Appendix C: SMS Accounts, Groups, and Passwords
To strengthen security, Systems Management Server (SMS) can use multiple accounts for different site and client functions. You can use these accounts to avoid granting domain administrative access across the network. By assigning the minimum required rights and permissions, you minimize the risk to all SMS processes if a single account’s security is breached.
Table C.1 SMS User Accounts
Account category |
Friendly name |
Interface name |
|---|---|---|
Common server and client |
Local system |
N/A |
Advanced security |
Computer |
Computername$ SiteServerComputername$ SiteSystemComputername$ |
Standard security |
SMS Service |
Administrator’s choice |
Standard security |
SMS Server Connection |
SMSServer_sitecode (can vary) |
Standard security |
Site System Connection |
Administrator’s choice |
Standard security |
Remote Service |
SMSSvc_sitecode_xxxx |
Standard security |
Site System Database |
SMS_SQL_RX_sitecode (can vary) |
Common server |
SMS Installation Account Client Push Installation Site Address |
Administrator’s choice |
IIS Accounts |
Launch IIS Process Account |
IWAM_<computername> |
IIS Accounts |
Internet Guest Account |
IUSR_<computername> |
Common database |
SQL Server or Site Database1 |
Administrator’s choice |
Common database |
Web Report Application Role |
webreport_approle |
Common database |
SMS Schema Users |
smsschm_users |
Advanced Client |
Advanced Client Network Access2 |
Administrator’s choice |
Legacy Client |
CCM Boot Loader (DC) |
SMS#_dc |
Legacy Client |
CCM Boot Loader (Non-DC) |
SMSCCMBootAcct& |
Legacy Client |
Client Services (DC) |
SMS&_dc |
Legacy Client |
Client Services (Non-DC) |
SMSCliSvcAcct& |
Legacy Client |
Client User Token (DC) |
SMSCliToknAcct& |
Legacy Client |
Client User Token (Non-DC) |
SMSCliToknLocalAcct& |
Legacy Client |
Client Connection |
SMSClient_sitecode |
Legacy Client |
Legacy Client Software Installation2 |
Administrator’s choice |
1 In the SMS Administrator console, this account is called the SQL Server account, but some documentation refers to it as the Site Database account.
2 Microsoft recommends not using these accounts if possible. See the specific section on the account for more information.
Table C.2 SMS Groups
Account name |
Group name |
Group type and location |
|---|---|---|
SMS Administrators |
SMS Admins |
Local group on SMS site server and on the remote SMS Provider computer, if used |
Site System to Site Server Connection |
SMS_SiteSystemToSiteServerConnection_ sitecode |
Local group on SMS site server |
Site to Site Connection |
SMS_SiteToSiteConnection_ sitecode |
Local group on SMS site server |
Site System to SQL Server Connection |
SMS_SiteSystemToSQLConnection_ sitecode |
Local group on Microsoft SQL Server™ |
Reporting Users |
SMS Reporting Users |
Local group on reporting point |
Internal client group |
SMSInternalCliGrp |
|
IIS Worker Process Group |
IIS_WPG |
Local group on computers running IIS |