< Day Day Up > |
As we've seen throughout this book, SMS uses a variety of accounts to perform various tasks. Some of these accounts might be created by you, such as a Client Connection account; others are created by SMS automatically, such as the SMS Server Connection account. The number of accounts that SMS creates and requires depends largely on the security mode you've selected. As we've seen, advanced security mode only requires the local system account and computer account.
You can categorize the various accounts that SMS can use in many ways. I have broken these down into four categories as follows:
Accounts common to both advanced and standard security
Accounts specific to advanced security
Accounts specific to clients (advanced and standard security)
In this section we'll review each of these account categories in more detail.
Three user accounts and six group accounts used at the SMS server level are common to both advanced and standard security. These are described in Tables 17-5 and 17-6.
Account Type |
Account Name |
Description |
---|---|---|
Local System |
N/A |
Required account. Used to run SMS client and server processes and services. Used to run SMS Advanced Client and server processes in Advanced Security. |
Client Push Installation |
Administrator's choice |
Optional account. Used to install SMS components on Legacy Client computers when the SMS Service account doesn't have appropriate rights on the client computer. Can be identified for use by Advanced Clients as well. Default for Legacy Client: SMS Service Account. Default for Advanced Client: client computer account. |
Site Address |
Administrator's choice |
Optional account. Used for site-to-site communications. Default for standard security: SMS Service account. Default for advanced security: site server computer account. |
Account Type |
Account Name |
Description |
---|---|---|
SMS Administrators |
SMS Admins |
Used to provide access to the SMS Provider through WMI to launch the SMS Administrator Console and access the SMS site database. |
Internal Client Group |
SMSInternalCliGrp |
Contains the client token and client service accounts on domain controllers (domain controllers require that all user accounts belong to a group). |
Reporting Users |
SMS Reporting Users |
Controls user access to SMS. Reports through the reporting point. |
Site System To Site Server Connection |
SMS_SiteSystem- ToSiteServerConnection _sitecode |
Provides site systems access to site server resources. |
Site System To SQL Server Connection |
SMS_SiteSystem- ToSSQLConnection_ sitecode |
Provides management points, server locator points, and reporting points access to the SMS site database server. |
Site To Site Connection |
SMS_SiteToSite- Connection_sitecode |
Facilitates communications between sites in an SMS hierarchy. Default members are site address accounts. |
When we talk about advanced security, we usually refer to the local system account and the computer account. Strictly speaking, the local system account is sometimes used while running standard security. However, I'm including it here to emphasize its purpose under advanced security. Table 17.7 summarizes these two accounts.
Account Type |
Account Name |
Description |
---|---|---|
Local System |
N/A |
Used to run SMS client and server processes and services. Used to run SMS Advanced Client and server processes in Advanced Security. |
Computer |
Machinename$ |
Used by SMS computers to communicate with other SMS computers. |
Like SMS 2.0, SMS 2003 running in standard security mode uses many accounts to carry out various tasks on the server and on the client. Table 17.8 summarizes these accounts.
Account Type |
Account Name |
Description |
---|---|---|
SMS Service |
SMSService by default, but also administrator's choice |
Used to run SMS site server processes and services. |
Server Connection |
SMSServer_sitecode |
Used to provide CAPs access to the site server. |
Site System Connection |
Administrator's choice |
Optional account. Used to provide sites servers access to site systems. SMS Service account is used by default. |
Remote Service |
SMSSvc_sitecode_xxxx |
Used to run the SMS Executive service on remote CAPs and the SQL Monitor service on an SMS database server that isn't the site server. |
Here's a bit more about the SMS Service account as you're likely to encounter it if you're upgrading from an SMS 2.0 site or need to maintain downward compatibility within your SMS hierarchy for a time. The SMS Service account is the primary account created by SMS in standard security mode. Site server services use this account to create shares and directories on site systems, set permissions, copy files, install services and components, and verify operation of the site system. Specifically, the SMS Executive, SMS Site Component Manager, SMS Site Backup, SMS SQL Monitor, and SMS Client Configuration Manager all use this account. The SMS Service account is created when the SMS site server is installed. By default, it's named SMSService and made a member of the local Administrators group on the site server as well as the Domain Admins and Domain Users groups in the Windows domain the site server belongs to. Because the account is a domain administrator, you should probably rename it and provide password protection with a complex password composed of alphanumeric and special characters. (Just don't forget the password.)
Tip |
One way to increase security for your Windows domain is to remove the SMS Service account from the Domain Admins group and add it directly to the local Administrators groups on the site server, the server running SQL, CAP, logon point, and software metering server. If you aren't using a Client Push Installation account, add the SMS Service account to the local Administrators group on every SMS Legacy Client as well. |
If your SMS site systems are members of trusted Windows domains, you can use the same SMS Service account throughout your site hierarchy for convenience. However, if SMS sites and site systems are in untrusted Windows domains, you must create the account separately in each domain. Although this won't be a concern with Windows 2000 or higher domains, trust relationships might well be a concern if you still need to support Windows NT 4.0 domains. For example, the SMS Service account is used to access the SMS database on the server running SQL. If the server running SQL happens to be in a different, untrusted Windows domain than the SMS site server, SMS will need to use Windows' pass-through authentication method to gain access to the server running SQL. This means that you'll need to create the SMS Service account in the domain of the server running SQL using the same account name and password that are used on the site server.
Caution |
Do not change this account through the Windows account management tools-for example, the User Manager For Domains utility in Windows NT 4.0. If you need to rename the account or change the password, do so using the Reset function of SMS Setup. This method will ensure that all the SMS services are properly updated with the changed account information. |
The SQL Server account, created by SQL Server during its installation, is used to provide SMS services with access to the SMS database and the software metering database. The type of account that's used depends on whether or not you're using Windows Authentication mode when accessing SQL Server. Recall from Chapter 2 that you need to tell SMS which security method you've enabled for SQL Server in order for SMS to establish the correct account to use.
By and large, you manage SQL Server accounts through SQL Server Enterprise Manager. If you need to change the account for SMS, first establish the account in SQL Server and then update SMS with the new account information, as shown here:
In the SMS Administrator Console, navigate to the sitecode - site name entry under Site Hierarchy.
Right-click the site entry and choose Properties from the context menu to display the Site Properties dialog box.
Select the Accounts tab, shown in Figure 17.3. In the SQL Server Account section, click Set and supply the new account name and password in the SQL Server Account dialog box.
Figure
17.3: The Accounts tab of the Site Properties dialog
box.
Choose OK to save the change and update SMS.
Here's more information about the site address accounts. The SMS Site Address account is used to establish communications between a parent site and a child site in an SMS hierarchy for the purpose of forwarding data such as discovery data records (DDRs), site control information, inventory, and packages. (Refer to Chapter 4, 'Multiple-Site Structures,' for more information about the communications process.) Although the SMS Service account can be used to accomplish this task, it's generally recommended that the SMS administrator create a separate account specifically for the purpose of intersite communications. This account can be made fairly secure as well because it need not be a member of the Domain Admins group. In fact, the account needs only Read, Write, Execute, and Delete permissions on the SMS_SITE share (SMS\Inboxes\Despoolr.box\Receive), so it could be simply a guest account with the appropriate permissions to the share.
SMS creates the SMS Server Connection account automatically during installation of the site server, and remote site systems use it to connect back to the site server to transfer information. The Inbox Manager Assistant component on CAPs uses this account to transfer client data to appropriate inboxes on the site server. The SMS Provider also uses this account to access SMS directories on the site server as well as the package definition file (PDF) store.
The SMS Server Connection account is named SMSServer_sitecode and is assigned a randomly generated password. Do not modify this account in any way. In fact, it's a best practice not to modify any account created and maintained by SMS itself.
If you change the password for the SMS Server Connection account, you can reset it by running the Reset routine through SMS Setup. However, if you delete the account, calling Reset won't restore it. Instead, you'll need to reinstall SMS.
The accounts used by SMS clients fall into three categories: those common to both the Advanced and Legacy Clients, those specific to the Advanced Client, and those specific to the Legacy Client. As you might have come to expect, the Advanced Client requires far fewer accounts than the Legacy Client does. Table 17.9 summarizes these accounts for you.
Account Type |
Account Name |
Description |
---|---|---|
Accounts Common to Advanced and Legacy Clients |
||
Client Configuration Manager (CCM) Boot Loader (Nondomain Controller) |
SMSCCMBootAcct& |
Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that isn't a domain controller. |
CCM Boot Loader (Domain Controller) |
SMS#_domaincontroller |
Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that's a domain controller. |
Accounts Specific to Advanced Clients |
||
Advanced Client Network Access |
Administrator's choice |
Optional account. Used by the Advanced Client when an advertised program needs to access a share on a server other than the distribution point. The account is a domain account and must have appropriate permissions on the appropriate shares. |
Accounts Specific to Legacy Clients |
||
Client Services (Domain Controller) |
SMS$_domaincontroller |
Used by SMS client services specifically on domain controllers that are also SMS clients. |
Client Service (Nondomain Controller) |
SMSCliSvcAcct& |
Used by SMS client services on domain SMS clients that aren't domain controllers. |
Client User Token (Domain Controller) |
SMSCliToknAcct& |
Used by SMS client services to execute various component functions on a domain controller installed as a Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package. |
Client User Token (Nondomain Controller) |
SMSCliToknLocalAcct& |
Used by SMS client services to execute various component functions on the Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package. |
Client Connection |
SMSClient_sitecode |
Used by SMS client components running on Legacy Clients to connect to CAPs and distribution points to transfer data such as inventory or client configuration updates. |
Legacy Client Software Installation |
Administrator's choice |
Optional account. Used by SMS in lieu of the SMS User Token to install an advertised program on a Legacy Client in an administrator security context when additional network access is required. |
Here's a bit more detail about the Client User Token account. When programs are executed at the Standard Client computer, they will run under the local user account's security context. Since most users are logged on as users and not as administrators, these programs will run under the local user context. Although this isn't such a big deal for non-Windows systems and for Windows 98 clients, it can be a big issue on Windows NT 4.0 and later clients because they maintain a local account database and provide more security over system modifications such as program installation. Thus, the security context poses a problem when dealing with SMS packages.
When you identify a program to SMS as requiring an administrator context to execute it, SMS uses the Client User Token account, named SMSCliToknAcct& if the client is a domain controller and SMSCliToknLocalAcct& if the client isn't a domain controller, to create a user token on the client with sufficient access to run the program. This internal account is created automatically, assigned a random password, and granted the Act As Part Of The Operating System, Log On As A Service, and Replace A Process Level Token user rights on the client. This account will be sufficient in most cases. Recall from Chapter 12, however, that if the program execution requires that the program connect to network resources other than the distribution point, the client user token account will fail because it's created as a local account rather than as a domain account. In this case you should use the SMS Legacy Client Software Installation account. (See Chapter 12 for a complete discussion of installation accounts.)
< Day Day Up > |