************************************************************************************

result = MsgBox("Do you really want to create the Collection Permissons?", vbYesNo)
If result = vbNo Then WScript.Quit

Dim strChoosenPermissons
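Dim strSiteServer : strSiteServer = "" 'Fill in the name of your ConfigMgr site server before running
Dim strSitecode : strSitecode = "" 'Fill in your site code before running (used in the namespace root/sms/site_<code>)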
Dim objSWbemLocator : Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Dim objSWbemServices : Set objSWbemServices = objSWbemLocator.ConnectServer(strSiteServer,"root/sms/site_" & strSitecode)

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.OpenTextFile("SetPermissons.txt")
Dim strCurrentLine
Dim strObjectsType, strObjectName, strUser, strPermissons, strObjectEnv

'Loop the Source File
Do While not objFile.AtEndOfStream
strCurrentLine = objFile.ReadLine

'Skip Comment and Blank lines
If strCurrentLine <> "" Then
If Not Left(strCurrentLine,1) = "#" Then

'Parse the information
strObjectEnv = Ucase(Split(strCurrentLine,";")(0))
strObjectsType = Ucase(Split(strCurrentLine,";")(1))
strObjectName = Ucase(Split(strCurrentLine,";")(2))
strUser = Ucase(Split(strCurrentLine,";")(3))
strPermissons = Ucase(Split(strCurrentLine,";")(4))

Call SetInstanceRights(strObjectEnv,strObjectsType, strObjectName, strUser, strPermissons)

'Reset the Permissons for the next action
strChoosenPermissons = 0

End If
End If


Loop

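Function NameToID(strObjectType, ByVal strObjectName)
Dim colResults, objResult

'Escape \ and ' for WQL so that an object name containing them cannot break or alter the queries below
strObjectName = Replace(Replace(strObjectName, "\", "\\"), "'", "\'")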

Select Case (strObjectType)
Case("COLLECTION")

Set colResults = objSWbemServices.ExecQuery ("select * from SMS_Collection where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.CollectionID
Next

Case("PACKAGE")

Set colResults = objSWbemServices.ExecQuery ("select * from SMS_Package where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next

Case ("ADVERTISEMENT")

Set colResults = objSWbemServices.ExecQuery ("select * from SMS_Advertisement where AdvertisementName='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.AdvertisementID
Next

Case ("TASKSEQUENCE")

Set colResults = objSWbemServices.ExecQuery ("Select * from SMS_TaskSequencePackage where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next

Case ("OSINSTALLPACKAGE")

Set colResults = objSWbemServices.ExecQuery ("Select * from SMS_OperatingSystemInstallPackage where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next

Case ("OSIMAGE")

Set colResults = objSWbemServices.ExecQuery ("Select * from SMS_ImagePackage where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next

Case ("BOOTIMAGE")

Set colResults = objSWbemServices.ExecQuery ("Select * from SMS_BootImagePackage where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next

Case ("DRIVERPACKAGE")

Set colResults = objSWbemServices.ExecQuery ("Select * from SMS_DriverPackage where Name='" & strObjectName & "'")
For Each objResult In colResults
NameToID = objResult.PackageID
Next
Case Else
Log "Error: Objecttype not supported"
Exit Function
End Select

End Function

Function SetInstanceRights(ObjectEnv, ObjectType, ObjectName, User, Permissons)
Dim arrPermissons, strPermisson
Dim strObjectID
Dim objUserPermissions

'Choose between Class and Instance Permissons
If ObjectEnv = "I" Then
Set objUserPermissions = objSWbemServices.Get("SMS_UserInstancePermissions")
Log vbNewLine &"*** Configure Instance Permissons ***"
ElseIf ObjectEnv = "C" Then
Set objUserPermissions = objSWbemServices.Get("SMS_UserClassPermissions")
Log vbNewLine &"*** Configure Class Permissons ***"
Else
Log "Error: Object Environment not available. Must be Class(C) or Instance(I)"
WScript.Quit
End If


'Create UserInstancePermissonsObject
Set objNewUserPermissions = objUserPermissions.SpawnInstance_

'Set the Objecttype
Select Case (ObjectType)
Case "COLLECTION"
objNewUserPermissions.ObjectKey = 1
Case "PACKAGE"
objNewUserPermissions.ObjectKey = 2
Case "ADVERTISEMENT"
objNewUserPermissions.ObjectKey = 3
Case "STATUSMESSAGE"
objNewUserPermissions.ObjectKey = 4
Case "SITE"
objNewUserPermissions.ObjectKey = 6
Case "QUERY"
objNewUserPermissions.ObjectKey = 7
Case "REPORT"
objNewUserPermissions.ObjectKey = 8
Case "SOFTWAREMETERINGRULE"
objNewUserPermissions.ObjectKey = 9
Case "APPLICABLEUPDATESSUMMARY"
objNewUserPermissions.ObjectKey = 10
Case "CONFIGURATIONITEMS"
objNewUserPermissions.ObjectKey = 11
Case "OSINSTALLPACKAGE"
objNewUserPermissions.ObjectKey = 14
Case "DEPLOYMENTTEMPLATE"
objNewUserPermissions.ObjectKey = 15
Case "DEPLOYMENT"
objNewUserPermissions.ObjectKey = 16
Case "COMPUTERASSOCIATION"
objNewUserPermissions.ObjectKey = 17
Case "OSIMAGE"
objNewUserPermissions.ObjectKey = 18
Case "BOOTIMAGE"
objNewUserPermissions.ObjectKey = 19
Case "TASKSEQUENCE"
objNewUserPermissions.ObjectKey = 20
Case "DEVICESETTINGPACKAGE"
objNewUserPermissions.ObjectKey = 21
Case "DEVICESETTINGITEM"
objNewUserPermissions.ObjectKey = 22
Case "DRIVERPACKAGE"
objNewUserPermissions.ObjectKey = 23
Case "DEPLOYMENTPACKAGE", "DEPLYOMENTPACKAGE" 'the misspelled keyword is still accepted
objNewUserPermissions.ObjectKey = 24
Case "DEVICEDRIVER"
objNewUserPermissions.ObjectKey = 25
Case Else
Log "Error: Objecttype not supported"
Exit Function
End Select


'Set the Object ID
If ObjectEnv = "I" Then
strObjectID = NameToID(ObjectType,ObjectName)
If strObjectID <> "" Then
objNewUserPermissions.InstanceKey = strObjectID
Else
Log "Error: " &ObjectType &" was not found: " &ObjectName
WScript.Quit
End If
End If

'Set the User or Group
objNewUserPermissions.UserName = User

'Set the Permissons
If Permissons = "FULL" Then
'Set Full Permissons String
Permissons = FullPermissons(ObjectType,ObjectEnv)
End If


arrPermissons = Split(Permissons,"&")
For Each strPermisson In arrPermissons

'Parse the Permissons
'http://msdn.microsoft.com/en-us/library/cc143194.aspx
'Combine the flags with Or (not +) so that a permission listed twice cannot turn into a different permission
Select Case UCASE(strPermisson)
Case "READ"
strChoosenPermissons = strChoosenPermissons Or 1
Case "MODIFY"
strChoosenPermissons = strChoosenPermissons Or 2
Case "DELETE"
strChoosenPermissons = strChoosenPermissons Or 4
Case "DISTRIBUTE"
strChoosenPermissons = strChoosenPermissons Or 8
Case "REMOTE_CONTROL"
strChoosenPermissons = strChoosenPermissons Or 32
Case "ADVERTISE"
strChoosenPermissons = strChoosenPermissons Or 64
Case "MODIFY_RESOURCE"
strChoosenPermissons = strChoosenPermissons Or 128
Case "ADMINISTER"
strChoosenPermissons = strChoosenPermissons Or 256
Case "DELETE_RESOURCE"
strChoosenPermissons = strChoosenPermissons Or 512
Case "CREATE"
If ObjectEnv = "I" And ObjectType = "COLLECTION" Then
'Collection Instances do not have the permissions CREATE, ADMINISTER, DELEGATE
Log "ERROR: CREATE, ADMINISTER and DELEGATE permissons are not possible on Collection Instances"
Exit Function
Else
strChoosenPermissons = strChoosenPermissons Or 1024
End If
Case "VIEWCOLLECTEDFILES"
strChoosenPermissons = strChoosenPermissons Or 2048
Case "READ_RESOURCE"
strChoosenPermissons = strChoosenPermissons Or 4096
Case "DELEGATE"
strChoosenPermissons = strChoosenPermissons Or 8192
Case "METER"
strChoosenPermissons = strChoosenPermissons Or 16384
Case "MANAGESQLCOMMAND"
strChoosenPermissons = strChoosenPermissons Or 32768
Case "MANAGESTATUSFILTER"
strChoosenPermissons = strChoosenPermissons Or 65536
Case "MANAGEFOLDERS"
strChoosenPermissons = strChoosenPermissons Or 131072
Case "NETWORKACCESS"
strChoosenPermissons = strChoosenPermissons Or 262144
Case "IMPORTMACHINE"
strChoosenPermissons = strChoosenPermissons Or 524288
Case "CREATETASKSEQUENCEMEDIA"
strChoosenPermissons = strChoosenPermissons Or 1048576
Case "MODIFYCOLLECTIONSETTING"
strChoosenPermissons = strChoosenPermissons Or 2097152
Case "MANAGEOSDCERTIFICATE"
strChoosenPermissons = strChoosenPermissons Or 4194304
Case "RECOVERUSERSTATE"
strChoosenPermissons = strChoosenPermissons Or 8388608
Case "MANAGEMGMTCONTROLLERS", "MANAGEMGMTCONROLLERS" 'the misspelled keyword is still accepted
strChoosenPermissons = strChoosenPermissons Or 16777216
Case "VIEWMGMTCONTROLLERS", "VIEWMGMTCONROLLERS" 'the misspelled keyword is still accepted
strChoosenPermissons = strChoosenPermissons Or 33554432
Case Else
Log "Error: Permissons not supported"
End Select

Next


If ObjectEnv = "I" Then
objNewUserPermissions.InstancePermissions = strChoosenPermissons
ElseIf ObjectEnv = "C" Then
objNewUserPermissions.ClassPermissions = strChoosenPermissons
End If


'Creating Permissons
On Error Resume Next
objNewUserPermissions.put_


If Err.Number = 0 Then
Log "Successfully set following permissons:"
Log vbTab &" - ObjectType: " &ObjectType
Log vbTab &" - ObjectName: " &ObjectName
Log vbTab &" - User: " &User
Log vbTab &" - Permissons: " &Permissons
Else
Log "Error (" &Err.Description &") when trying to create the object:"
Log vbTab &" - ObjectType: " &ObjectType
Log vbTab &" - ObjectName: " &ObjectName
Log vbTab &" - User: " &User
Log vbTab &" - Permissons: " &Permissons
End If


Set objNewUserPermissions = Nothing

End Function


Function FullPermissons(ObjectType,ObjectEnv)

Select Case (ObjectType)

Case "SITE"
FullPermissons = "IMPORTMACHINE&DELEGATE&ADMINISTER&CREATE&DELETE&READ&MODIFY&MANAGEOSDCERTIFICATE&MANAGESTATUSFILTER&MANAGESQLCOMMAND&METER"
Case "OSINSTALLPACKAGE"
FullPermissons = "READ&DISTRIBUTE&MODIFY&DELETE&ADMINISTER&CREATE&MANAGEFOLDERS&DELEGATE"
Case "OSIMAGE"
FullPermissons = "READ&DISTRIBUTE&MODIFY&DELETE&ADMINISTER&CREATE&MANAGEFOLDERS&DELEGATE"
Case "TASKSEQUENCE"
FullPermissons = "READ&CREATETASKSEQUENCEMEDIA&MODIFY&DELETE&ADMINISTER&CREATE&MANAGEFOLDERS&DELEGATE"
Case "DRIVERPACKAGE"
FullPermissons = "READ&DISTRIBUTE&MODIFY&DELETE&ADMINISTER&CREATE&MANAGEFOLDERS&DELEGATE"
Case "STATUSMESSAGE"
FullPermissons = "READ&DELETE&CREATE&ADMINISTER"
Case "QUERY"
FullPermissons ="READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "REPORT"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "SOFTWAREMETERINGRULE"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "APPLICABLEUPDATESSUMMARY"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE"
Case "CONFIGURATIONITEMS"
FullPermissons = "READ&MODIFY&DELETE&DISTRIBUTE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS&NETWORKACCESS"
Case "DEPLOYMENTTEMPLATE"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE"
Case "DEPLOYMENT"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE"
Case "DEVICESETTINGPACKAGE"
FullPermissons ="READ&MODIFY&DELETE&DISTRIBUTE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "DEVICESETTINGITEM"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE"
Case "DEPLOYMENTPACKAGE", "DEPLYOMENTPACKAGE" 'the misspelled keyword is still accepted
FullPermissons = "READ&MODIFY&DELETE&DISTRIBUTE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "COLLECTION"
If ObjectEnv = "C" Then
FullPermissons = "READ&MODIFY&DELETE&CREATE&REMOTE_CONTROL&ADVERTISE&MODIFY_RESOURCE&ADMINISTER&DELETE_RESOURCE&VIEWCOLLECTEDFILES&READ_RESOURCE&DELEGATE&MODIFYCOLLECTIONSETTING&MANAGEMGMTCONROLLERS&VIEWMGMTCONROLLERS"
ElseIf ObjectEnv = "I" Then
'Collection Instances do not have the permissions CREATE, ADMINISTER, DELEGATE
FullPermissons = "READ&MODIFY&DELETE&REMOTE_CONTROL&ADVERTISE&MODIFY_RESOURCE&DELETE_RESOURCE&VIEWCOLLECTEDFILES&READ_RESOURCE&MODIFYCOLLECTIONSETTING&MANAGEMGMTCONROLLERS&VIEWMGMTCONROLLERS"
End If
Case "PACKAGE"
FullPermissons = "READ&MODIFY&DELETE&DISTRIBUTE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "ADVERTISEMENT"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "DRIVERPACKAGE"
FullPermissons = "READ&MODIFY&DISTRIBUTE&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "COMPUTERASSOCIATION"
FullPermissons = "READ&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS&RECOVERUSERSTATE"
Case "DEVICEDRIVER"
FullPermissons = "READ&MODIFY&DELETE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case "BOOTIMAGE"
FullPermissons = "READ&MODIFY&DELETE&DISTRIBUTE&ADMINISTER&CREATE&DELEGATE&MANAGEFOLDERS"
Case Else
Log "Permissons not supported"
End Select

End Function

Function Log(strTextToLog)
WScript.Echo strTextToLog
Dim objFile, objLogFile, objLogFile2
Dim strFilenameWithoutExtension, intMaxFileSize, n
intMaxFileSize = 15 * 1024 * 1024 '15MB
'strip ".vbs" from the full path scriptname
strFilenameWithoutExtension= left(WScript.ScriptFullName,len(WScript.ScriptFullName)-4)
On Error Resume Next
n = -1
'we need to check the current logfile size 1st - open the current logfile
Set objFile = objFSO.getfile(strFilenameWithoutExtension & ".log")
'check if the the current logfile is bigger than the max file size
If objFile.Size > intMaxFileSize Then
'it's bigger - so open the backup log file
Set objLogFile2 = objFSO.getfile(strFilenameWithoutExtension & ".lo_")
'delete the backup file
objLogFile2.Delete
'rename the original file to "*.lo_" (a File object has no Close method, so nothing needs closing afterwards)
objFile.name = left(objFile.name, len(objFile.name)-1) & "_"
End If
Set objLogFile = objFSO.opentextfile(strFilenameWithoutExtension & ".log", 8, True)
'objLogFile.writeline Date & " - " & Time & " - """ & strTextToLog & """"
objLogFile.writeline Date & " - " & Time & " - " & " - """ & strTextToLog & """"
If len(strTextToLog) > 78 then strTextToLog = left(strTextToLog,76) & "..."
'Log strTextToLog
objLogFile.Close
'release the objects that were actually declared above
Set objFile = Nothing
Set objLogFile2 = Nothing
Set objLogFile = Nothing
If Err Then Err.Clear
On Error GoTo 0
End Function
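
A dry-run check for the file format described above, as an added example that is not part of Jonas Hettich's script. The permission keywords and bit values are taken from the script; the function name CheckLine and the sample lines are constructed for this illustration, and the check connects to no site server and changes nothing.

```vbscript
Option Explicit
' Added example: dry-run check of SetPermissons.txt lines before the real script is run.
Dim dictBits, arrTokens, i, arrSample, strLine, strErr, lngMask
Set dictBits = CreateObject("Scripting.Dictionary")
' Token order follows the bit values used by the script (1, 2, 4, 8, 32, ...); "-" marks the unused value 16.
arrTokens = Split("READ MODIFY DELETE DISTRIBUTE - REMOTE_CONTROL ADVERTISE MODIFY_RESOURCE ADMINISTER " & _
    "DELETE_RESOURCE CREATE VIEWCOLLECTEDFILES READ_RESOURCE DELEGATE METER MANAGESQLCOMMAND " & _
    "MANAGESTATUSFILTER MANAGEFOLDERS NETWORKACCESS IMPORTMACHINE CREATETASKSEQUENCEMEDIA " & _
    "MODIFYCOLLECTIONSETTING MANAGEOSDCERTIFICATE RECOVERUSERSTATE MANAGEMGMTCONROLLERS VIEWMGMTCONROLLERS")
For i = 0 To UBound(arrTokens)
    If arrTokens(i) <> "-" Then dictBits.Add arrTokens(i), CLng(2 ^ i)
Next
' Object types that NameToID in the script can resolve for instance (I) lines
Const INSTANCE_TYPES = ";COLLECTION;PACKAGE;ADVERTISEMENT;TASKSEQUENCE;OSINSTALLPACKAGE;OSIMAGE;BOOTIMAGE;DRIVERPACKAGE;"

' Returns "" when the line is acceptable, otherwise the reason it is not; lngMask receives the bitmask.
Function CheckLine(strLine, ByRef lngMask)
    Dim arrF, strLevel, strType, strTok, dictSeen
    lngMask = 0 : CheckLine = ""
    arrF = Split(strLine, ";")
    If UBound(arrF) <> 4 Then CheckLine = "expected 5 fields, found " & (UBound(arrF) + 1) : Exit Function
    strLevel = UCase(arrF(0)) : strType = UCase(arrF(1))
    If strLevel <> "C" And strLevel <> "I" Then CheckLine = "level must be C or I" : Exit Function
    If strLevel = "I" And InStr(INSTANCE_TYPES, ";" & strType & ";") = 0 Then
        CheckLine = "no instance lookup for type " & strType : Exit Function
    End If
    If InStr(arrF(3), "\") < 2 Or InStr(arrF(3), "\") = Len(arrF(3)) Then CheckLine = "user must be domain\username" : Exit Function
    If UCase(arrF(4)) = "FULL" Then Exit Function ' FULL is expanded per object type by the script itself
    Set dictSeen = CreateObject("Scripting.Dictionary")
    For Each strTok In Split(UCase(arrF(4)), "&")
        If Not dictBits.Exists(strTok) Then CheckLine = "unknown permission " & strTok : Exit Function
        If dictSeen.Exists(strTok) Then CheckLine = "permission listed twice: " & strTok : Exit Function
        dictSeen.Add strTok, True
        If strLevel = "I" And strType = "COLLECTION" And InStr(";CREATE;ADMINISTER;DELEGATE;", ";" & strTok & ";") > 0 Then
            CheckLine = strTok & " is not available on collection instances" : Exit Function
        End If
        lngMask = lngMask Or dictBits(strTok)
    Next
    If lngMask = 0 Then CheckLine = "no permissions given"
End Function

' Constructed sample lines; replace them with the lines of your own SetPermissons.txt.
arrSample = Array("I;COLLECTION;HisCollection;mydomain\johnwayne;READ&MODFIY", _
    "I;COLLECTION;MyCollection;mydomain\johnwayne;READ&CREATE", _
    "C;SITE;N/A;mydomain\johnwayne;READ&IMPORTMACHINE", _
    "I;PACKAGE;Adobe_Reader;mydomain\BillGates")
For Each strLine In arrSample
    strErr = CheckLine(strLine, lngMask)
    If strErr = "" Then
        WScript.Echo "OK     " & strLine & "  (mask " & lngMask & ")"
    Else
        WScript.Echo "REJECT " & strLine & "  -> " & strErr
    End If
Next
```

Run it with cscript.exe so the results go to the console rather than to message boxes, and only feed the file to the real script once every line reports OK.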

2 comments:

thepip3r said...

Thanks for the script Jonas, I had to adapt it a bit to my environment and way we're setting class-level objects instead of instance-level but it worked like a champ. Thanks for the format. Credit to you and your blog is given.

http://thepip3r.blogspot.com/2011/04/sccm-2007-usergroup-rights-distribution.html


- thepip3r

merowinger said...

Hi thepip3r,
That's why I posted it. Great to hear ;)
Best regards
Jonas