SMS 2003 Advanced Security Checklist
This section lists requirements for advanced security to function properly. Most errors with advanced security are due to incorrect group configuration.
Verify the proper computer accounts are added to the required groups
□ Verify that the computer account for the site server is added to the local Administrators group on every management point, client access point, reporting point, server locator point, SMS site database server (if remote), and distribution point.
□ Verify that the computer accounts for the management points, client access points, reporting points, server locator points, and the SMS site database server (if remote) are added to the Site System to Site Server Connection group.
□ Verify that the computer accounts for the management points, server locator points, and reporting points are added to the Site System to SQL Server Connection group.
□ Verify that all sites have accounts configured for site-to-site communications.
□ If you have extended your Active Directory® schema, verify that the site server computer account has Full Control on the System Management container.
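The following PowerShell script is an added example, not part of the SMS 2003 documentation or Microsoft's tools: it checks the memberships and the System Management permission above against a live domain. It assumes PowerShell 2.0 or later, an account that can read the domain and each site system's local SAM, and placeholder names (site code XYZ, SITESRV01, MP01, CAP01, RP01, SLP01, DP01, SQL01) that you replace with your own. It uses ADSI rather than the Active Directory module so that it also works against Windows Server 2003 site systems. The site-to-site accounts item is not checked here.

```powershell
# Added example: audits the group memberships and the System Management ACL
# that SMS 2003 advanced security requires. This is not Microsoft's code.
# Assumptions: PowerShell 2.0 or later with read access to the domain and to
# each site system's SAM; every server name and the site code are hypothetical.
param(
    [string]$SiteCode              = 'XYZ',
    [string]$SiteServer            = 'SITESRV01',
    [string[]]$ManagementPoints    = @('MP01'),
    [string[]]$ClientAccessPoints  = @('CAP01'),
    [string[]]$ReportingPoints     = @('RP01'),
    [string[]]$ServerLocatorPoints = @('SLP01'),
    [string[]]$DistributionPoints  = @('DP01'),
    [string]$SiteDatabaseServer    = 'SQL01',   # same as $SiteServer when SQL is local
    [switch]$SchemaExtended
)

$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$failures = New-Object System.Collections.ArrayList

function Find-ComputerEntry([string]$Name) {
    # Computer accounts are stored with sAMAccountName NAME$.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $r = $s.FindOne()
    if ($r) { $r.GetDirectoryEntry() } else { $null }
}

function Test-LocalAdmin([string]$Computer, [string]$Account) {
    # Enumerate the remote local Administrators group through the WinNT provider;
    # domain computer accounts appear by their SAM name (NAME$).
    try {
        $group   = [ADSI]"WinNT://$Computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
        return ($members -contains "$Account`$")
    } catch { return $false }   # an unreachable host counts as a failed check
}

function Test-DomainGroupMember([string]$Computer, [string]$GroupName) {
    $entry = Find-ComputerEntry $Computer
    if (-not $entry) { return $false }
    # memberOf lists the DNs of the groups the computer belongs to directly.
    return [bool](@($entry.memberOf) | Where-Object { $_ -like "CN=$GroupName,*" })
}

function Test-FullControl([string]$Account) {
    # Full Control on CN=System Management must apply to the container and all
    # child objects, so require an Allow ACE with GenericAll and inheritance 'All'.
    $nt  = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$Account`$")
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $container = [ADSI]"LDAP://CN=System Management,CN=System,$domainDN"
    $rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    return [bool]($rules | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $all) -eq $all -and
        $_.InheritanceType -eq 'All'
    })
}

function Report([bool]$Ok, [string]$Check) {
    if ($Ok) { "OK    $Check" } else { "FAIL  $Check"; [void]$failures.Add($Check) }
}

$remoteSql = @()
if ($SiteDatabaseServer -and $SiteDatabaseServer -ne $SiteServer) { $remoteSql = @($SiteDatabaseServer) }

# 1. Site server computer account in local Administrators on every site system.
$allSystems = $ManagementPoints + $ClientAccessPoints + $ReportingPoints +
              $ServerLocatorPoints + $DistributionPoints + $remoteSql
foreach ($sys in ($allSystems | Select-Object -Unique)) {
    Report (Test-LocalAdmin $sys $SiteServer) "$SiteServer`$ in Administrators on $sys"
}
# 2. MP, CAP, RP, SLP and remote SQL server in Site System to Site Server Connection.
$siteGroup = "SMS_SiteSystemToSiteServerConnection_$SiteCode"
foreach ($sys in ($ManagementPoints + $ClientAccessPoints + $ReportingPoints + $ServerLocatorPoints + $remoteSql)) {
    Report (Test-DomainGroupMember $sys $siteGroup) "$sys`$ in $siteGroup"
}
# 3. MP, SLP and RP in Site System to SQL Server Connection.
$sqlGroup = "SMS_SiteSystemToSQLConnection_$SiteCode"
foreach ($sys in ($ManagementPoints + $ServerLocatorPoints + $ReportingPoints)) {
    Report (Test-DomainGroupMember $sys $sqlGroup) "$sys`$ in $sqlGroup"
}
# 4. With an extended schema the site server needs Full Control on System Management.
if ($SchemaExtended) {
    Report (Test-FullControl $SiteServer) "$SiteServer`$ Full Control on CN=System Management"
}
if ($failures.Count -gt 0) { Write-Warning "$($failures.Count) check(s) failed"; exit 1 }
```

Run it from the site server as an SMS administrator. Each FAIL line names the missing membership; a Full Control entry that is not set to apply to this object and all child objects is reported as missing, because that is the permission SMS needs on the container. Membership is read from the computer object's memberOf attribute, so nesting through another group is not recognised, which matches the checklist's requirement that the computer accounts themselves be in the groups.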
Delete Accounts That Are No Longer Needed
After migrating from standard security to advanced security, delete accounts that are no longer needed.
Environments with no Legacy Clients
Always delete the following accounts if you have no Legacy Clients and have migrated to advanced security.
SMS Service account
CCM Boot Loader (DC) (SMS#_dc)
CCM Boot Loader (Non-DC) (SMSCCMBootAcct&)
Client Services (DC) (SMS&_dc)
Client Services (Non-DC) (SMSCliSvcAcct&)
Client User Token (DC) (SMSCliToknAcct&)
Client User Token (Non-DC) (SMSCliToknLocalAcct&)
Client Connection (SMSClient_sitecode)
Legacy Client Software Installation
Internal client group (SMSInternalCliGrp)
Sometimes you can delete the following accounts.
Site System Database (SMS_SQL_RX_sitecode), unless all of the following conditions are true, in which case the proxy management point at the secondary site still uses this account to reach the parent site database:
You have a secondary site running in standard security.
The secondary site uses a proxy management point.
You have not configured an alternate account to access the parent site SMS site database server.
Server Connection (SMSServer_sitecode), if your SMS site database is on the site server. If the SMS provider is installed on a remote computer running Microsoft® SQL Server™, deleting the SMSServer_sitecode account could prevent the site server from accessing the SMS site database server. For more information, search on "Transitioning from Standard Security to Advanced Security Might Fail" in the SMS 2003 Operations Release Notes.
Do not delete the following groups.
SMS Administrators (SMS Admins)
Reporting Users (SMS Reporting Users)
Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode)
Site System to SQL Server Connection (SMS_SiteSystemToSQLConnection_sitecode)
Site to Site Connection (SMS_SiteToSiteConnection_sitecode)
Do not delete the following accounts if they are in use:
Client Push Installation account
Advanced Client Network Access account
Site Address accounts that have not been replaced with computer accounts
Environments with Legacy Clients
Note: Running the Legacy Client is not considered a secure configuration.
Always delete the following account after migrating to advanced security.
SMS Service account
Sometimes you can delete the following accounts.
Site System Database (SMS_SQL_RX_sitecode), unless all of the following conditions are true, in which case the proxy management point at the secondary site still uses this account to reach the parent site database:
You have a secondary site running in standard security.
The secondary site uses a proxy management point.
You have not configured an alternate account to access the parent site SMS site database server.
Server Connection (SMSServer_sitecode), if your SMS site database is on the site server. If the SMS provider is installed on a remote computer running Microsoft® SQL Server™, deleting the SMSServer_sitecode account could prevent the site server from accessing the SMS site database server. For more information, search on "Transitioning from Standard Security to Advanced Security Might Fail" in the SMS 2003 Operations Release Notes.
Do not delete the following groups.
SMS Administrators (SMS Admins)
Reporting Users (SMS Reporting Users)
Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode)
Site System to SQL Server Connection (SMS_SiteSystemToSQLConnection_sitecode)
Site to Site Connection (SMS_SiteToSiteConnection_sitecode)
Do not delete the following accounts used by the SMS site:
Client Connection (SMSClient_sitecode)
Client Push Installation, if used
Advanced Client Network Access, if used
Legacy Client Software Installation
Site Address accounts that have not been replaced with computer accounts
Do not delete the following accounts used on Domain Controllers running Legacy Clients:
CCM Boot Loader (DC) (SMS#_dc)
Client Services (DC) (SMS&_dc)
Client User Token (DC) (SMSCliToknAcct&)
Internal client group (SMSInternalCliGrp)
Do not delete the following accounts used on all other Legacy Clients:
CCM Boot Loader (Non-DC) (SMSCCMBootAcct&)
Client Services (Non-DC) (SMSCliSvcAcct&)
Client User Token (Non-DC) (SMSCliToknLocalAcct&)
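As an added example (not from the SMS 2003 documentation or from Microsoft), the PowerShell script below turns the two environment lists above into a delete/keep plan for one site, looks each principal up, and deletes only when run with -Delete. Whether Legacy Clients remain, whether the site database is on the site server, and whether a standard-security secondary site with a proxy management point still depends on the SMS_SQL_RX account are supplied as switches rather than detected. The site code XYZ, the service account name SMSService and the client names are hypothetical. The three connection groups are checked as domain groups; the SMS Admins and SMS Reporting Users groups and the admin-named accounts (Client Push Installation, Advanced Client Network Access, site address accounts) are left out because their names or locations are site-specific.

```powershell
# Added example: builds the delete/keep plan from this checklist for one site,
# finds which of those principals still exist, and deletes only on request.
# Not Microsoft's code. Assumptions: PowerShell 2.0+, rights to read (and, with
# -Delete, remove) domain accounts and each listed client's local accounts;
# the site code, service account name and client names are hypothetical.
param(
    [string]$SiteCode          = 'XYZ',
    [string]$SmsServiceAccount = 'SMSService',      # name chosen at install time
    [switch]$LegacyClientsPresent,
    [switch]$SiteDatabaseOnSiteServer,
    [switch]$StandardSecuritySecondaryUsesProxyMP,  # with no alternate account configured
    [string[]]$LegacyClients   = @(),               # machines whose local SAM to inspect
    [switch]$Delete
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 500

function Find-Principals([string]$SamPattern) {
    # Users and groups whose sAMAccountName matches; '*' stands for the per-DC suffix.
    $searcher.Filter = "(&(|(objectCategory=person)(objectCategory=group))(sAMAccountName=$SamPattern))"
    foreach ($r in $searcher.FindAll()) { $r.GetDirectoryEntry() }
}

# Decision table: pattern, action, reason. Mirrors the two environment lists.
$legacyPatterns = 'SMS#_*', 'SMS&_*', 'SMSCliToknAcct&', "SMSClient_$SiteCode", 'SMSInternalCliGrp'
$legacyAction   = if ($LegacyClientsPresent) { 'keep' } else { 'delete' }
$plan = @()
$plan += ,@($SmsServiceAccount, 'delete', 'SMS Service account is not used under advanced security')
foreach ($p in $legacyPatterns) { $plan += ,@($p, $legacyAction, 'Legacy Client account') }
$plan += ,@("SMS_SQL_RX_$SiteCode",
            $(if ($StandardSecuritySecondaryUsesProxyMP) { 'keep' } else { 'delete' }),
            'needed only by a standard-security secondary site proxy MP without an alternate account')
$plan += ,@("SMSServer_$SiteCode",
            $(if ($SiteDatabaseOnSiteServer) { 'delete' } else { 'keep' }),
            'needed when the site database or SMS Provider is on a remote SQL Server')
foreach ($g in "SMS_SiteSystemToSiteServerConnection_$SiteCode", "SMS_SiteSystemToSQLConnection_$SiteCode", "SMS_SiteToSiteConnection_$SiteCode") {
    $plan += ,@($g, 'keep', 'required by advanced security')
}

# Apply the plan to what actually exists in the domain.
foreach ($row in $plan) {
    $pattern, $action, $reason = $row
    $hits = @(Find-Principals $pattern)
    if ($hits.Count -eq 0) { "absent  $pattern"; continue }
    foreach ($e in $hits) {
        $sam = [string]$e.sAMAccountName
        "$action  $sam  ($reason)"
        if ($action -eq 'delete' -and $Delete) { $e.psbase.DeleteTree() }
    }
}

# The three Non-DC accounts live in each Legacy Client's local SAM, not in the domain.
foreach ($client in $LegacyClients) {
    foreach ($name in 'SMSCCMBootAcct&', 'SMSCliSvcAcct&', 'SMSCliToknLocalAcct&') {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("WinNT://$client/$name,user")) { continue }
        "$legacyAction  $client\$name  (local Legacy Client account)"
        if ($legacyAction -eq 'delete' -and $Delete) { ([ADSI]"WinNT://$client").Delete('user', $name) }
    }
}
```

Run it once without -Delete and read the plan: a "keep" line for a connection group that is reported absent points at the group configuration problems the first checklist covers, and a "delete" line you did not expect usually means one of the three switches was set wrongly. The SMSServer_sitecode row defaults to keep, matching the release-note warning above about a remote SMS Provider.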