Microsoft KB Archive/252674

From BetaArchive Wiki
Knowledge Base

Article ID: 252674

Article Last Modified on 10/27/2006


  • Microsoft Systems Management Server 2.0 Standard Edition
  • Microsoft Systems Management Server 2.0 Service Pack 1
  • Microsoft Systems Management Server 2.0 Service Pack 2

This article was previously published under Q252674


After Microsoft Systems Management Server (SMS) 2.0 is installed and configured, the local administrator and user who installed SMS have full access to the SMS database through the SMS Administrator console. SMS is a program that can be very useful for a help desk. For SMS to have help-desk functionality, appropriate permissions must be assigned.


SMS creates the SMS Admins local user group on the site server when it is installed. If the SMS site database and SMS provider are on another computer, SMS also creates the SMS Admins group on that computer. The SMS Administrator console runs only on a Microsoft Windows NT-based computer.

To set up an SMS Administrator console for a help-desk administrator, make sure that you perform all of the following tasks:

  • Create a Help Desk Administrator global group with Windows NT User Manager for Domains.
  • Add help-desk staff to this global group.
  • Add the Help Desk Administrator global group to the SMS Admins local group on both the site server and on the site database server.

    This allows the SMS Administrator console to connect to the SMS database. Windows NT User Manager for Domains is used to add a help-desk administrator to the SMS Admins local group. If the Help Desk Administrator global group is not added to the SMS Admins local group, the SMS Administrator console displays the following message:

    Connection Failed

  • Ensure that appropriate security rights to SMS security objects (collection, package, advertisement, site, query, and status) are assigned to view data in the details pane of the SMS Administrator console. If not, those security objects cannot be expanded.

Each security object is divided into two categories, such as Classes and Instances. Each class consists of many instances. For example, collection is a class. Microsoft Windows 98 computer collection is an instance. The Security Rights menu in the SMS Administrator console is used to grant class and instance rights.

There are 12 different permissions that can apply to classes and instances:

CreateAdministratorDelete DistributeUse Remote ToolsAdvertiseRead Read ResourceModifyModify ResourceDelete ResourceView Collected Files

Create and Administrator apply only to classes. Most permissions apply to both classes and instances.

By default, the SMS snap-in offers you access to the full range of SMS functionality. You can create a customized Microsoft Management Console (MMC) to meet your organization's needs. By combining a customized console with the security permissions mentioned earlier in this section, appropriate help-desk security and functionality can be implemented.


For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

200670 Customizing the Systems Management Server Administrator Console

230263 How to Create Custom MMC Snap-in Tools Using Microsoft Management Console

199869 SMS: Assigning Class and Instance Security Rights with the SMS User Wizard

Additional query words: prodsms

Keywords: kbhowto kbinfo KB252674