Article ID: 816292
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Systems Management Server 2.0 Standard Edition
SYMPTOMS
In Systems Management Server (SMS) 2.0 Service Pack 4 (SP4) and earlier, you must have domain administrator rights to enable Windows Networking Logon Client Installation and to create SMS logon points. With these permissions, you must maintain additional high-level accounts that might present security risks. However, after logon points are created, low-level domain user rights are sufficient to successfully access the logon point for inventory and package-status reporting.
CAUSE
In SMS 2.0 SP4 and earlier, when Windows Networking Logon Client Installation is enabled, Logon Server Manager (LSM) connects to the Admin$ share of a domain controller to create the logon point directory structure. Administrative credentials are required to connect to the Admin$ share of a computer.
RESOLUTION
With SMS 2.0 Service Pack 5 (SP5), you can enable a security mode where Windows Networking Logon Client Installation no longer requires domain administrator credentials to maintain Logon Points. If the security mode is enabled, LSM will make the connection to the IPC$ share of the domain controllers to maintain the SMSLogon directory structure.
To enable the security mode, follow these steps:
- Apply SMS 2.0 Service Pack 5.0.
- Locate and then click the following registry subkey:
Set this value to 1.
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\SMS_NT_LOGON_SERVER_MANAGER\Domains\
domain\Security Mode Enabled - Use administrative credentials to create the SMSLogon folder and share on each domain controller. Set the share comment to "SMS NT logon service."
- Set the following NTFS file system permissions on the SMSlogon folder:
Account F M RX L R W S SMS Service or Site System Connection account X Users X X X
Note To simplify management of the NTFS permissions, create a domain group, grant permissions to this group, and then add SMS Service accounts or SMS Site System Connection accounts to the group.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
With Service Pack 5 (SP5) for SMS 2.0, Windows Networking Logon Client Installation no longer requires domain administrator permissions to create the logon point directory structure. SMS now connects to the IPC$ share of the server to create the logon point directory structure.
Limitations of introduced changes with security mode enabled
- You must have domain administration permissions to install Windows Networking Logon Discovery and other SMS site systems on a domain controller. This security mode applies only to Windows Networking Logon Client Installation.
- After you disable Windows Logon Installation, LSM does not automatically remove the SMSLOGON share.
- If you manually add a new logon point, and no SMS client exists on the domain controller, SMS tries to install a client and cannot. This scenario occurs because of the lack of rights. You must install the SMS client manually.
- You must manually add SMS logon scripts to the Net Logon share on the primary domain controller (PDC) or on the PDC emulator.
- You must manually edit user logon scripts.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:816290 List of security changes in Systems Management Server 2.0 Service Pack 5
For additional information about how to obtain SMS 2.0 Service Pack 5, click the following article number to view the article in the Microsoft Knowledge Base:
288239 How to obtain the latest Systems Management Server 2.0 service pack
Keywords: kbprb kbusage kbsyssettings kbsecurity kbsms200presp5fix kbfix kbbug KB816292
