SCCM – Locked out

Scenario

I have a SCCM lab environment for testing, I decided to destroy it and rebuild it from the ground up as I have not done this for some time now and It’s a good refresher.

When I build anything, I always add an AD group rather than a user for access to any ‘Full Administrator’ roles. This prevents you from locking yourself out. Unfortunately for me after I installed SCCM and opened it for the first time and just began customising it in reverse. Instead of setting up the administrative roles and access I decided to start creating applications till I figured out how I wanted to structure the rest of the site servers.

After a week or so I wanted to clean up some of the user accounts in Active Directory. I ended up deleting the user account I originally used to setup SCCM. Fast forward a couple of days, I tried to open the SCCM console with a domain admin user and I got an error, no access. Then it clicked, I forgot to add the domain admins group to the SCCM administrators. The only ‘Full administrator’ account in SCCM was the user that I deleted.

The Fix

After trying to troubleshoot with various AD restore tools and hours of unsuccessful attempts to restore the deleted user account, I thought if I can access the SQL DB and add another user or group in there, I would be able to gain access.

  • Log into SQL Management Studio using your SA account.
  • Go to your CM_<SiteCode> database, then click on Tables then filter for: RBAC_Admins.

clip_image002

  • Right click on this table then select Top 1000.
  • Find the ‘AdminID’ as shown below.

clip_image003

The account shown above is the old HEX value for the deleted AD account I originally used to configure SCCM which no longer exists.

Take note of the ‘AdminID’ 16777217

  • Find another user account you want to give access to SCCM
  • Go to ADSI edit find the user and click on Properties.
  • Find the ‘ObjectSID’ and click on View
  • Copy the Hexadecimal value and remove all the spacing.
  • Go back to SQL Management Studio and run the following query on the database.

use CM_<siteCode>

update RBAC_Admins

set AdminSID=0x<newHexValue>

where AdminID=<PreviousUserAdminID>

it should look like…

use CM_ZDN

update RBAC_Admins

set AdminSID=0x010500000000000515000000B30852AC954E1D135EA8DFCB8E040000

where AdminID=16777217

  • If your successful you should get the following.

clip_image005

  • Now you can log back into the SCCM console with the new user.

Now you can add a group to ‘Full Administrators’ in the SCCM console.

Just remember to remove the original user that was created, as the SID and username will not match in SCCM.

Hope this helps.

George Zajakovski

Senior Cloud Consultant

George Zajakovski
George Zajakovski
George is a Senior Cloud Consultant who specialises in Endpoint Manager (SCCM), VMware Horizon, Citrix virtual apps / desktops, Intune and modern workplace.