Endpoint Insights

Create a SCCM Report Reader AD Security Group and Import Security Role


Why do you need a SCCM Report Reader AD security group and security role? The answer is quite simple. There is no reason for non-SCCM administrators to view reports from the console.

Back in 2015, I decided to create the Enhansoft Report Readers security role because I wanted to show SCCM Admins how they could grant users access to SCCM SSRS reports without using the Configuration Manager console. Honestly, do you really want to bother others, including your boss, by making them update the SCCM console to the latest version? After creating this security role, I then published a couple of blog posts about how to use Brian Mason’s Report User Security Role and the Enhansoft Report Readers security role.

By the way, using the security role involves creating a SCCM Report Reader AD security group. Creating this type of security group is quite helpful and the steps on how to create one are universal, so you can use the following guide for all sorts of applications.

This blog post includes a new section about how to keep the Enhansoft Report Readers security role up-to-date with SCCM current branch releases, so that’s why it replaces the original post. Similar to the original, this one shows you the step-by-step process of how to create a SCCM Report Reader AD security group and how to import the security role. What do I mean? Following best practices, I will create an AD security group and then add the users to that group. I will then assign the AD security group to the SCCM security role. Doing so allows me to add and remove users from the AD security group quickly, without having to touch SCCM again.

Note: This blog post uses some of the SCCM 2012 R2 screenshots from my original post with the addition of some SCCM current branch screenshots. Keep in mind that the steps are the same no matter what version of SCCM you are using.

Create a SCCM Report Reader AD Security Group

In this section the AD security group is created. It is used to assign permission to the SCCM security role.

SCCM Report Reader AD Security Group - ADUC

1. In Active Directory Users and Computers (ADUC), right-click on the appropriate Organizational Unit (OU) (Users in this example), point to New and then click Group.

SCCM Report Reader AD Security Group - New Object-Group

2. Enter the Group name and click OK.

SCCM Report Reader AD Security Group - Members Tab

3. Double-click on the Group name that was created, next click on the Members tab, and then click Add…

SCCM Report Reader AD Security Group - Select Users

4. Add the appropriate users, then click OK twice.

Now that the AD security group is created, you can assign users to it, and SCCM can leverage the group for its security.
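The same four steps can be scripted with the ActiveDirectory PowerShell module (RSAT), which makes the group's creation and membership repeatable and easy to review. This is an added example, not part of the original post; the group name and member accounts are placeholder assumptions, and the group type and scope match the ADUC defaults (Security, Global).

```powershell
#Requires -Modules ActiveDirectory
# Added example. Placeholder assumptions, not values from the post:
$GroupName = 'SCCM Report Readers'      # hypothetical group name
$Members   = @('jdoe', 'asmith')        # constructed sample sAMAccountNames

# Step 1: the post creates the group in the built-in Users container.
$Path = (Get-ADDomain).UsersContainer

# Step 2: create the group only if it is missing, so the script is safe to re-run.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $Path
if (-not $group) {
    $group = New-ADGroup -Name $GroupName `
        -GroupCategory Security -GroupScope Global `
        -Path $Path `
        -Description 'Read-only access to SCCM SSRS reports' `
        -PassThru
}

# Steps 3-4: add only the accounts that are not members yet.
$current = @(Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty SamAccountName)
$toAdd = @($Members | Where-Object { $_ -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# Review the effective membership, including members that arrive through nested groups.
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Sort-Object SamAccountName
```

Running the last command on a schedule and comparing its output against an approved list is a simple way to notice membership changes made outside this process.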

Importing the Security Role

In this section I will show you how to import the Enhansoft Report Readers security role. This will assign the appropriate permission within SCCM so that a user can view the SCCM reports from the SSRS web interface.

1. Download the Enhansoft Report Readers security role zip file.

SCCM 2012, SCCM 2012 R2, SCCM Current Branch (1602) and SCCM Current Branch (1810): now in one Zip file!

https://www.enhansoftdownloads.com/CM/CMSecRoles.zip

SCCM Report Reader AD Security Group - Import Security Role

2. After unzipping and extracting the XML file, open the Configuration Manager console. Browse to Administration | Overview | Security | Security Roles, then right-click and select Import Security Role.

SCCM Report Reader AD Security Group - File Location

3. Browse to the XML file’s location. Select it and click Open.

SCCM Report Reader AD Security Group - Add User or Group

4. Once imported, browse to Administration | Overview | Security | Administrative Users, then right-click and select Add User or Group.

SCCM Report Reader AD Security Group - Browse

5. Click Browse…

SCCM Report Reader AD Security Group - Add Group Name

6. Add the Group name and click OK.

SCCM Report Reader AD Security Group - Add

7. Click Add…

SCCM Report Reader AD Security Group - Add Security Role

8. Select Enhansoft Report Readers and click OK.

SCCM Report Reader AD Security Group - OK

9. Click OK to continue.

Note: If you want to restrict which computers or users this security group can see, you can do that within the assigned security scopes and collections section.

With that last step completed, the SCCM Report Reader AD security group has permission to see all of the computers and users within SCCM and they can access all reports via the SSRS web interface. The web URL is generally http://<server name>/reports, and for my lab environment it is http://cm-cas-cb1/reports.
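The import and assignment steps above can also be done with the ConfigurationManager PowerShell module that ships with the console, and the result read back for review. This is an added example, not the author's own code; the site code, XML path and DOMAIN\group name are placeholder assumptions, and the collections listed are the built-in ones that correspond to "all computers and users".

```powershell
# Added example. Values marked "placeholder" are assumptions, not from the post.
$SiteCode  = 'XXX'                                 # placeholder site code
$RoleXml   = 'C:\Temp\CMSecRoles\<role-file>.xml'  # placeholder: XML extracted from CMSecRoles.zip
$RoleName  = 'Enhansoft Report Readers'            # role name as shown in the post
$GroupName = 'CONTOSO\SCCM Report Readers'         # placeholder DOMAIN\group

# Load the module installed with the Configuration Manager console, then
# switch to the site drive so the CM cmdlets have a site context.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Steps 2-3: import the role from the XML file. -Overwrite $true replaces an
# existing role with the same name, which is what a re-import of an updated file needs.
Import-CMSecurityRole -XmlFileName $RoleXml -Overwrite $true

# Stop if the role is not present after the import.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    throw "Security role '$RoleName' not found after import; check $RoleXml."
}

# Steps 4-9: add the AD group as an administrative user with only this role.
# The collections are listed explicitly so the group's visibility is easy to
# review; replace them with narrower collections to restrict what it can see.
$Collections = @('All Systems', 'All Users and User Groups')
if (-not (Get-CMAdministrativeUser -Name $GroupName)) {
    New-CMAdministrativeUser -Name $GroupName `
        -RoleName $RoleName `
        -CollectionName $Collections
}

# Read back what was granted: roles, collections and security scopes.
Get-CMAdministrativeUser -Name $GroupName |
    Select-Object LogonName, RoleNames, CollectionNames, CategoryNames
```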

Updating the SCCM Report Reader Security Role for Use with Current Branch

With regular SCCM current branch updates, how can you get the latest version of the Enhansoft Report Readers security role? Simply re-import the updated zip file.

SCCM Report Reader AD Security Group - Import Button

When you import the updated security role you will get the above warning message. Click on the Import button in order to complete the process of updating the security role. Your users will start using the updated version right away and therefore have access to any new reports that are within SCCM current branch.

If you have any questions about how to create a SCCM report reader AD security group and import the security role, please feel free to contact me @GarthMJ.
