Previous Section
 < Day Day Up > 
Next Section


Accounts and Groups

As we've seen throughout this book, SMS uses a variety of accounts to perform various tasks. Some of these accounts might be created by you, such as a Client Connection account; others are created by SMS automatically, such as the SMS Server Connection account. The number of accounts that SMS creates and requires depends largely on the security mode you've selected. As we've seen, advanced security mode only requires the local system account and computer account.

You can categorize the various accounts that SMS can use in many ways. I have broken these down into four categories as follows:

In this section we'll review each of these account categories in more detail.

Accounts Common to Advanced and Standard Security

Three user accounts and six group accounts used at the SMS server level are common to both advanced and standard security. These are described in Tables 17-5 and 17-6.

Table 17.5: User accounts common to advanced and standard security

Account Type

Account Name

Description

Local System

N/A

Required account.

Used to run SMS client and server processes and services.

Used to run SMS Advanced Client and server processes in Advanced Security.

Client Push Installation

Administrator's choice

Optional account.

Used to install SMS components on Legacy Client computers when the SMS Service account doesn't have appropriate rights on the client computer. Can be identified for use by Advanced Clients as well.

Default for Legacy Client: SMS Service Account.

Default for Advanced Client: client computer account.

Site Address

Administrator's choice

Optional account.

Used for site-to-site communications.

Default for standard security: SMS Service account.

Default for advanced security: site server computer account.

Table 17.6: Group accounts common to advanced and standard security

Account Type

Account Name

Description

SMS Administrators

SMS Admins

Used to provide access to the SMS Provider through WMI to launch the SMS Administrator Console and access the SMS site database.

Internal Client Group

SMSInternalCliGrp

Contains the client token and client service accounts on domain controllers (domain controllers require that all user accounts belong to a group).

Reporting Users

SMS Reporting Users

Controls user access to SMS. Reports through the reporting point.

Site System To Site Server Connection

SMS_SiteSystem- ToSiteServerConnection _sitecode

Provides site systems access to site server resources.

Site System To SQL Server Connection

SMS_SiteSystem- ToSSQLConnection_ sitecode

Provides management points, server locator points, and reporting points access to the SMS site database server.

Site To Site Connection

SMS_SiteToSite- Connection_sitecode

Facilitates communications between sites in an SMS hierarchy. Default members are site address accounts.

Accounts Specific to Advanced Security

When we talk about advanced security, we usually refer to the local system account and the computer account. Strictly speaking, the local system account is sometimes used while running standard security. However, I'm including it here to emphasize its purpose under advanced security. Table 17.7 summarizes these two accounts.

Table 17.7: Accounts specific to advanced security

Account Type

Account Name

Description

Local System

N/A

Used to run SMS client and server processes and services.

Used to run SMS Advanced Client and server processes in Advanced Security.

Computer

Machinename$

Used by SMS computers to communicate with other SMS computers.

Accounts Specific to Standard Security

Like SMS 2.0, SMS 2003 running in standard security mode uses many accounts to carry out various tasks on the server and on the client. Table 17.8 summarizes these accounts.

Table 17.8: Accounts specific to standard security

Account Type

Account Name

Description

SMS Service

SMSService by default, but also administrator's choice

Used to run SMS site server processes and services.

Server Connection

SMSServer_sitecode

Used to provide CAPs access to the site server.

Site System Connection

Administrator's choice

Optional account.

Used to provide sites servers access to site systems. SMS Service account is used by default.

Remote Service

SMSSvc_sitecode_xxxx

Used to run the SMS Executive service on remote CAPs and the SQL Monitor service on an SMS database server that isn't the site server.

SMS Service Account

Here's a bit more about the SMS Service account as you're likely to encounter it if you're upgrading from an SMS 2.0 site or need to maintain downward compatibility within your SMS hierarchy for a time. The SMS Service account is the primary account created by SMS in standard security mode. Site server services use this account to create shares and directories on site systems, set permissions, copy files, install services and components, and verify operation of the site system. Specifically, the SMS Executive, SMS Site Component Manager, SMS Site Backup, SMS SQL Monitor, and SMS Client Configuration Manager all use this account. The SMS Service account is created when the SMS site server is installed. By default, it's named SMSService and made a member of the local Administrators group on the site server as well as the Domain Admins and Domain Users groups in the Windows domain the site server belongs to. Because the account is a domain administrator, you should probably rename it and provide password protection with a complex password composed of alphanumeric and special characters. (Just don't forget the password.)

Tip 

One way to increase security for your Windows domain is to remove the SMS Service account from the Domain Admins group and add it directly to the local Administrators groups on the site server, the server running SQL, CAP, logon point, and software metering server. If you aren't using a Client Push Installation account, add the SMS Service account to the local Administrators group on every SMS Legacy Client as well.

If your SMS site systems are members of trusted Windows domains, you can use the same SMS Service account throughout your site hierarchy for convenience. However, if SMS sites and site systems are in untrusted Windows domains, you must create the account separately in each domain. Although this won't be a concern with Windows 2000 or higher domains, trust relationships might well be a concern if you still need to support Windows NT 4.0 domains. For example, the SMS Service account is used to access the SMS database on the server running SQL. If the server running SQL happens to be in a different, untrusted Windows domain than the SMS site server, SMS will need to use Windows' pass-through authentication method to gain access to the server running SQL. This means that you'll need to create the SMS Service account in the domain of the server running SQL using the same account name and password that are used on the site server.

Caution 

Do not change this account through the Windows account management tools-for example, the User Manager For Domains utility in Windows NT 4.0. If you need to rename the account or change the password, do so using the Reset function of SMS Setup. This method will ensure that all the SMS services are properly updated with the changed account information.

SQL Server Account

The SQL Server account, created by SQL Server during its installation, is used to provide SMS services with access to the SMS database and the software metering database. The type of account that's used depends on whether or not you're using Windows Authentication mode when accessing SQL Server. Recall from Chapter 2 that you need to tell SMS which security method you've enabled for SQL Server in order for SMS to establish the correct account to use.

By and large, you manage SQL Server accounts through SQL Server Enterprise Manager. If you need to change the account for SMS, first establish the account in SQL Server and then update SMS with the new account information, as shown here:

  1. In the SMS Administrator Console, navigate to the sitecode - site name entry under Site Hierarchy.

  2. Right-click the site entry and choose Properties from the context menu to display the Site Properties dialog box.

  3. Select the Accounts tab, shown in Figure 17.3. In the SQL Server Account section, click Set and supply the new account name and password in the SQL Server Account dialog box.

    Click To expand
    Figure 17.3: The Accounts tab of the Site Properties dialog box.

  4. Choose OK to save the change and update SMS.

SMS Site Address Account

Here's more information about the site address accounts. The SMS Site Address account is used to establish communications between a parent site and a child site in an SMS hierarchy for the purpose of forwarding data such as discovery data records (DDRs), site control information, inventory, and packages. (Refer to Chapter 4, 'Multiple-Site Structures,' for more information about the communications process.) Although the SMS Service account can be used to accomplish this task, it's generally recommended that the SMS administrator create a separate account specifically for the purpose of intersite communications. This account can be made fairly secure as well because it need not be a member of the Domain Admins group. In fact, the account needs only Read, Write, Execute, and Delete permissions on the SMS_SITE share (SMS\Inboxes\Despoolr.box\Receive), so it could be simply a guest account with the appropriate permissions to the share.

Server Connection Account

SMS creates the SMS Server Connection account automatically during installation of the site server, and remote site systems use it to connect back to the site server to transfer information. The Inbox Manager Assistant component on CAPs uses this account to transfer client data to appropriate inboxes on the site server. The SMS Provider also uses this account to access SMS directories on the site server as well as the package definition file (PDF) store.

The SMS Server Connection account is named SMSServer_sitecode and is assigned a randomly generated password. Do not modify this account in any way. In fact, it's a best practice not to modify any account created and maintained by SMS itself.

If you change the password for the SMS Server Connection account, you can reset it by running the Reset routine through SMS Setup. However, if you delete the account, calling Reset won't restore it. Instead, you'll need to reinstall SMS.

Accounts Specific to SMS Clients

The accounts used by SMS clients fall into three categories: those common to both the Advanced and Legacy Clients, those specific to the Advanced Client, and those specific to the Legacy Client. As you might have come to expect, the Advanced Client requires far fewer accounts than the Legacy Client does. Table 17.9 summarizes these accounts for you.

Table 17.9: Accounts specific to SMS clients

Account Type

Account Name

Description

Accounts Common to Advanced and Legacy Clients

Client Configuration Manager (CCM) Boot Loader (Nondomain Controller)

SMSCCMBootAcct&

Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that isn't a domain controller.

CCM Boot Loader (Domain Controller)

SMS#_domaincontroller

Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that's a domain controller.

Accounts Specific to Advanced Clients

Advanced Client Network Access

Administrator's choice

Optional account.

Used by the Advanced Client when an advertised program needs to access a share on a server other than the distribution point. The account is a domain account and must have appropriate permissions on the appropriate shares.

Accounts Specific to Legacy Clients

Client Services (Domain Controller)

SMS$_domaincontroller

Used by SMS client services specifically on domain controllers that are also SMS clients.

Client Service (Nondomain Controller)

SMSCliSvcAcct&

Used by SMS client services on domain SMS clients that aren't domain controllers.

Client User Token (Domain Controller)

SMSCliToknAcct&

Used by SMS client services to execute various component functions on a domain controller installed as a Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package.

Client User Token (Nondomain Controller)

SMSCliToknLocalAcct&

Used by SMS client services to execute various component functions on the Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package.

Client Connection

SMSClient_sitecode

Used by SMS client components running on Legacy Clients to connect to CAPs and distribution points to transfer data such as inventory or client configuration updates.

Legacy Client Software Installation

Administrator's choice

Optional account.

Used by SMS in lieu of the SMS User Token to install an advertised program on a Legacy Client in an administrator security context when additional network access is required.

Client User Token Account

Here's a bit more detail about the Client User Token account. When programs are executed at the Standard Client computer, they will run under the local user account's security context. Since most users are logged on as users and not as administrators, these programs will run under the local user context. Although this isn't such a big deal for non-Windows systems and for Windows 98 clients, it can be a big issue on Windows NT 4.0 and later clients because they maintain a local account database and provide more security over system modifications such as program installation. Thus, the security context poses a problem when dealing with SMS packages.

When you identify a program to SMS as requiring an administrator context to execute it, SMS uses the Client User Token account, named SMSCliToknAcct& if the client is a domain controller and SMSCliToknLocalAcct& if the client isn't a domain controller, to create a user token on the client with sufficient access to run the program. This internal account is created automatically, assigned a random password, and granted the Act As Part Of The Operating System, Log On As A Service, and Replace A Process Level Token user rights on the client. This account will be sufficient in most cases. Recall from Chapter 12, however, that if the program execution requires that the program connect to network resources other than the distribution point, the client user token account will fail because it's created as a local account rather than as a domain account. In this case you should use the SMS Legacy Client Software Installation account. (See Chapter 12 for a complete discussion of installation accounts.)



Previous Section
 < Day Day Up > 
Next Section