When trying to move a machine in the Management Console, lower privileged users that have no server permissions find that they get are unable to. They see this error message:
Error shown: Access Denied. User <username> must have one of the permissions 'ServerAdministrator, GroupAdministrator, GroupModifier'.
This has been noted as being an issue after upgrading to Management Center 10.1 from a previous version though the upgrade is not a cause in this case.
The cause for this issue is that the ExpectedGroupFK is NULL on the record for the machine in the Management Server database. Machines exist in the dbo.Machines table as single records from Management Server FR 2 onwards. Machines will have this state if they are installed using a msiexec command line or manually installed on endpoints by running through the MSI installation procedure.
There are currently a few ways to avoid this issue:
- After machines show up in the Management Console, use the Right-Click > Poll Now action which fills out the ExpectedGroupFK.
- To avoid running into this altogether, use one of the other means to get machines into the Management Center:
- Use membership rules to gather machines
- Manually add machines after they exist in Active Directory but before they have the CCA installed
- Give the user ServerAdministrator permissions and have them restart the console. This will likely be the least viable option.
This is currently being investigated further by Support. If you see this issue, please raise this as a support case with a reference to this article and confirmation if any of the workarounds worked for you.