Network Access Protection Security Rights

Applies to: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

By default, the Configuration Manager 2007 administrator has all rights for each object class or instance. You can modify these rights, and you can add new administrators with restricted rights, wherever the properties of the object have a Security tab.

Security rights are most commonly configured to control delegated administration, where selected administrators have just enough security rights to perform their job and no more, adhering to the security best practice of least privilege. For example, administrators can be allowed to view Configuration Manager NAP policies but not to modify or delete them. For more information about configuring security rights in Configuration Manager, see Overview of Configuration Manager Object Security and WMI and How to Assign Rights for Objects to Users and Groups.

For more information about delegated administration and how role separation can be used with Network Access Protection in Configuration Manager, see Determine Administrator Roles and Processes for Network Access Protection.

You can set the following security rights on both the Network Access Protection node and the Policies node:

  • Administer

  • Create

  • Delegate

  • Delete

  • Distribute

  • Manage folders

  • Modify

  • Network Access

  • Read

The Distribute and Manage folders rights are not applicable to Network Access Protection.

To configure these security rights, perform the following steps:

  1. Right-click either the Network Access Protection node or the Policies node.

  2. Click Properties, and then click Security.

  3. Configure the security rights you require, and then click OK.


For additional information, see Configuration Manager 2007 Information and Support.