SMS 2003 Advanced Security Checklist

This section lists requirements for advanced security to function properly. Most errors with advanced security are due to incorrect group configuration.

Verify the proper computer accounts are added to the required groups

Verify that the computer account for the site server is added to the local Administrators group for every management point, client access point, reporting point, server locator point, SMS site database server (if remote), and distribution point.

Verify that the computer accounts for the management points, client access points, reporting points, server locator points, and the SMS site database server (if remote) are added to the Site System to Site Server Connection group.

Verify that the computer accounts for management points, server locator points, and reporting points are added to the Site System to SQL Server Connection group.

Verify that all sites have accounts configured for site-to-site communications.

If you have extended your Active Directory® schema, verify that the site server computer account has Full Control to the System Management container.
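One way to script the group-membership checks above, as an added example that is not part of the original checklist. It uses the WinNT ADSI provider (available on Windows Server 2003 and later); the site code, domain, and computer names are placeholders, and it assumes the Site System to Site Server Connection group is a local group on the site server.

```powershell
# Added example, not part of the SMS 2003 documentation. All names below are placeholders.
$SiteCode    = 'ABC'          # placeholder site code
$SiteServer  = 'SMSSITE01'    # placeholder site server computer name
$SiteSystems = @{             # placeholder site systems and their roles
    'MP01'  = 'management point'
    'CAP01' = 'client access point'
    'RP01'  = 'reporting point'
    'DP01'  = 'distribution point'
}
# Roles that must also be in the Site System to Site Server Connection group
$ConnRoles = @('management point', 'client access point', 'reporting point')

function Get-LocalGroupMemberNames {
    param([string]$Computer, [string]$Group)
    # WinNT provider returns local group members on remote and local computers
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Check 1: site server computer account in local Administrators on every site system.
# Computer accounts appear as NAME$ in the member list.
$siteServerAccount = "$SiteServer`$"
foreach ($computer in $SiteSystems.Keys) {
    $members = @(Get-LocalGroupMemberNames -Computer $computer -Group 'Administrators')
    $state = if ($members -contains $siteServerAccount) { 'OK     ' } else { 'MISSING' }
    "$state $computer ($($SiteSystems[$computer])): $siteServerAccount in Administrators"
}

# Check 2: MP, CAP and RP computer accounts in SMS_SiteSystemToSiteServerConnection_<sitecode>,
# assumed here to be a local group on the site server.
$connGroup   = "SMS_SiteSystemToSiteServerConnection_$SiteCode"
$connMembers = @(Get-LocalGroupMemberNames -Computer $SiteServer -Group $connGroup)
foreach ($computer in $SiteSystems.Keys) {
    if ($ConnRoles -notcontains $SiteSystems[$computer]) { continue }
    $account = "$computer`$"
    $state = if ($connMembers -contains $account) { 'OK     ' } else { 'MISSING' }
    "$state $account in $connGroup on $SiteServer"
}
```

Run it from an account that has administrative rights on the site systems, since reading local group membership remotely requires it.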

Delete Accounts That Are No Longer Needed

After migrating from standard security to advanced security, delete accounts that are no longer needed.

Environments with no Legacy Clients

Always delete the following accounts if you have no Legacy Clients and have migrated to advanced security.

  • SMS Service account

  • CCM Boot Loader (DC) (SMS#_dc)

  • CCM Boot Loader (Non-DC) (SMSCCMBootAcct&)

  • Client Services (DC) (SMS&_dc)

  • Client Services (Non-DC) (SMSCliSvcAcct&)

  • Client User Token (DC) (SMSCliToknAcct&)

  • Client User Token (Non-DC) (SMSCliToknLocalAcct&)

  • Client Connection (SMSClient_sitecode)

  • Legacy Client Software Installation

  • Internal client group (SMSInternalCliGrp)

Sometimes you can delete the following accounts.

  • Site System Database (SMS_SQL_RX_sitecode), if all of the following conditions are true:

    1. You have a secondary site running in standard security.

    2. The secondary site uses a proxy management point.

    3. You have not configured an alternate account to access the parent site SMS site database server.

  • Server Connection (SMSServer_sitecode), if your SMS site database is on the site server. If the SMS provider is installed on a remote computer running Microsoft® SQL Server™, deleting the SMSServer_sitecode account could prevent the site server from accessing the SMS site database server. For more information, search on "Transitioning from Standard Security to Advanced Security Might Fail" in the SMS 2003 Operations Release Notes.

Do not delete the following groups.

  • SMS Administrators (SMS Admins)

  • Reporting Users (SMS Reporting Users)

  • Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode)

  • Site System to SQL Server Connection (SMS_SiteSystemToSQLConnection_sitecode)

  • Site to Site Connection (SMS_SiteToSiteConnection_sitecode)

Do not delete the following accounts if they are in use:

  • Client Push Installation account

  • Advanced Client Network Access account

  • Site Address accounts that have not been replaced with computer accounts

Environments with Legacy Clients

Note

Running the Legacy Client is not considered a secure configuration.

Always delete the following accounts after migrating to advanced security.

  • SMS Service account

  • Site System Database (SMS_SQL_RX_sitecode)

Sometimes you can delete the following accounts.

  • Site System Database (SMS_SQL_RX_sitecode), if all of the following conditions are true:

    1. You have a secondary site running in standard security.

    2. The secondary site uses a proxy management point.

    3. You have not configured an alternate account to access the parent site SMS site database server.

  • Server Connection (SMSServer_sitecode), if your SMS site database is on the site server. If the SMS provider is installed on a remote computer running Microsoft® SQL Server™, deleting the SMSServer_sitecode account could prevent the site server from accessing the SMS site database server. For more information, search on "Transitioning from Standard Security to Advanced Security Might Fail" in the SMS 2003 Operations Release Notes.

Do not delete the following groups.

  • SMS Administrators (SMS Admins)

  • Reporting Users (SMS Reporting Users)

  • Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode)

  • Site System to SQL Server Connection (SMS_SiteSystemToSQLConnection_sitecode)

  • Site to Site Connection (SMS_SiteToSiteConnection_sitecode)

Do not delete the following accounts if they are used by the SMS site:

  • Client Connection (SMSClient_sitecode)

  • Client Push Installation, if used

  • Advanced Client Network Access, if used

  • Site Address accounts

  • Legacy Client Software Installation

  • Site Address accounts that have not been replaced with computer accounts

Do not delete the following accounts used on Domain Controllers running Legacy Clients:

  • CCM Boot Loader (DC) (SMS#_dc)

  • Client Services (DC) (SMS&_dc)

  • Client User Token (DC) (SMSCliToknAcct&)

  • Internal client group (SMSInternalCliGrp)

Do not delete the following accounts used on all other Legacy Clients:

  • CCM Boot Loader (Non-DC) (SMSCCMBootAcct&)

  • Client Services (Non-DC) (SMSCliSvcAcct&)

  • Client User Token (Non-DC) (SMSCliToknLocalAcct&)