Creating or Modifying SMS Accounts and Groups

Following are procedures for creating and changing the SMS accounts that can be managed by an administrator.

SMS 2003 accounts are always created at the nearest domain controller, and then replicated to the other domain controllers using the replication process of Windows NT 4.0, Windows 2000, or Windows Server 2003 family operating systems.

On This Page

Creating or Modifying the Client Push Installation Account
Creating or Modifying the Site Address Account
Creating or Modifying the SQL Server Account
Creating or Modifying the Management Point or Server Locator Point Database Accounts
Creating or Modifying the SMS Service Account
Creating or Modifying the Site System Connection Account
Creating or Modifying the Advanced Client Network Access Account
Creating or Modifying the Client Connection Account
Creating or Modifying the Legacy Client Software Installation Account

Creating or Modifying the Client Push Installation Account

The Client Push Installation Account does not have to be a member of the Domain Admins group, but it must have local administrative credentials on the computers where the SMS client software is installed.

To create or modify the Client Push Installation Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new Client Push Installation Account

    - or -

    If you have already created a Client Push Installation Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to the site where you want to specify the Client Push Installation Account, or whose account you want to change.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Client Installation Methods

  3. Right-click Client Push Installation in the results pane, and then click Properties.

  4. In the Client Push Installation Properties dialog box, click the Accounts tab, and then click the new account icon. You can repeat this step and step 5 to specify additional accounts.

  5. In the Windows User Account dialog box:

    Specify the name and password of the new Client Push Installation Account that you created.

    - or -

    If you have already created a Client Push Installation Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.
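Before you point the site at a Client Push Installation Account, it is worth confirming the two requirements stated above on the actual targets: the account is in the local Administrators group of every computer you intend to push to, and it is not a member of Domain Admins. The following PowerShell script is an added example, not part of this documentation; the domain, account and computer names are assumptions. It uses the WinNT ADSI provider, which works against the down-level Windows versions SMS 2003 supports, and it only looks at direct group membership (an account that is a local administrator through a nested group is reported as missing).

```powershell
# Added example (not from the SMS 2003 documentation): verify that a candidate
# Client Push Installation Account is a local administrator on each push target
# and is NOT a member of Domain Admins. Domain, account and computer names are
# assumptions for illustration.
param(
    [string]$Domain      = 'CONTOSO',              # assumed NetBIOS domain name
    [string]$Account     = 'SMSClientPush',        # assumed Client Push Installation Account
    [string[]]$Computers = @('WKS001', 'WKS002')   # assumed push targets
)

# Returns "DOMAIN\name" for each direct member of a local group on a remote
# computer, via the WinNT ADSI provider (needs admin rights on the target).
function Get-LocalGroupMemberName {
    param([string]$ComputerName, [string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath looks like WinNT://CONTOSO/SMSClientPush
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

# Check 1: the account must not be in Domain Admins (least privilege).
$domainAdmins  = [ADSI]"WinNT://$Domain/Domain Admins,group"
$isDomainAdmin = $false
foreach ($m in $domainAdmins.psbase.Invoke('Members')) {
    $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    if ($name -ieq $Account) { $isDomainAdmin = $true }
}
if ($isDomainAdmin) {
    Write-Warning "$Domain\$Account is a member of Domain Admins; use a less privileged account."
}

# Check 2: the account must be a local administrator on every push target.
foreach ($c in $Computers) {
    try {
        $members = Get-LocalGroupMemberName -ComputerName $c
        if ($members -contains "$Domain\$Account") {
            Write-Output "${c}: OK   - $Domain\$Account is in local Administrators"
        } else {
            Write-Output "${c}: FAIL - $Domain\$Account is not in local Administrators (push will fail)"
        }
    } catch {
        Write-Output "${c}: ERROR - $($_.Exception.Message)"
    }
}
```

Run it from an administrative session in the domain; a FAIL line for a computer means client push to that computer will fail until the account is added to its local Administrators group (or a different account that already is a local administrator is added in step 4 above).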

Creating or Modifying the Site Address Account

The Site Address Account is used to establish communications and transfer data between parent and child sites. Parent sites use this account to transfer administrative data (such as package or collection data) to the child. Child sites use this account to transfer data (such as inventory data, discovery records, or status messages) to the parent site.

For standard security sites, you must specify a Site Address Account for each sender address when you create addresses for other sites. This account must have Read, Write, Execute, and Delete rights on the SMS\Inboxes\Despoolr.box\Receive folder on the destination site server. Advanced security sites use the site server's computer account if a Site Address Account is not set.

Important:

  • If you specify a Site Address Account for an address and then later decide you want to use the computer account as the Site Address Account, you must delete the address and recreate it. You cannot simply change the existing address to use the computer account as the Site Address Account.

You create each Site Address Account in both Windows NT User Manager for Domains or Active Directory Users and Computers and in the SMS Administrator console. If you modify this account, you must modify it in both locations, as well.

To create or modify the Site Address Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new Site Address Account.

    - or -

    If you have already created a Site Address Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to Addresses.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Addresses

  3. Click Addresses.

  4. Right-click the address whose site address account you want to change, and then click Properties.

  5. In the Address Properties dialog box, click the General tab, and then click Set.

  6. In the Windows Account dialog box:

    Specify the name and password of the new Site Address account you created.

    - or -

    If you have already created a Site Address Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

Note:

  • This account must be known to the destination site server that you specified on the General tab in the Address Properties dialog box. For SMS 2003 destination sites, the account should be added to the SMS_SiteToSiteConnection_sitecode group on the destination site server.
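The two destination-side requirements for the Site Address Account, membership in SMS_SiteToSiteConnection_sitecode and Read, Write, Execute and Delete rights on SMS\Inboxes\Despoolr.box\Receive, are easy to get wrong when the folder ACL is inherited from somewhere else. The following PowerShell script is an added example, not part of this documentation. It is run on the destination site server; the account name, site code and SMS installation path are assumptions. It evaluates the folder ACL only for ACEs granted to the account itself or to the site-to-site group, and lets Deny entries override Allow entries, as NTFS does.

```powershell
# Added example, not from the SMS 2003 documentation. Run on the DESTINATION
# site server of an address. Checks that the Site Address Account (1) is a
# member of the local SMS_SiteToSiteConnection_<sitecode> group and (2) holds
# Read, Write, Execute and Delete on SMS\Inboxes\Despoolr.box\Receive.
# Account name, site code and install path are assumptions for illustration.
param(
    [string]$Account  = 'CONTOSO\SMSSiteAddr',   # assumed Site Address Account
    [string]$SiteCode = 'AB1',                   # assumed destination site code
    [string]$SmsRoot  = 'C:\SMS'                 # assumed SMS installation path
)

$receive = Join-Path $SmsRoot 'Inboxes\Despoolr.box\Receive'
$group   = "SMS_SiteToSiteConnection_$SiteCode"

# --- Check 1: local group membership on this site server ---
$grp     = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
$members = @()
foreach ($m in $grp.psbase.Invoke('Members')) {
    $p = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $members += ($p -replace '^WinNT://', '' -replace '/', '\')
}
if ($members -contains $Account) {
    Write-Output "OK   - $Account is in $group"
} else {
    Write-Output "FAIL - $Account is not in $group (add it on this site server)"
}

# --- Check 2: effective NTFS rights on the Receive folder ---
# "Execute" on a folder is the ExecuteFile/Traverse bit; "Read" is the
# ReadData+ReadAttributes+ReadExtendedAttributes+ReadPermissions combination
# that the Read check box in the ACL editor grants.
$required = [System.Security.AccessControl.FileSystemRights]'Read, Write, ExecuteFile, Delete'

function Get-AccountRights {
    param([string]$Path, [string]$Identity, [string]$GroupName)
    $acl = Get-Acl -Path $Path
    $allow = 0; $deny = 0
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # Only ACEs for the account itself or for the site-to-site group count.
        if ($who -ine $Identity -and $who -notlike "*\$GroupName") { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                      { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # Deny ACEs win over Allow ACEs.
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

$granted = Get-AccountRights -Path $receive -Identity $Account -GroupName $group
$missing = [int]$required -band (-bnot [int]$granted)
if ($missing -eq 0) {
    Write-Output "OK   - $Account has Read/Write/Execute/Delete on $receive"
} else {
    Write-Output ("FAIL - missing rights on {0}: {1}" -f $receive,
        [System.Security.AccessControl.FileSystemRights]$missing)
}
```

If the account is granted the rights only through some other group (for example a domain group that is itself in the folder ACL), the script reports them as missing; extend the identity filter in Get-AccountRights to cover that group if your environment relies on it.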

Creating or Modifying the SQL Server Account

For ease of administration, if you have to change the password or the user account for the SQL Server Account, you can use the SMS Administrator console or site reset.

To create or modify the user account for the SQL Server account using the SMS Administrator console

  1. In SQL Server Enterprise Manager:

    Create a new user account for the SQL Server account.

    - or -

    If you have already created a user account that you want to modify, then modify the name or password (or both) of the existing account.

  2. In the SMS Administrator console, navigate to the SMS site whose user account you want to specify or change.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name

  3. Right-click the site, and then click Properties.

  4. In the Site Properties dialog box, click the Accounts tab, and then click Set.

  5. In the SQL Server Account dialog box:

    Specify the name and password of the new user account that you created in SQL Server Enterprise Manager.

    - or -

    If you have already created a user account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

For higher reliability, use site reset to change the password for the SQL Server account. If your organization has geographically dispersed sites, you can perform this change without traveling to each site server by using SMS software distribution or Remote Tools.

To modify the user account for the SQL Server account using site reset

  1. In SQL Server Enterprise Manager, modify the name or password, or both, of the existing user account for the SQL Server account.

  2. Start the SMS Setup Wizard.

  3. In the Setup Options page, click Modify or reset the current installation.

  4. In the Integrated Security for SMS Site Database page, modify the user account to use the same password and name that you specified in step 1.

Creating or Modifying the Management Point or Server Locator Point Database Accounts

Creating or modifying the SQL Server management point or server locator point database accounts is much the same as creating or modifying the SQL Server account.

Note:

  • Some time might elapse between setting a new SQL Server account in the SMS Administrator console and all relevant site systems starting to use that account, typically about 2 to 15 minutes. If you want site system functionality to remain available while the accounts are changed, keep the old account valid until all site systems have had a chance to receive the new account details.

Creating or Modifying the SMS Service Account

Multiple sites and domains can share the SMS Service Account if you configure appropriate trust relationships and group inclusion, and if you specify the same domain name and account name for this account on the appropriate site servers. However, if more than one site shares the SMS Service Account, and you plan to change the account password, create a second account to avoid lockouts.

SMS Setup creates the SMS Service Account during site setup, using the account name and password that you specify in the SMS Setup Wizard. To modify the SMS Service Account, first change it in Windows NT User Manager for Domains or Active Directory Users and Computers, and then make the change effective either through site reset or through the SMS Administrator console.

If you must change the password for the SMS Service Account, you can use the operating system tools to change the password and use the SMS Administrator console to make it effective, rather than doing a site reset.

The SMS Service Account must have administrative credentials on the site server and the Log on as a service right. If the account you specify does not have sufficient credentials, the previous SMS Service Account is used by the site, but the SMS Administrator console displays the account you specified.
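Because the site silently keeps the previous SMS Service Account when the new one lacks rights, while the console shows the account you typed, it is worth checking both requirements on the site server before you switch. The following PowerShell script is an added example, not part of this documentation; the account name is an assumption. It checks direct membership in the local Administrators group through the WinNT ADSI provider and reads the Log on as a service assignment (SeServiceLogonRight) from a secedit export of the local security policy.

```powershell
# Added example, not from the SMS 2003 documentation. Run on the site server
# before pointing the site at a new SMS Service Account: confirms the account
# is a local administrator and holds the "Log on as a service" user right
# (SeServiceLogonRight). If either is missing, SMS keeps using the previous
# account even though the console shows the new one. Account name is assumed.
param(
    [string]$Account = 'CONTOSO\SMSService'   # assumed SMS Service Account
)

$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- Check 1: direct member of the local Administrators group ---
$admins     = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$adminPaths = foreach ($m in $admins.psbase.Invoke('Members')) {
    $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', '' -replace '/', '\'
}
$isAdmin = @($adminPaths) -contains $Account

# --- Check 2: SeServiceLogonRight in the local security policy ---
# secedit exports each right as "Name = entry,entry,..."; SIDs carry a '*' prefix,
# names appear as typed. The export file is removed after reading.
$inf  = Join-Path $env:TEMP 'sms-user-rights.inf'
$null = secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-UserRight {
    param([string]$PolicyLine, [string]$Sid, [string]$Name)
    if (-not $PolicyLine) { return $false }
    $entries = ($PolicyLine -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e -eq "*$Sid" -or $e -ieq $Name) { return $true }
    }
    $false
}
$hasRight = Test-UserRight -PolicyLine $line -Sid $sid -Name $Account

Write-Output ("{0} local Administrators membership: {1}" -f $Account, $(if ($isAdmin) { 'OK' } else { 'MISSING' }))
Write-Output ("{0} Log on as a service right:        {1}" -f $Account, $(if ($hasRight) { 'OK' } else { 'MISSING (no direct grant found)' }))
if (-not ($isAdmin -and $hasRight)) {
    Write-Warning 'Do not switch the site to this account until both checks pass; SMS would silently keep the old account.'
}
```

Both checks look only at direct assignments. An account that gets the right or the group membership through a nested group shows as MISSING here, so treat a MISSING result as something to verify rather than as proof of failure.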

To create or modify the SMS Service Account using the SMS Administrator console

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new SMS Service Account.

    - or -

    If you have already created an SMS Service Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to the site whose SMS Service Account you want to specify or change.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name

  3. Right-click the site, and then click Properties.

  4. In the Site Properties dialog box, click the Accounts tab, and then click Set.

  5. In the Windows Account dialog box:

    Specify the name and password of the new SMS Service Account that you created in the operating system.

    - or -

    If you have already created an SMS Service Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

For higher reliability, use site reset to change the password for the SMS Service Account.

To modify the SMS Service Account using site reset

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers, modify the name or password, or both, of the existing account.

  2. Start the SMS Setup Wizard.

  3. On the Setup Options page, click Modify or reset the current installation.

  4. In the SMS Service Account Information page, modify the account to use the same password and name that you specified in step 1.

Creating or Modifying the Site System Connection Account

To enhance security, specify that the Site System Connection Account be used by services that run on the site server to connect to site systems. If you do not create this account, the SMS Service Account is used instead.

To create or modify the Site System Connection Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new Site System Connection Account.

    - or -

    If you have already created a Site System Connection Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to Site System.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Connection Accounts > Site Systems

  3. Right-click Site System, point to New, and then click Windows User Account.

  4. In the Connection Account Properties dialog box, click Set.

  5. In the Windows User Account dialog box:

    Specify the name and password of the new Site System Connection Account that you created using the operating system tool.

    - or -

    If you have already created a Site System Connection Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

Creating or Modifying the Advanced Client Network Access Account

Advanced Clients can use the Advanced Client Network Access Account to access network shares on servers that are not SMS.

To avoid account lockouts, do not change the password on an existing Advanced Client Network Access Account. You should create a new account and set SMS to use that account. When sufficient time has passed for all clients to have received the new account's details, the old account can be removed from the network shares and deleted.

To create or modify an Advanced Client Network Access Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new Advanced Client Network Access Account.

    - or -

    If you have already created an Advanced Client Network Access Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to Component Configuration.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Component Configuration

  3. Click Component Configuration.

  4. In the details pane, right-click Software Distribution, and then click Properties.

  5. In the Software Distribution Properties dialog box, click the General tab, and then click Set in the Advanced Client Network Access Account box.

  6. In the Windows User Account dialog box:

    Specify the name and password of the new Advanced Client Network Access Account that you created in the operating system.

    - or -

    If you have already created an Advanced Client Network Access Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

Creating or Modifying the Client Connection Account

SMS creates and maintains a local SMS Client Connection Account (SMSClient_sitecode) for each CAP, but for enhanced security, site integrity, and fault tolerance, it is recommended that you create additional accounts. If clients must access CAPs in multiple domains, this account must be granted adequate permissions to the CAPs residing in the other domains, or additional accounts must be created.

To create or modify the SMS Client Connection Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new SMS Client Connection Account.

    - or -

    If you have already created an SMS Client Connection Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to Client.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Connection Accounts > Client

  3. Right-click Client, point to New, and then click Windows.

  4. In the Connection Account Properties dialog box, click Set.

  5. In the Windows Account dialog box:

    Specify the name and password of the new SMS Client Connection Account that you created.

    - or -

    If you have already created an SMS Client Connection Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

When creating additional SMS Client Connection Accounts, ensure that multiple accounts are valid for each domain that clients are in. You do not realize the benefits of having multiple accounts until every client has multiple valid accounts available. For example, if you create four SMS Client Connection Accounts, but each account is valid for clients in only one domain, then the clients in other domains can still become locked out.

You can use the following procedure to ensure that two valid client connection accounts are maintained at all times. Implement this procedure in every domain that has a client connection account used by clients in the site. The following procedure describes how to create three new client connection accounts, and then cycle the creation of additional new accounts and the deletion of old accounts. By creating three new accounts, adding a new account and then deleting an old account, you ensure that two valid accounts remain available during account maintenance - the newer account and the older account. The older account helps ensure that clients who have been offline for a longer time and then return online have a valid account and password.

Note:

  • The time between a cycle of adding and deleting accounts in a three account cycle should be one-third of the maximum password age set in the operating system. In this procedure, the time between cycles of adding and deleting accounts is two weeks (one-third of the default 42-day maximum password age).

To cycle SMS Client Connection Accounts

  1. Start User Manager for Domains or Active Directory Users and Computers and create the following three accounts:

    • SMSClient_00001

    • SMSClient_00002

    • SMSClient_00003

    (Use the format SMSClient_XXXXX when you name your accounts to ensure sufficient account capacity.)

  2. In the SMS Administrator console, create the same three accounts.

    For information about creating SMS Client Connection Accounts in the SMS Administrator console, see the Systems Management Server Administrator Help.

  3. Two weeks after you create the first three accounts, create a fourth account (SMSClient_00004) in User Manager for Domains or Active Directory Users and Computers and in the SMS Administrator console.

  4. Delete the oldest account (SMSClient_00001) from User Manager for Domains or Active Directory Users and Computers and from the SMS Administrator console.

  5. Two weeks after you delete the oldest account, add a new account (SMSClient_00005) to User Manager for Domains or Active Directory Users and Computers and the SMS Administrator console.

  6. Delete the oldest account (SMSClient_00002) from User Manager for Domains or Active Directory Users and Computers and from the SMS Administrator console.

Continue this cycle every two weeks by adding a new account with an incremented number in the account name (SMSClient_00006, SMSClient_00007, and so on) and by deleting the oldest account in the series. Remember to add and delete the account in both User Manager for Domains or Active Directory Users and Computers and the SMS Administrator console.
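The directory half of one turn of this cycle (add the next SMSClient_XXXXX account, delete the oldest, keep two valid accounts) is mechanical enough to script. The following PowerShell script is an added example, not part of this documentation, and it generalizes the procedure slightly: instead of hard-coding SMSClient_00004, it derives the next five-digit suffix from the accounts that already exist, and it derives the two-week cadence from the domain's maximum password age as the note above describes. The OU, the password length and the parameter defaults are assumptions. The SMS Administrator console half of each turn (adding the new account under Site Settings > Connection Accounts > Client and removing the deleted one) still has to be done by hand, so the script prints the generated password once for that purpose.

```powershell
# Added example, not from the SMS 2003 documentation. Performs one turn of the
# three-account SMS Client Connection Account cycle in Active Directory:
# creates the next SMSClient_XXXXX account and deletes the oldest so that the
# newest account and one older account stay valid. The SMS Administrator
# console still has to be updated by hand. OU and password length are assumed.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Prefix              = 'SMSClient_',
    [string]$Path                = 'OU=Service Accounts,DC=contoso,DC=com',  # assumed OU
    [int]$KeepCount              = 3,    # accounts left after a turn (newest + two older)
    [int]$MaxPasswordAgeDays     = 42    # domain maximum password age; cycle every third of it
)

# Accounts in the series are Prefix followed by exactly five digits, sorted by suffix.
function Get-CycleAccounts {
    param([string]$Prefix)
    $pattern = '^' + [regex]::Escape($Prefix) + '(\d{5})$'
    Get-ADUser -Filter "SamAccountName -like '$Prefix*'" -Properties whenCreated |
        Where-Object { $_.SamAccountName -match $pattern } |
        Sort-Object { [int]($_.SamAccountName.Substring($Prefix.Length)) }
}

# Next name in the series: highest existing suffix + 1, zero-padded to five digits.
function Get-NextAccountName {
    param([string]$Prefix, [string[]]$Existing)
    $max = 0
    foreach ($n in $Existing) {
        $v = [int]$n.Substring($Prefix.Length)
        if ($v -gt $max) { $max = $v }
    }
    '{0}{1:D5}' -f $Prefix, ($max + 1)
}

# Random password from a CSPRNG; it is typed into the SMS console once and never reused.
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^&*-_=+'
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$existing = @(Get-CycleAccounts -Prefix $Prefix)
$names    = @($existing | ForEach-Object { $_.SamAccountName })

# Cadence from the note above: one-third of the maximum password age (42 days -> 14).
$intervalDays = [math]::Floor($MaxPasswordAgeDays / 3)
if ($existing.Count -gt 0) {
    $newest = $existing[-1]
    $age    = (Get-Date) - $newest.whenCreated
    if ($age.TotalDays -lt $intervalDays) {
        Write-Warning ("Newest account {0} is {1:N0} days old; the next turn is due in {2:N0} days." -f
            $newest.SamAccountName, $age.TotalDays, ($intervalDays - $age.TotalDays))
    }
}

# 1. Create the next account in the series. Password expiry is left at the domain
#    default on purpose: the cycle replaces the account before it can expire.
$newName  = Get-NextAccountName -Prefix $Prefix -Existing $names
$password = New-RandomPassword
if ($PSCmdlet.ShouldProcess($newName, 'Create client connection account')) {
    New-ADUser -Name $newName -SamAccountName $newName -Path $Path `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true -CannotChangePassword $true `
        -Description 'SMS Client Connection Account (cycled)'
    Write-Output "Created $newName; add it in the SMS Administrator console with this password:"
    Write-Output $password
}

# 2. Delete the oldest accounts beyond KeepCount.
$surplus = ($names.Count + 1) - $KeepCount
if ($surplus -gt 0) {
    foreach ($old in $existing[0..($surplus - 1)]) {
        if ($PSCmdlet.ShouldProcess($old.SamAccountName, 'Delete oldest client connection account')) {
            Remove-ADUser -Identity $old.SamAccountName -Confirm:$false
            Write-Output "Deleted $($old.SamAccountName); remove it from the SMS Administrator console too."
        }
    }
}
```

Run it once with -WhatIf to see which account would be created and which deleted. To seed the series as step 1 of the procedure describes, run it three times on the first day (no deletion happens until more than three accounts exist); from then on one run every two weeks matches the cycle, and the script warns if it is run early. Run it separately in every domain whose clients use a client connection account, as the text above requires.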

Creating or Modifying the Legacy Client Software Installation Account

All mentions of the word client in this section refer to the Legacy Client. You can create the Legacy Client Software Installation Account to provide a security context that might be required by certain advertised programs when they run on Legacy Client computers. When you configure the software distribution component, you can specify an account for programs to use on clients that are running Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003 family operating systems when no user is logged on. This account is only required when an advertised program must have access to a network resource that is not managed by SMS and is not accessible to the account that the program is running under (either the currently logged on user or the Client User Token Account).

The account can be created anywhere, but the client must be able to find the domain where the account resides. The account does not work if the client cannot find it, and if the client fails to find the correct account, account lockouts could result.

There is no requirement to make this account an administrative account. It must have sufficient network privileges to complete the program requirements. If the account is not an administrative account, either directly or indirectly through group membership, the Advertised Programs Manager temporarily adds it directly to the local Administrators group before running the program.

You create the Client Software Installation Account in both Windows NT User Manager for Domains or Active Directory Users and Computers and in the SMS Administrator console. If you change the password for this account, you must also change it in both locations.

To create or modify a Legacy Client Software Installation Account

  1. In Windows NT User Manager for Domains or Active Directory Users and Computers:

    Create a new Client Software Installation Account.

    - or -

    If you have already created a Legacy Client Software Installation Account that you want to modify, then modify the name or password, or both, of the existing account.

  2. In the SMS Administrator console, navigate to Component Configuration.

    Where?

    Systems Management Server > Site Database (site code - site name) > Site Hierarchy > site code - site name > Site Settings > Component Configuration

  3. Click Component Configuration.

  4. In the details pane, right-click Software Distribution, and then click Properties.

  5. In the Software Distribution Properties dialog box, click the General tab, and then click Set in the Legacy Client Software Installation Account box.

  6. In the Windows User Account dialog box:

    Specify the name and password of the new Client Software Installation Account that you created in the operating system.

    - or -

    If you have already created a Client Software Installation Account that you want to modify, then modify the account to use the same password and name that you specified in step 1.

For More Information

Did you find this information useful? Please send your suggestions and comments about the documentation to smsdocs@microsoft.com