Create a SCCM Report Reader AD Security Group and Import Security Role
Receive notification right in your inbox whenever new content like this is released & sign up for our email list!
We’ll send you the latest updates, how-to’s, and solutions to empower you at every endpoint.
Why do you need a SCCM Report Reader AD security group and security role? The answer is quite simple. There is no reason for non-SCCM administrators to view reports from the console.
Back in 2015, I decided to create the Enhansoft Report Readers security role because I wanted to show SCCM Admins how they could grant users access to SCCM SSRS reports without using the Configuration Manager console. Honestly, do you really want to bother others, including your boss, by making them update the SCCM console to the latest version? After creating this security role, I then published a couple of blog posts about how to use Brian Mason’s Report User Security Role and the Enhansoft Report Readers security role.
By the way, using the security role involves creating a SCCM Report Reader AD security group. Creating this type of security group is quite helpful and the steps on how to create one are universal, so you can use the following guide for all sorts of applications.
This blog post includes a new section about how to keep the Enhansoft Report Readers security role up-to-date with SCCM current branch releases, so that’s why it replaces the original post. Similar to the original, this one shows you the step-by-step process of how to create a SCCM Report Reader AD security group and how to import the security role. What do I mean? Following best practices, I will create an AD security group and then add the users to that group. I will then assign the AD security group to the SCCM security role. Doing so allows me to add and remove users from the AD security group quickly, without having to touch SCCM again.
Note: This blog post uses some of the SCCM 2012 R2 screenshots from my original post with the addition of some SCCM current branch screenshots. Keep in mind that the steps are the same no matter what version of SCCM you are using.
Create a SCCM Report Reader AD Security Group
In this section the AD security group is created. It is used to assign permission to the SCCM security role.
1. In Active Directory Users and Computers (ADUC), right-click on the appropriate Organization Unit (OU) (Users in this example), point to New and then click Group.
2. Enter the Group name and click OK.
3. Double click on the Group name that was created, next click on the Members tab, and then click Add…
4. Add the appropriate users, then click OK twice.
Now that the AD security group is created, you can assign users to it where it can be leveraged by SCCM for its security.
Importing the Security Role
In this section I will show you how to import the Enhansoft Report Readers security role. This will assign the appropriate permission within SCCM so that a user can view the SCCM reports from the SSRS web interface.
1. Download the Enhansoft Report Readers security role zip file.
SCCM 2012 R2
SCCM Current Branch (1602)
SCCM Current Branch (1810)
Now in one Zip file!
2. After un-zipping and extracting the XML file, open the Configuration Manager console. Browse to Administration | Overview | Security | Security Roles then right-click and select Import Security Role.
3. Browse to the XML file’s location. Select it and click Open.
4. Once imported, browse to Administration | Overview | Security | Administrative Users then right-click and select Add User or Group.
5. Click Browse…
6. Add the Group name and click OK.
7. Click Add…
8. Select Enhansoft Report Readers and click OK.
9. Click OK to continue.
Note: If you want to restrict which computers or users this security group can see, you can do that within the assigned security scopes and collections section.
With that last step completed, the SCCM Report Reader AD security group has permission to see all of the computers and users within SCCM and they can access all reports via the SSRS web interface. The web URL is generally http://<server name>/reports, and for my lab environment it is http://cm-cas-cb1/reports.
Updating the SCCM Report Reader Security Role for Use with Current Branch
With regular SCCM current branch updates, how can you get the latest version of the Enhansoft Report Readers security role? Simply re-import the updated zip file.
When you import the updated security role you will get the above warning message. Click on the Import button in order to complete the process of updating the security role. Your users will start using the updated version right away and therefore have access to any new reports that are within SCCM current branch.
If you have any questions about how to create a SCCM report reader AD security group and import the security role, please feel free to contact me @GarthMJ.