I have a SCCM lab environment for testing. I decided to destroy it and rebuild it from the ground up, as I have not done this for some time now and it’s a good refresher.
When I build anything, I always add an AD group rather than a user for access to any ‘Full Administrator’ roles. This prevents you from locking yourself out. Unfortunately for me, after I installed SCCM and opened it for the first time, I just began customising it in reverse. Instead of setting up the administrative roles and access, I decided to start creating applications till I figured out how I wanted to structure the rest of the site servers.
After a week or so I wanted to clean up some of the user accounts in Active Directory. I ended up deleting the user account I originally used to set up SCCM. Fast forward a couple of days: I tried to open the SCCM console with a domain admin user and I got an error, no access. Then it clicked: I forgot to add the domain admins group to the SCCM administrators. The only ‘Full Administrator’ account in SCCM was the user that I deleted.
After trying to troubleshoot with various AD restore tools and hours of unsuccessful attempts to restore the deleted user account, I thought that if I could access the SQL DB and add another user or group in there, I would be able to gain access.
The account shown above is the old HEX value for the deleted AD account I originally used to configure SCCM which no longer exists.
Take note of the ‘AdminID’ 16777217.
It should look like…
Now you can add a group to ‘Full Administrators’ in the SCCM console.
Just remember to remove the original user that was created, as the SID and username will not match in SCCM.
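Before removing the stale entry, the stored hex value can be decoded to confirm which account it refers to and whether it still matches the directory. The following is an added example, not part of the original post: it assumes the hex value is the account's SID in binary form, and the sample rows, account names and the `DIRECTORY` lookup (standing in for a real AD query) are constructed.

```python
import struct

def sid_from_hex(value: str) -> str:
    """Decode a binary SID given as hex (optional 0x prefix) into S-1-... form."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on malformed hex
    if len(raw) < 8:
        raise ValueError("too short for a SID header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def stale_admins(rows, directory):
    """Return entries whose stored SID differs from the directory's current
    SID for that logon name (None means the name no longer resolves)."""
    findings = []
    for admin_id, logon, hex_sid in rows:
        stored = sid_from_hex(hex_sid)
        current = directory.get(logon.lower())
        if current != stored:
            findings.append((admin_id, logon, stored, current))
    return findings

# Constructed sample rows: (AdminID, logon name, hex SID as stored).
ROWS = [
    (16777217, "LAB\\sccm-install",
     "0x010500000000000515000000DCF4DC3B833D2B46828BA62851040000"),
    (16777218, "LAB\\sccm-admins",
     "0x010500000000000515000000DCF4DC3B833D2B46828BA62860040000"),
]
# Constructed stand-in for an AD lookup; the deleted user is absent.
DIRECTORY = {
    "lab\\sccm-admins": "S-1-5-21-1004336348-1177238915-682003330-1120",
}

if __name__ == "__main__":
    for admin_id, logon, stored, current in stale_admins(ROWS, DIRECTORY):
        print(f"AdminID {admin_id} ({logon}): stored {stored}, directory {current}")
```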
Hope this helps.
Senior Cloud Consultant