Weird but true: Permissions required to use Resultant Client Settings in ConfigMgr 2012

TweetFor those following me on Twitter, this blog post will be an extended version of a tweet I posted last week. This blog post will explain a bit more about the situation, as that was a  bit hard in a tweet of 140 characters. Also, this blog is a lot easier to find for future references.

Introduction

In this blog post I’ll explain what permissions are required to use the Resultant Client Settings feature that’s new since ConfigMgr 2012 R2. This feature can be used to view the calculated resultant client settings. This can be really useful when multiple client settings have been deployed to the same device, user, or user group, as the prioritization and combination of settings can be complex. Keep in mind that this calculation is done on the server-side. That means it will show the resultant client settings of how they should be according to the targeted policies. It doesn’t show the resultant client settings of the truly applied policies. That means that this can’t be used to see if policy are applied, or not.

Permissions

ResultantClientSettingsMenuNow the key thing of this blog post, the minimal permissions required to use the Resultant Client Settings feature. There will be one big surprise between the required permissions. To provide a user with the minimal rights required for using this feature, use the following list:

  • ResultantClientSettingsClient Agent Settings – Read;
    • Without the read permissions the Resultant Client Settings feature will be grayed out.
  • Collection – Read, Provision AMT;
    • Without the read permissions the collections can’t be accessed and without the Provision AMT permissions the Resultant Client Settings feature will not show.
  • Site – Read.
    • Without the read permissions the Resultant Client Settings feature will be grayed out.

Feedback

The big surprise in the required permissions is, of course, the Provision AMT permission. It’s hard to explain to anybody that the Provision AMT permission is required to allow the usage of the Resultant Client Settings feature. Also, by providing that permission it also provides the access to the Manage Out of Band menu options. This is not always the ideal situation. That’s why I filed a DCR on the connect site. If you would like to see this addressed in a future release, or in a hotfix, or just want to give it a small spotlight, this is the link where you can vote: https://connect.microsoft.com/ConfigurationManagervnext/feedbackdetail/view/952491

Share