SMS: Members of Global User Groups Do Not Inherit Permissions

• Microsoft Systems Management Server version 2.0

SYMPTOMS

When you assign a global user group Systems Management Server class or instance rights on the Security Rights tab of the Systems Management Server Administrator's Console or the Systems Management Server User Wizard, the individual members of the global user group do not inherit the permissions you gave to the global user group.

In addition, when you give global user groups WBEM permissions using the Wbemperm.exe program or you add the global user group to the SMS Admins local group, the individual members of the global user group do not inherit the permissions of the global user group.

For example: If you make the USER1 domain user a member of the GLOBALUSERGROUP1 group, and then you give the GLOBALUSERGROUP1 group full Systems Management Server Administrator's Console class and instance rights, USER1 is not able to gain access to the nodes of the Systems Management Server console.

If you add the GLOBALUSERGROUP1 group to the SMS Admins local group on the server where the Systems Management Server provider is located or given WBEM permissions using the Wbemperm.exe program, USER1 is unable to connect to the provider.

WORKAROUND

To assign permissions to global groups:

1. Create a local group on the server that is running the Systems Management Server provider. This server can be the site server or the SQL server if Systems Management Server and SQL server are on separate computers.
   
   NOTE: The Smssetup.log file on the site server names the location of the Systems Management Server provider service.



2. Use the Wbemperm.exe program on the server that is running the Systems Management Server provider to add the local group created in step 1 to grant access to WBEM. When you add the group, make sure you click to selece both the Enabled and Execute Methods check boxes and the Schema Access Level is set to Write Instance. The SMS Admins local group has the same settings.



3. Use the Systems Management Server Administrator console to assign permissions to the local group you created in step 1. Use the following format:

   servername\localgroupname

   You receive two error messages when you do this. The first error message states that the user can not be verified. The second error message states that the user cannot be added to the SMS Admins group. These error messages do not stop the procedure from working correctly.

STATUS

Microsoft has confirmed this to be a problem in Systems Management Server version 2.0. This problem has been corrected in the latest U.S. service pack for Systems Management Server version 2.0. For information on obtaining the service pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

S E R V P A C K

MORE INFORMATION

For information about the Sysems Management Server provider and console security, please see the following article in the Microsoft Knowledge Base:

Q201126 Troubleshooting Connectivity to the SMS Site Database

Additional query words: prodsms can't connect fail global groups trusted sp1

Keywords : kbenv kbnetwork kbSecurity kbSMS200 kbSMS200bug kbWEBM
Version : winnt:2.0
Platform : winnt
Issue type : kbbug