Security

Now that you have installed an SMS Administrator console on a computer other than the site server, any user who can run the MMC executable file on the computer can access the console. However, without permission to access the SMS site database, and without the appropriate security rights to SMS objects, unauthorized users cannot connect to the SMS site database or view data in the details pane of the SMS Administrator console.

At this point, you must grant security permissions to the users whom you want to use the console. The following sections summarize the security-related options required to use a remote SMS Administrator console.

SMS Data Access

SMS creates the SMS Admins local user group on the site server when SMS is installed. If the SMS site database and SMS Provider are on a site system other than the site server, SMS also creates the SMS Admins group on that computer. SMS Admins is granted access permission to the SMS site database (through the SMS Provider). A local SMS Admins group is created on any computer that has the SMS Administrator console installed.

To use an SMS Administrator console, a user must be a member of SMS Admins, or must have been granted equivalent access directly or through membership in a user group that has it. Because SMS Admins is a local group, an administrator must be a member of SMS Admins on both the site server and the site database server when these are different computers. You might find that membership in a user group that has rights to SMS data is a convenient way to handle access permission.

Alternatively, you might, as part of your overall security approach, prefer to grant permission to individual users. To do so, run Winnt\System32\WBEM\Wbemperm.exe to grant individuals access to the SMS Provider. With this tool, you can grant SMS site database access directly to users and user groups. Grant the Write Instance and Execute Methods permissions on the SMS Provider to any user who needs to connect through the console.

For more information about SMS security issues, see Chapter 4, “Creating Your SMS Security Strategy” in the SMS 2.0 Administrator’s Guide.

SMS Object Security Rights

You should grant users the appropriate security rights to the SMS objects required for the users to perform their tasks. For example, you can grant a help desk administrator account the right to read and remotely control clients in one or more collections in your site.

You grant security rights on SMS object classes and instances. A class refers to all objects of a given kind; an instance is a single object in that class. You can grant a user (or user group) security rights to a class of objects or to individual instances of that class. For example, all SMS collections collectively constitute the SMS Collection class, and any single collection is an instance of that class. If you grant rights to the SMS Collection class, the user has those rights on every collection, including collections created later, not just on one.

Most administrators will not grant users broad security rights to classes, instead preferring to grant more extensive security permissions at the instance level. As an example, you might grant Read permission for the SMS Collection class to your help desk administrator group, but grant the Use Remote Control permission only for specific collection instances. This approach permits more granular control over security rights to SMS objects.

Extending Rights to the Local Group

When you grant security permissions, place your administrators in global user groups, and grant those global groups only minimal SMS security rights. Grant the more extensive security rights to a local user group instead, and then make the global user group a member of that local user group. With this approach you do not have to grant and revoke security permissions on individual user accounts or on each global group; users obtain the necessary permissions through the membership of their global group in the local group.
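The following script is an added example, not part of the SMS 2.0 Administrator's Guide, showing the group nesting described in this section and in "SMS Data Access" with the net.exe commands available on the site server: accounts go into a global group, and the global group goes into the local SMS Admins group on each computer that hosts the SMS Provider. The domain name CORP, the global group "SMS Help Desk", the account jdoe and the computer the script is run on are assumptions; the first two commands must be run by an account that can modify domain groups, and the remaining commands by a local administrator on each provider computer.

```batch
@echo off
rem Added example, not from the SMS 2.0 Administrator's Guide. Accounts go into a
rem global group, the global group goes into the local SMS Admins group, and the
rem global group itself carries only minimal SMS rights.
rem Assumptions: domain CORP, global group "SMS Help Desk", account jdoe, and
rem this script is run as a local administrator on each computer that hosts the
rem SMS Provider (the site server, and the site database server if separate).
setlocal
set DOMAIN=CORP
set GLOBALGROUP=SMS Help Desk

rem Step 1 (once, by an account that can modify domain groups): create the
rem global group and put the administrator accounts in it. /domain directs the
rem change to the domain controller rather than to the local SAM.
net group "%GLOBALGROUP%" /add /domain /comment:"Staff allowed to use the SMS Administrator console"
net group "%GLOBALGROUP%" jdoe /add /domain

rem Step 2 (on every provider computer): the local SMS Admins group must already
rem exist, because SMS Setup creates it. Refuse to continue if it does not, so
rem that running this on the wrong computer does not silently create a group.
net localgroup "SMS Admins" >nul 2>&1
if errorlevel 1 (
    echo SMS Admins is not present on %COMPUTERNAME%; is the SMS Provider installed here?
    exit /b 1
)
net localgroup "SMS Admins" "%DOMAIN%\%GLOBALGROUP%" /add

rem Step 3: verify. Members of SMS Admins get SMS Provider access, so confirm
rem the global group was added and review the full member list.
net localgroup "SMS Admins" | find /i "%GLOBALGROUP%" >nul
if errorlevel 1 (
    echo %DOMAIN%\%GLOBALGROUP% is not a member of SMS Admins on %COMPUTERNAME%
    exit /b 1
)
echo %DOMAIN%\%GLOBALGROUP% can now open the SMS Administrator console against %COMPUTERNAME%
net localgroup "SMS Admins"
endlocal
```

Run step 1 once, and steps 2 and 3 while logged on to each of the site server and the site database server, because net localgroup has no option to act on a remote computer. Since any user who can start the console can open it, the membership list printed at the end is the effective access control for SMS data on that computer; review it for accounts and groups that should not be there.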