Preventing accidental Task Sequence OSD

I have a task sequence (UDI) configured to reimage a computer with out Windows 7 image. I'd like to advertise it to all workstations to make it easy for our other sysadmins to reimage computers, but i also obviously want to prevent end-users from re-imaging computers themselves.
 
What is the best way to enable our other sysadmins to run these task sequences while preventing end-users from running them? I want the sysadmins to be able to PXE boot any system to reimage without needing me to add it to a collection.
 
I imagine this is a common scenario, what do you do?

I use unknown computer support and advertise the task sequence to the all unknown computer collections. I allow them to delete a system from SCCM then all they need to do is PXE boot the system to reimage. If they inadvertently delete a system from SCCM no worries because discovery will add it back. 

That is the same that I do.  I would like to get it where I had the option of doing it without deleting it. I have a DaRT WinPE boot disc that boots from PXE.  I would like to have that option available for our techs as well. Perhaps with SCCM 2012 we could tie it to the user?

You could advertise it but limit the TS itself to only show on Operating Systems you don't have in your environment (i.e. Vista x64 Original Release).  The TS would still be available, just wouldn't show up within Run Advertised Programs.  But, if the user PXE boots, there will be an active advertisement that they can use.  As always, make sure to NOT make the advert Mandatory (you know, unless you like job interviews).  :)
 

We sort of do this with our loaners. We advertise the sequence but only allow it to run on some obscure OS that we dont use. Like Win 2000. This way it wont run on the Win 7 PCs unless forced via PXE by an admin. It works, there are probably safer ways but it gets the job done.

Just can always build in a belt and braces approach as I do. I also set some obscure platform requirement that we don't have but I also build this into my PXE task sequences: http://support.microsoft.com/kb/2000656 in the case that some other admin forgot to limit it to 'not used' platform.

Yeah, I set a platform restriction so it can only run on Vista machines (our computers are all either XP or Win7) and make it available to PXE. I also have collections set up for each computer model we have in use (there are some different roles that use different machines, and require different software installed as part of their TS).
 
I kind of just guessed when I set this up, so I'm happy to see this is the generally-accepted practice for doing this!

we do it this way and it works great
 
How can I password Protect a Task Sequence ?
Password Protecting a Task Sequence
 
and if you want to obfuscate the password look at this post

Are there any benefits to launching the TS from within Windows, though? I feel like it's easier to just disable it from your commonly-used platforms.

i would have to disagree.. TS via teh OS is the way to go for any "sequence process" :)

Okay, but... why? I'm curious. It works very well the way I have it set up, so I'd honestly like to know what the advantages are to doing it the other way, so I can change our method accordingly.

We created a "Enter Username and Password" Dialog box to a script that runs as a Custom Media Hook, so it will launch before the task sequence. Once the user enters their credentials it checks to see if that user is part of an AD Group. If the user is the group they are allowed to perform builds. If not then the exits the task sequence.
 
One Note about deleting systems from SCCM DB. if you have the users run State Capture to a SMP you will LOSE the recovery key. We learned this the hard way. We have 2 .MIG files with all the users data that cannot be accessed.

There are oodles of ways to do this
 
If you are using PXE, UCS and SCCM then you will hopefully have read, understood and inwardly digested  - at the bottom I comment that prevention is better than cure and here are some ways