Microsoft KB Archive/252674
Article ID: 252674
Article Last Modified on 10/27/2006
- Microsoft Systems Management Server 2.0 Standard Edition
- Microsoft Systems Management Server 2.0 Service Pack 1
- Microsoft Systems Management Server 2.0 Service Pack 2
This article was previously published under Q252674
After Microsoft Systems Management Server (SMS) 2.0 is installed and configured, the local administrator and user who installed SMS have full access to the SMS database through the SMS Administrator console. SMS is a program that can be very useful for a help desk. For SMS to have help-desk functionality, appropriate permissions must be assigned.
SMS creates the SMS Admins local user group on the site server when it is installed. If the SMS site database and SMS provider are on another computer, SMS also creates the SMS Admins group on that computer. The SMS Administrator console runs only on a Microsoft Windows NT-based computer.
To set up an SMS Administrator console for a help-desk administrator, make sure that you perform all of the following tasks:
- Create a Help Desk Administrator global group with Windows NT User Manager for Domains.
- Add help-desk staff to this global group.
- Add the Help Desk Administrator global group to the SMS Admins local group on both the site server and on the site database server.
This allows the SMS Administrator console to connect to the SMS database. Windows NT User Manager for Domains is used to add a help-desk administrator to the SMS Admins local group. If the Help Desk Administrator global group is not added to the SMS Admins local group, the SMS Administrator console displays the following message:
- Ensure that appropriate security rights to SMS security objects (collection, package, advertisement, site, query, and status) are assigned to view data in the details pane of the SMS Administrator console. If these rights are not assigned, those security objects cannot be expanded.
Each security object is divided into two categories: classes and instances. Each class consists of many instances. For example, collection is a class, and the Microsoft Windows 98 computer collection is an instance of that class. The Security Rights menu in the SMS Administrator console is used to grant class and instance rights.
There are 12 different permissions that can apply to classes and instances:
- Create
- Administrator
- Delete
- Distribute
- Use Remote Tools
- Advertise
- Read
- Read Resource
- Modify
- Modify Resource
- Delete Resource
- View Collected Files
Create and Administrator apply only to classes. Most permissions apply to both classes and instances.
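The following Python sketch is an added example, not SMS code and not part of the original article. It models the class and instance rights described above so that a proposed help-desk assignment can be checked before it is entered in the console. The grant tuples, the instance names, the rule that a class right covers every instance of the class, and the "Read only at class level" review policy are assumptions made for the example.

```python
# Added example: a model of the class/instance rights in this article, not SMS code.
PERMISSIONS = {
    "Create", "Administrator", "Delete", "Distribute", "Use Remote Tools",
    "Advertise", "Read", "Read Resource", "Modify", "Modify Resource",
    "Delete Resource", "View Collected Files",
}
CLASS_ONLY = {"Create", "Administrator"}  # the article: these apply only to classes
OBJECT_CLASSES = {"collection", "package", "advertisement", "site", "query", "status"}

HELP_DESK = "Help Desk Administrator"
# Constructed grants: (principal, object class, instance or None for class-level, permission)
SAMPLE_GRANTS = [
    (HELP_DESK, "collection", None, "Read"),
    (HELP_DESK, "collection", "Windows 98 computers", "Read Resource"),
    (HELP_DESK, "collection", "Windows 98 computers", "Use Remote Tools"),
    (HELP_DESK, "package", None, "Administrator"),
]


def validate_grants(grants):
    """Return a message for each grant that cannot exist as the article describes rights."""
    problems = []
    for principal, obj_class, instance, perm in grants:
        if obj_class not in OBJECT_CLASSES or perm not in PERMISSIONS:
            problems.append(f"{principal}: unknown object or permission: {obj_class}/{perm}")
        elif instance is not None and perm in CLASS_ONLY:
            problems.append(f"{principal}: {perm} is class-only, not valid on {instance!r}")
    return problems


def effective_rights(grants, principal, obj_class, instance):
    """Assumption: a class right covers every instance; instance rights add to it."""
    return {perm for who, cls, inst, perm in grants
            if who == principal and cls == obj_class and inst in (None, instance)}


def broad_grants(grants, principal, allowed_class_rights=frozenset({"Read"})):
    """Class-level grants beyond the allowed set (review policy assumed for this example)."""
    return [(cls, perm) for who, cls, inst, perm in grants
            if who == principal and inst is None and perm not in allowed_class_rights]


if __name__ == "__main__":
    print(validate_grants(SAMPLE_GRANTS))
    print(sorted(effective_rights(SAMPLE_GRANTS, HELP_DESK, "collection", "Windows 98 computers")))
    print(broad_grants(SAMPLE_GRANTS, HELP_DESK))
```

In the constructed sample, the class-level Administrator right on packages is the grant the review flags as broader than a help-desk role needs.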
By default, the SMS snap-in offers you access to the full range of SMS functionality. You can create a customized Microsoft Management Console (MMC) to meet your organization's needs. By combining a customized console with the security permissions mentioned earlier in this section, appropriate help-desk security and functionality can be implemented.
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
200670 Customizing the Systems Management Server Administrator Console
230263 How to Create Custom MMC Snap-in Tools Using Microsoft Management Console
199869 SMS: Assigning Class and Instance Security Rights with the SMS User Wizard