SMS Object Rights

You have several options available to change SMS object rights:

  • Change the class and instance rights directly

  • Use the SMS User Wizard

  • Use the Clone SMS User dialog box

  • Use scripts (see Appendix C: “Scripting SMS Operations” in the Microsoft Systems Management Server 2003 Operations Guide)

Note

Copying the rights from one user to another can be very time-consuming. The SMS Administrator console can be unusable during that time. To avoid this problem, do not copy instance rights from the other user if the class rights are sufficient.

Important

In some cases you can remove the SMS rights for the LocalSystem account - NT Authority\SYSTEM. You should not remove those rights. This version of SMS does not use those rights, but future versions or tools might require those rights.

Changing class and instance rights directly

You can directly change class and instance rights for SMS objects in the SMS Administrator console in two ways:

  • Right-click an object (such as a collection), click Properties, and then click the Security tab. Change the rights as necessary.

  • Right-click Security Rights, select New, and then click Class Security Right or Instance Security Right. Or select Security Rights, right-click the appropriate right, and click Properties. Change the rights as necessary.

Note

When granting rights by using the Delegate right, you can only grant rights that you have. In the SMS Administrator console, rights that you cannot grant are indicated with a lock icon.

Security Rights can have many entries, especially in an SMS site that has been in production for some time. To filter the entries displayed, right-click Security Rights, and then click Properties. Clear any entry you do not want to see.

Important

The permissions filter continues to be effective until you change it. This could cause confusion at a later date when you return to the Security Rights node and do not see all the permission entries. To avoid that problem, include all the permissions on the filter when you are done working with permissions.

Using the SMS User Wizard

To facilitate the addition of SMS object security rights to users or groups, you can use the SMS User Wizard. To use the SMS User Wizard, navigate to the Security Rights node in the SMS Administrator console.

Systems Management Server
    Site Database (site code - site name)
        Security Rights

Right-click the Security Rights node, click All Tasks, and then select Manage SMS Users.

The SMS User Wizard allows you to modify an existing user, add a new user, or remove an existing user. When adding a new user or modifying a current user, you can modify rights individually or copy them from another user. Repeat these steps as needed.

The SMS User Wizard automatically adds new SMS administrators to the SMS Admins group.

Important

When adding a new user, SMS might display the following message: “SMS is unable to verify that the name you entered is an existing Windows user or user group account.” This might occur because of a typing error, an underlying problem that prevents the wizard from verifying the account, or because the account is a local user group. All accounts granted SMS object security permissions must have access to the SMS WMI namespace. You can give accounts access to the SMS WMI namespace by putting the accounts in the SMS Admins local group. Local groups cannot be added to local groups. Therefore you must manually provide the WMI rights to a local group so that it can access the SMS WMI namespace.

Cloning SMS Users

If you want to add a user with the same rights as a current user, you can clone the current user’s permissions. To clone an SMS user, navigate to the Security Rights node in the SMS Administrator console.

Systems Management Server
    Site Database (site code - site name)
        Security Rights

Then right-click the current user, click All Tasks, and select Clone SMS User. However, the Clone SMS User Wizard does not put the new account into the SMS Admins group. You must do that manually.
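
Because a cloned account (or a local group) can hold SMS object rights without being in the SMS Admins group, it is useful to check for such accounts after changing rights. The following PowerShell script is an added example, not part of the original guide. It assumes the SMS Provider classes SMS_UserClassPermissions and SMS_UserInstancePermissions in the root\sms\site_<site code> namespace, and the server name and site code shown are placeholders.

```powershell
# Added example: report accounts that hold SMS object rights but are not
# direct members of the local SMS Admins group on the site server.
param(
    [string]$SiteServer = 'SITESERVER',  # placeholder: your site server name
    [string]$SiteCode   = 'XXX'          # placeholder: your three-character site code
)

$namespace = "root\sms\site_$SiteCode"

# Collect every account named in a class or instance security right.
$holders = foreach ($class in 'SMS_UserClassPermissions', 'SMS_UserInstancePermissions') {
    Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Class $class |
        ForEach-Object { $_.UserName }
}
$holders = @($holders | Where-Object { $_ } | Sort-Object -Unique)

# Read the direct members of the local SMS Admins group (WinNT ADSI provider).
$group   = [ADSI]"WinNT://$SiteServer/SMS Admins,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name -> AUTHORITY\name
    $parts = ($path -replace '^WinNT://', '') -split '/'
    '{0}\{1}' -f $parts[-2], $parts[-1]
})

foreach ($account in $holders) {
    # LocalSystem rights are expected and should be left in place.
    if ($account -eq 'NT AUTHORITY\SYSTEM') { continue }

    # -notcontains compares case-insensitively, matching Windows account names.
    if ($members -notcontains $account) {
        New-Object PSObject -Property @{
            Account = $account
            Finding = 'Has SMS object rights; not a direct member of SMS Admins'
        }
    }
}
```

The script checks direct membership only, so an account that reaches the SMS WMI namespace through a nested domain group, or through WMI rights granted manually to a local group, is also listed and should be reviewed by hand.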