Managing Advanced Security Accounts

Advanced security supports and requires very few accounts. To effectively plan and manage SMS security, it is essential to understand administrative actions required to manage SMS accounts. This section assumes you are using SQL Server with Windows Authentication, which is recommended.

Advanced security always uses the following accounts:

Local System

Computer (computername$)

If you install clients by using Client Push Installation, you must create a Client Push Installation Account with administrative rights on the target clients. In advanced security, there is no SMS Service account to fall back to for Client Push Installation, and the site server computer account cannot be used for Client Push Installation.

Note

If you plan to use Client Push Installation to deploy the Advanced Client to computers that are members of Windows NT 4.0 domains, and there will be no user logged on locally to the target system, you must also create the Advanced Client Network Access account.

Verify the Proper Computer Accounts Have All Necessary Permissions

Advanced security requires fewer accounts, but requires more administrative action to provide the appropriate security environment. Requiring administrative intervention provides checks and balances for secure SMS account administration.

The following section is not so much best practices as it is requirements for advanced security to function properly. Most errors with advanced security are due to incorrect group configuration.

Verify that the computer accounts for the management points, client access points, reporting points, server locator points, and the SMS site database server (if remote) are added to the Site System to Site Server Connection group

When you upgrade a standard security site to advanced security, SMS automatically adds the computer accounts for the client access point (CAP), management point, and SMS site database server (if remote) to the Site System to Site Server Connection group. You must manually add the reporting points and server locator points. Do not add distribution points to this group.

Verify that all sites have accounts configured for site-to-site communications

If you are migrating from standard security to advanced security, the existing Site Address Accounts still function. If you later decide you want to use the computer account as the Site Address Account, verify that the computer account of the sending site server is a member of the Site to Site Connection group on the receiving site server. A child site sends only to its parent site, but a parent site might initiate site-to-site communications with a child or grandchild site, so its computer account might also require membership in the Site to Site Connection group on grandchild site servers.

Important

If you specify a domain user account as the Site Address account and then later decide you want to use the computer account as the Site Address account, you must delete the address and recreate it. Changing the account name is not sufficient when switching from a user account to the computername$ account.

Verify that the computer account for the site server is added to the local Administrators group for every management point, client access point, reporting point, server locator point, SMS site database server (if remote), and distribution point.

If you are using Windows Server 2003, you can add computer accounts to groups by using the graphical user interface. If you are using Windows 2000 Server, you can add a computer account to a local group or local domain group only by using the command prompt. For the procedures, see “Adding Computer Accounts to Groups” in Appendix E: “SMS Security Procedures.”

Verify that the computer accounts for your management points, server locator points, and reporting points are added to the Site System to SQL Server Connection group

In advanced security only, SMS attempts to automatically add the computer accounts for the management point and server locator point to the Site System to SQL Server Connection group when you enable the management point and server locator point site systems at a site. If the site server computer account does not have administrative rights to the server running SQL Server, you must manually add the accounts to the group. This commonly occurs when secondary site servers are not administrators on the parent site server’s SMS site database server.
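The three membership requirements above (Site System to Site Server Connection group, local Administrators on every site system, and Site System to SQL Server Connection group), plus the Site to Site Connection check for sites that use computername$ as the Site Address account, are the ones most often misconfigured. The following audit script is an added example and is not part of the SMS documentation. It uses the WinNT ADSI provider so that it works against Windows 2000 and Windows Server 2003 site systems without PowerShell remoting, and it assumes the SMS_SiteSystemToSiteServerConnection and SMS_SiteToSiteConnection groups are local groups on the site server and SMS_SiteSystemToSQLConnection is a local group on the SMS site database server. The site code, domain name and server names are hypothetical, and the account running the script must be an administrator on every target computer.

```powershell
# Added example (not SMS documentation): audit, and optionally fix, the local group
# memberships that advanced security requires. Site code, domain and server names
# below are hypothetical placeholders.

$SiteCode   = 'CEN'
$Domain     = 'CONTOSO'
$SiteServer = 'SMSSITE01'
$SqlServer  = 'SMSSQL01'              # remote SMS site database server
$Roles = @{
    ManagementPoint    = @('SMSMP01')
    ClientAccessPoint  = @('SMSCAP01')
    ReportingPoint     = @('SMSRP01')
    ServerLocatorPoint = @('SMSSLP01')
    DistributionPoint  = @('SMSDP01', 'SMSDP02')
}
# Site servers that send to this site using their computer account as the Site Address account.
$SiteToSiteSenders = @('SMSPRI02')
$Fix = $false                          # set to $true to add missing members

function Get-LocalGroupMemberNames {
    # Returns the members of a local group as DOMAIN\NAME (computer accounts end in $).
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/SMSMP01$ -> CONTOSO\SMSMP01$
    }
}

function Assert-LocalGroupMember {
    # Reports whether $Member is in $Group on $Computer; adds it when -Fix is given.
    param([string]$Computer, [string]$Group, [string]$Member, [switch]$Fix)
    $members = @(Get-LocalGroupMemberNames -Computer $Computer -Group $Group)
    if ($members -contains $Member) {
        Write-Host "OK      $Computer\$Group contains $Member"
        return
    }
    Write-Warning "MISSING $Computer\$Group lacks $Member"
    if ($Fix) {
        # Same effect as running on $Computer:  net localgroup "$Group" "$Member" /add
        $grp = [ADSI]"WinNT://$Computer/$Group,group"
        $grp.Add("WinNT://$($Member -replace '\\', '/')")
        Write-Host "ADDED   $Member to $Computer\$Group"
    }
}

$siteServerAcct = "$Domain\$SiteServer$"
$toSiteServer   = "SMS_SiteSystemToSiteServerConnection_$SiteCode"   # local group on the site server
$toSql          = "SMS_SiteSystemToSQLConnection_$SiteCode"          # local group on the SQL Server computer
$siteToSite     = "SMS_SiteToSiteConnection_$SiteCode"               # local group on the site server

# 1. MP, CAP, RP, SLP and the remote SQL Server computer accounts belong in the
#    Site System to Site Server Connection group; distribution points do not.
$needed = $Roles.ManagementPoint + $Roles.ClientAccessPoint + $Roles.ReportingPoint +
          $Roles.ServerLocatorPoint + @($SqlServer)
foreach ($s in $needed) { Assert-LocalGroupMember $SiteServer $toSiteServer "$Domain\$s$" -Fix:$Fix }
$current = @(Get-LocalGroupMemberNames $SiteServer $toSiteServer)
foreach ($dp in $Roles.DistributionPoint) {
    if ($current -contains "$Domain\$dp$") { Write-Warning "EXTRA   distribution point $dp should not be in $toSiteServer" }
}

# 2. The site server computer account must be a local Administrator on every site system.
$allSystems = @($Roles.Values | ForEach-Object { $_ }) + @($SqlServer) | Sort-Object -Unique
foreach ($s in $allSystems) { Assert-LocalGroupMember $s 'Administrators' $siteServerAcct -Fix:$Fix }

# 3. MP, SLP and RP computer accounts belong in the Site System to SQL Server Connection group.
foreach ($s in ($Roles.ManagementPoint + $Roles.ServerLocatorPoint + $Roles.ReportingPoint)) {
    Assert-LocalGroupMember $SqlServer $toSql "$Domain\$s$" -Fix:$Fix
}

# 4. Sending site servers that use computername$ as the Site Address account must be in
#    the Site to Site Connection group on this (receiving) site server.
foreach ($s in $SiteToSiteSenders) { Assert-LocalGroupMember $SiteServer $siteToSite "$Domain\$s$" -Fix:$Fix }
```

Run it first with $Fix left at $false and review the MISSING and EXTRA lines; group membership changes take effect for a computer account only after that computer's next logon (a reboot, or a restart of the relevant SMS service), so allow for that before re-testing. Adding a computer account to the SQL connection group does not by itself create the SQL Server login; that mapping is handled by SMS when it creates the group.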

Grant the site server computer account permissions to publish in Active Directory (applies only if you have extended your Active Directory schema)

If you installed SMS using standard security and extended your schema, you should have already granted the SMS Service account full control permissions to the System Management container and all child objects in Active Directory. After migrating the site to advanced security, remove the access control entries (ACEs) granted to the SMS Service account and grant the site server computer account full control to the System Management container and all child objects.

If you installed SMS using advanced security and have already extended your schema, the site server computer account should already have been granted full control permissions to the System Management container and all child objects. If it has not, grant them now: SMS cannot publish information to Active Directory until the appropriate permissions are granted.

For specific procedures to extend the schema and grant the necessary publishing permissions in Active Directory, see the Active Directory Schema Modification and Publishing for Systems Management Server 2003 white paper (https://go.microsoft.com/fwlink/?linkid=24970) on the Microsoft Download site.
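The white paper is the authoritative procedure. As an added example that is not part of the SMS documentation or the white paper, the following script shows the same ACL change done from the command line with dsacls.exe (shipped in the Windows Support Tools on Windows 2000 and Windows Server 2003): it removes the ACEs held by the old SMS Service account, grants the site server computer account Full Control on the System Management container and all child objects, and verifies the result through the container's security descriptor. The domain, account and server names are hypothetical, and the script assumes it is run by a domain administrator on a computer that can reach a domain controller.

```powershell
# Added example (not SMS documentation): re-point the System Management container
# ACL from the standard security SMS Service account to the site server computer
# account, then verify. Account and server names below are hypothetical placeholders.

$rootDse        = [ADSI]'LDAP://RootDSE'
$container      = "CN=System Management,CN=System,$($rootDse.defaultNamingContext)"
$siteServerAcct = 'CONTOSO\SMSSITE01$'       # advanced security: site server computer account
$oldServiceAcct = 'CONTOSO\SMSService'       # standard security SMS Service account (migration only)

function Get-ContainerRules {
    # Returns the explicit and inherited ACEs on the container for one account.
    param([string]$Dn, [string]$Account)
    $entry = [ADSI]"LDAP://$Dn"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Account }
}

# Before: show what the old service account currently holds on the container.
Get-ContainerRules $container $oldServiceAcct |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# Step 1 (migrated sites only): remove every ACE granted to the SMS Service account.
dsacls $container /R $oldServiceAcct

# Step 2: grant the site server computer account Full Control (GA) on the container
#         and all child objects (/I:T = this object and all child objects).
dsacls $container /G "${siteServerAcct}:GA" /I:T

# After: confirm the computer account now holds an Allow GenericAll ACE that propagates.
$rule = Get-ContainerRules $container $siteServerAcct |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and $_.AccessControlType -eq 'Allow' }
if ($rule) {
    "$siteServerAcct has Full Control on $container (inheritance: $($rule.InheritanceType))"
} else {
    Write-Warning "$siteServerAcct still lacks Full Control on $container; SMS cannot publish until it is granted"
}
```

Skip Step 1 on a site that was installed directly with advanced security, since there is no SMS Service account ACE to remove. Full Control is what the documentation requires because SMS creates, rewrites and deletes child objects (site, management point and roaming boundary entries) under the container; verify after the change that ordinary domain users still have only read access, which is what clients need to locate a management point.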

After Migrating from Standard Security to Advanced Security, Delete Accounts that Are No Longer Needed (Advanced Client Environment)

Migrating a site to advanced security does not cause the standard security accounts to be deleted automatically because clients, or other sites, might need them. You can remove the accounts when you are certain they are not being used anymore.

Caution

This list assumes there are no Legacy Clients in the site and directs you to remove all Legacy Client accounts. If you have Legacy Clients, see “After Migrating to Advanced Security, Delete Security Accounts that Are No Longer Needed (Legacy Client Environment)” in Appendix D: “Legacy Client Security Environment.”

Always delete

  • SMS Service account

  • CCM Boot Loader (DC) (SMS#_dc)

  • CCM Boot Loader (Non-DC) (SMSCCMBootAcct&)

  • Client Services (DC) (SMS&_dc)

  • Client Services (Non-DC) (SMSCliSvcAcct&)

  • Client User Token (DC) (SMSCliToknAcct&)

  • Client User Token (Non-DC) (SMSCliToknLocalAcct&)

  • Client Connection (SMSClient_sitecode)

  • Legacy Client Software Installation

  • Internal client group (SMSInternalCliGrp)

Sometimes delete

  • Site System Database (SMS_SQL_RX_sitecode). Do not delete this account if all of the following conditions are true:

    • You have a secondary site running in standard security.

    • The secondary site uses a proxy management point.

    • You have not configured an alternate account to access the parent site’s SMS site database server.

  • Server Connection (SMSServer_sitecode). Delete this account if your SMS site database is on the site server. In SMS 2003 (without SP1), if the SMS Provider is installed on a remote computer running SQL Server, deleting the SMSServer_sitecode account could prevent the site server from accessing the SMS site database server. This is no longer true after upgrading to SMS 2003 SP1. For more information, search on “Transitioning from Standard Security to Advanced Security Might Fail” in the SMS 2003 Operations Release Notes on Microsoft TechNet.

Do not delete

  • The following groups:

    • SMS Administrators (SMS Admins)

    • Reporting Users (SMS Reporting Users)

    • Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode)

    • Site System to SQL Server Connection (SMS_SiteSystemToSQLConnection_sitecode)

    • Site to Site Connection (SMS_SiteToSiteConnection_sitecode)

  • The following accounts:

    • Client Push Installation account (unless your need for the account has changed)

    • Advanced Client Network Access account (unless your need for the account has changed)

    • Any Site Address accounts that you have added to SMS_SiteToSiteConnection_sitecode, unless you have already replaced them with computer accounts.