System Center 2012 R2 - The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database

Symptom: When any user account, other than the individual who originally configured SCCM, tries to manage System Center Configuration Manager (SCCM), they are presented with the following error:

The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database.  The account must belong to a security role in Configuration Manager.  The account must also have the Windows Server Distributed Componenet Object Model (DCOM) Remote Activation permission for the computer running the Configuration Manager site server and the SMS Provider. Configuration Manager cannot connect to the site - System Center 2012 R2 Configuration Manager

Solution: We need to provide a list of users/groups to have access to System Center through the configuration console.  Follow the steps below on how to grant access.

  1.  Open up the System Center Configuration Manager Console System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration
    System Center 2012 R2 Configuration Manager - Administration
  3. Expand Security, select Administrative Users, and select Add User or Group at the top
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group
  4. Click the Browse button to add security group or user you wish to add for the User or group name
    1. Note about Domain Admins: the first group you might try to add is Domain Admins, however if you add that group you will notice that users in this group will still be unable to open the console.  This is due to the behavior of user context logged in.  If UAC is enabled on the machine, you won't have access to the SCCM you login to the machine with a domain admin account, unless you right click on the console and run it is Administrator.  If you want this to work as intended, you will need to create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.
  5. Click the Add... button
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add
  6. Check Full Administrator, and click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add - Add Security Role
  7. Click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Group and Security Roles assigned
  8. The end result should now look like this.  At this point, any member or group inside of SCCM Admins should have access to manage SCCM now via the console.
    System Center 2012 R2 - Administration - Security - Administrative Users - Security Group and User

13 thoughts on “System Center 2012 R2 - The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database

  1. G-Man

    Great article and a terrific help for those of us trudging through SCCM for work, a fantastic effort mate!

    1 thing I did notice in my instance is that I had to disable UAC on the server in order to get the new SCCM Administrators group to work ... you may want to add the following line to step 4.1

    ... If you want this to work as intended, you must disable UAC on the server first, after which you can create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.

    ... it wasn't until I disabled UAC that your instructions worked. You've mentioned UAC in the sentence previous but haven't specifically told the reader to disable it to make the console load "as intended".

    Btu as I say mate, overall that's a great article, well done and thanks again

    G-Man

    Reply
    1. Chad

      If you disable UAC, you don't need to do the extra step with the group. Domain Admins can connect fine from the server once UAC is disabled.

      Reply
  2. rfar

    Just go to the program startup location (C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe) and change the properties, compatibility, change settings for all users, Run this program as an administrator. This will allow you to use Domain Admins.

    Reply
    1. Jack Post author

      While you can achieve the same result this way, running the entire program with administrative privileges is not recommended for security reasons.

      Jack

      Reply
  3. tahirm

    i got this error during installation SCCM 2012 can you fix tell me step by step please

    omGetServerRoleAvailabilityState could not read from the registry on SCCM.domain.com; error = 5: $$

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *