Symptom: When any user account other than the one that originally configured SCCM tries to manage System Center Configuration Manager (SCCM), the console presents the following error:
The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database. The account must belong to a security role in Configuration Manager. The account must also have the Windows Server Distributed Component Object Model (DCOM) Remote Activation permission for the computer running the Configuration Manager site server and the SMS Provider.
Solution: Grant the required users or groups access to System Center through the Configuration Manager console. Follow the steps below to grant access.
- Open up the System Center Configuration Manager Console
- Select Administration
- Expand Security, select Administrative Users, and select Add User or Group at the top
- Click the Browse button and select the security group or user you wish to add as the User or group name
- Note about Domain Admins: the first group you might try to add is Domain Admins. However, if you add that group, you will notice that users in it are still unable to open the console. This is due to the user context of the logged-in session. If UAC is enabled on the machine, you won't have access to SCCM when you log in to the machine with a domain admin account unless you right-click the console and run it as Administrator. If you want this to work as intended, you will need to create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.
- Click the Add... button
- Check Full Administrator, and click OK
- Click OK
- The end result should now look like this. At this point, any user or group that is a member of SCCM Admins should be able to manage SCCM via the console.
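The same procedure scripted in PowerShell, followed by a check of who now holds Full Administrator. This is an added example, not part of the original article: the site code `ABC` and domain `CONTOSO` are placeholders, and it assumes the ActiveDirectory module and the Configuration Manager console are installed on the machine. Run it as an account that already has Full Administrator in SCCM.

```powershell
# Placeholders (assumptions, not from the article): replace with your own values.
$SiteCode  = 'ABC'          # hypothetical three-character site code
$Domain    = 'CONTOSO'      # hypothetical NetBIOS domain name
$GroupName = 'SCCM Admins'  # dedicated group, as named in the article

# 1. Create the dedicated security group in Active Directory if it is missing.
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
                -GroupScope Global -GroupCategory Security
}

# 2. Nest Domain Admins inside it (skip if already a member, since
#    Add-ADGroupMember raises an error on duplicates).
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty Name
if ($members -notcontains 'Domain Admins') {
    Add-ADGroupMember -Identity $GroupName -Members 'Domain Admins'
}

# 3. Load the Configuration Manager module shipped with the console and
#    switch to the site drive so the CM cmdlets target this site.
$cmModule = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $cmModule
Set-Location "$($SiteCode):"

# 4. Add the group as an administrative user with the Full Administrator role
#    (equivalent to Administration > Security > Administrative Users > Add User or Group).
$logon = "$Domain\$GroupName"
if (-not (Get-CMAdministrativeUser -Name $logon)) {
    New-CMAdministrativeUser -Name $logon -RoleName 'Full Administrator' `
        -SecurityScopeName 'All' `
        -CollectionName 'All Systems', 'All Users and User Groups'
}

# 5. Review every account or group that holds Full Administrator, so the
#    membership granted through group nesting is visible and can be audited.
Get-CMAdministrativeUser |
    Where-Object { $_.RoleNames -contains 'Full Administrator' } |
    Select-Object LogonName, RoleNames

Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Because Domain Admins is nested in the group, every current and future domain admin inherits Full Administrator in SCCM, so the recursive membership listing in step 5 is worth reviewing periodically.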
Great article and a terrific help for those of us trudging through SCCM for work, a fantastic effort mate!
1 thing I did notice in my instance is that I had to disable UAC on the server in order to get the new SCCM Administrators group to work ... you may want to add the following line to step 4.1
... If you want this to work as intended, you must disable UAC on the server first, after which you can create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.
... it wasn't until I disabled UAC that your instructions worked. You've mentioned UAC in the sentence previous but haven't specifically told the reader to disable it to make the console load "as intended".
But as I say mate, overall that's a great article, well done and thanks again
G-Man
Hi G-Man,
You shouldn't have to disable UAC. Adding the group via this process should resolve the issue.
Jack
If you disable UAC, you don't need to do the extra step with the group. Domain Admins can connect fine from the server once UAC is disabled.
Just go to the program startup location (C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe) and change the properties, compatibility, change settings for all users, Run this program as an administrator. This will allow you to use Domain Admins.
While you can achieve the same result this way, running the entire program with administrative privileges is not recommended for security reasons.
Jack
Thank you very much!!!
I got this error during installation of SCCM 2012. Can you tell me step by step how to fix it, please?
omGetServerRoleAvailabilityState could not read from the registry on SCCM.domain.com; error = 5: $$
This is due to permissions. Do you have local admin on the box?
https://social.technet.microsoft.com/Forums/en-US/adaf10d8-f31b-43c2-9b89-15b963aac51c/inslallation-casprimary-error-omgetserverroleavailabilitystate-could-not-read-from-the-registry?forum=configmanagerdeployment
Thank you mate! Really helpful article.
Thanks! This was exactly the information I needed to find!
Thanks bro, it helps me find the issue.
Thank you, it's very useful
Thank you! That worked.