Step 1b: Granting Permissions for Administrators to Install MDM

2/9/2009

This section shows you how to add users to the MDM Server Administrators group. All users whom you add to this group will be able to install MDM components and administer the MDM architecture.

MDM server administrator credentials will allow you to perform the MDM install. However, to perform other device operations such as device management configuration and device wipe, you may need to belong to the following groups:

  • SCMDMDeviceAdmins (<instance name>)

  • SCMDMDeviceSupport (<instance name>)

  • SCMDMHelpdeskOperator (<instance name>)

  • SCMDMReadOnlyUsers (<instance name>)

    Important

    After you add a member to a group, you may need to log off the server to refresh your Active Directory credentials.

To view the administrator groups and folders, in Active Directory Users and Computers, choose the View tab, and then choose the Advanced Features option. MDM with Service Pack 1 introduces the MDM Security Administrators group (SCMDMSecurityAdmins (<instance name>)). The MDM Security Administrators group has the credentials to add or remove members to and from all other MDM groups. By default, the Domain Administrators group is added to the MDM Security Administrators group and the MDM Server Administrators group.

Note

If you do not want the Domain Administrators group to be a member of the MDM Security Administrators group and the MDM Server Administrators group, you can remove it from them. Also, if you do not want to increase the number of groups to which the Domain Administrators group belongs, you may remove it from the MDM Security Administrators group and the MDM Server Administrators group. If a user is a member of too many groups, he or she might be unable to access network shares. For more information on this issue, see "Error message: During a logon attempt, the user's security context accumulated too many security IDs" at the Microsoft Help and Support Web site: https://go.microsoft.com/fwlink/?LinkId=127846.

It is highly recommended that you use accounts belonging to the MDM Security Administrators group to delegate MDM group roles, such as adding members to and removing members from the other MDM security groups. This helps you secure and manage the MDM groups and user accounts in your MDM installation. The following procedures show you how to add a user to the MDM Security Administrators group, and then how to use that role to assign an account to the MDM Server Administrators Group.

As a security best practice, you should monitor the accounts added to each MDM group. For a list of MDM group roles including the SCMDMSecurityAdmins (<instance name>) group, see ADConfig Tool. Also for more information on MDM group roles and permissions, see Security and Protection for Mobile Device Manager.

To add an account to the MDM Security Administrators Group

  1. In Active Directory Users and Computers, on the View tab, choose Advanced Features.

  2. Open the Users folder.

  3. Right-click SCMDMSecurityAdmins (<instance name>) and then select Properties.

  4. Choose the Members tab and then choose Add.

    Note

    You should be a domain administrator or equivalent to add a member to the MDM Security Administrators Group.

  5. Type the name of the account that you want to add as an MDM security administrator.

  6. Choose OK two times to close the dialog box.

  7. Log off the server, and then log on again to refresh the Active Directory credentials.

To add an account to the MDM Server Administrators Group

  1. Using an account with MDM Security Administrator group privileges, in Active Directory Users and Computers, on the View tab, choose Advanced Features.

  2. Open the Users folder.

  3. Right-click SCMDMServerAdmins (<instance name>) and then select Properties.

  4. Choose the Members tab and then choose Add.

    Note

    You should be a member of the MDM Security Administrators Group to add a user to the MDM Server Administrators Group.

  5. Type the name of the account that you want to add as an MDM administrator.

  6. Choose OK two times to close the dialog box.

  7. Log off the server, and then log on again to refresh the Active Directory credentials.
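As an added example, not part of the MDM documentation, the following PowerShell script covers the monitoring recommendation above and scripts the second procedure: it reports the direct and effective members of each MDM group for one instance, flags whether Domain Admins (the Domain Administrators group) is still a member, and adds an account to SCMDMServerAdmins. It assumes the ActiveDirectory module (RSAT) is installed; the instance name "Contoso" and the function names Get-MdmGroup, Get-MdmGroupReport and Add-MdmServerAdmin are my own.

```powershell
# Added example, not from the MDM documentation. Assumes the ActiveDirectory
# PowerShell module (RSAT) is installed and the caller can read group members.
Import-Module ActiveDirectory
$InstanceName = 'Contoso'   # placeholder; replace with your MDM instance name

# MDM group roles named in this section, most privileged first.
$MdmRoles = @(
    'SCMDMSecurityAdmins',    # may add or remove members of all other MDM groups
    'SCMDMServerAdmins',      # may install MDM components
    'SCMDMDeviceAdmins',
    'SCMDMDeviceSupport',
    'SCMDMHelpdeskOperator',
    'SCMDMReadOnlyUsers'
)

function Get-MdmGroup {
    param([string]$Role, [string]$Instance)
    # Group names carry the instance in parentheses, e.g. "SCMDMServerAdmins (Contoso)".
    Get-ADGroup -Filter "Name -eq '$Role ($Instance)'" -ErrorAction SilentlyContinue
}

# One row per MDM group: direct members, effective member count through nesting,
# and whether Domain Admins is still a direct member (see the Note above).
function Get-MdmGroupReport {
    param([string]$Instance)
    foreach ($role in $MdmRoles) {
        $group = Get-MdmGroup -Role $role -Instance $Instance
        if (-not $group) {
            Write-Warning "$role ($Instance) not found; check the instance name."
            continue
        }
        $direct    = @(Get-ADGroupMember -Identity $group)
        $effective = @(Get-ADGroupMember -Identity $group -Recursive)
        [pscustomobject]@{
            Group           = $group.Name
            DirectMembers   = ($direct.SamAccountName) -join ', '
            EffectiveCount  = $effective.Count
            HasDomainAdmins = [bool]($direct | Where-Object {
                                 $_.objectClass -eq 'group' -and $_.SamAccountName -eq 'Domain Admins' })
        }
    }
}

# Scripted equivalent of the second procedure; run as an MDM Security Administrator.
function Add-MdmServerAdmin {
    param([string]$Instance, [string]$SamAccountName)
    $group = Get-MdmGroup -Role 'SCMDMServerAdmins' -Instance $Instance
    if (-not $group) { throw "SCMDMServerAdmins ($Instance) not found." }
    Add-ADGroupMember -Identity $group -Members $SamAccountName
    "Added $SamAccountName to $($group.Name); log off and on again to refresh the token."
}

Get-MdmGroupReport -Instance $InstanceName | Format-Table -AutoSize
```

Run the report on a schedule and compare DirectMembers against the last run to catch membership changes you did not make.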