Auditing – Administrative User Accounts that have permissions to deploy a task sequence to a resource

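-- What admins have the right to initiate a task sequence install on a resource.
--
-- An admin is reported when BOTH of the following hold:
--   1. they hold Read + Deploy on at least one collection (the deployment target), and
--   2. they can reach a software-deploying task sequence, via any one of
--      a. Read on an existing task sequence that references a package,
--      b. Create + Read on task sequences together with Read on at least one package
--         or application (explicit instance permission, or the "All" scope SMS00ALL), or
--      c. the "All" scope (SMS00ALL) on task sequences.
--
-- GrantedOperations bit masks used below:
--   0x00000001 = Read
--   0x00000400 = Create    (0x00000401 = Create + Read)
--   0x00800000 = Deploy    (0x00800001 = Deploy + Read)
-- ObjectTypeID values: 1 = collection, 2 = package, 20 = task sequence, 31 = application.
--
-- NOTE(review): check (1) only looks at RBAC_InstancePermissions. An admin whose collection
-- access comes solely through a security scope (v_CategoryPermissions, ObjectTypeID = 1) is not
-- matched here, so the audit can under-report -- confirm against the site's RBAC model.
-- NOTE(review): the SMS00ALL branches do not test GrantedOperations, so any role touching the
-- object type in the "All" scope counts; over-reporting is the safer direction for an audit.

select a.LogonName
from RBAC_Admins a
where
  -- 1. Read + Deploy on at least one collection
  exists
  (
    select 1
    from RBAC_InstancePermissions coll
    where coll.AdminID = a.AdminID
      and coll.ObjectTypeID = 1
      and (coll.GrantedOperations & 0x00800001) = 0x00800001
  )
  and
  (
    -- 2a. Read on an existing task sequence that deploys software (references a package)
    exists
    (
      select 1
      from RBAC_InstancePermissions ts
      where ts.AdminID = a.AdminID
        and ts.ObjectTypeID = 20
        and (ts.GrantedOperations & 0x00000001) = 0x00000001
        and ts.objectkey in (select packageid from v_TaskSequencePackageReferences)
    )
    or
    -- 2b. Create + Read on task sequences, plus Read on something to put in them
    exists
    (
      select 1
      from RBAC_InstancePermissions ip
      -- NOTE(review): ip carries no filter of its own, so this join only requires that the admin
      -- has at least one instance-permission row of any kind; the Create check lives entirely on
      -- cp. Confirm this is intended rather than a dropped condition.
      inner join v_CategoryPermissions cp
        on cp.AdminID = ip.AdminID
        and cp.ObjectTypeID = 20
        and (cp.GrantedOperations & 0x00000401) = 0x00000401
      where ip.AdminID = a.AdminID
        and
        (
          -- Read on at least one package
          exists
          (
            select 1
            from RBAC_InstancePermissions pkg
            where pkg.AdminID = a.AdminID
              and pkg.ObjectTypeID = 2
              and (pkg.GrantedOperations & 0x00000001) = 0x00000001
          )
          -- or all packages through the "All" scope
          or exists
          (
            select 1
            from v_CategoryPermissions pkgall
            where pkgall.AdminID = a.AdminID
              and pkgall.ObjectTypeID = 2
              and pkgall.CategoryID = 'SMS00ALL'
          )
          -- or Read on at least one application
          or exists
          (
            select 1
            from RBAC_InstancePermissions app
            where app.AdminID = a.AdminID
              and app.ObjectTypeID = 31
              and (app.GrantedOperations & 0x00000001) = 0x00000001
          )
          -- or all applications through the "All" scope
          or exists
          (
            select 1
            from v_CategoryPermissions appall
            where appall.AdminID = a.AdminID
              and appall.ObjectTypeID = 31
              and appall.CategoryID = 'SMS00ALL'
          )
        )
    )
    or
    -- 2c. all task sequences through the "All" scope
    exists
    (
      select 1
      from v_CategoryPermissions tsall
      where tsall.AdminID = a.AdminID
        and tsall.ObjectTypeID = 20
        and tsall.CategoryID = 'SMS00ALL'
    )
  )
order by a.LogonName;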