The console is installed during the site server setup process. After installation, by default only the administrator who ran the setup has access to the console.
Special permissions are required when other users want to install and use the console from their workstations. These permissions can be divided into two categories:
- DCOM permissions
- WMI permissions
The next sections discuss these areas.
Configuring Required DCOM Permissions for the ConfigMgr Console
Administrators running the console from their workstation require Remote Activation DCOM permissions. These permissions are required on the site server and the SMS provider.
The SMS provider is the interface between the Configuration Manager console and the site database. The console uses WMI to connect to the SMS provider, and WMI itself uses DCOM. Due to these dependencies, DCOM permissions are required when running the console on a system other than the SMS provider.
Access to the SMS provider is delivered through the SMS Admins group, which is a local security group on every site server. All users running the console must be members of this group. By default, members of this group do not have administrator rights in Configuration Manager. Specific class and instance rights are still required. In the following procedure, DCOM permissions are linked to the SMS Admins group:
- If the SMS provider is installed on a computer other than the site server, you must perform this procedure on both the site server and the SMS provider computer.
- When the SMS provider is installed on the site server, you need to perform this procedure only on the site server computer.
Perform the following steps to configure Remote Activation permissions for the SMS Admins group:
1. To open the Component Services Management console, click Start -> Run and then type dcomcnfg.exe.
2. In the Component Services Management console, select the Console root and then expand the Component Services node.
3. Under the Component Services node, expand Computers and then click My Computer.
4. In the Component Services menu bar, click Action and then select Properties from the menu.
5. In the Properties dialog box, click the COM Security tab.
6. In the Launch and Activation Permissions section, click Edit Limits.
7. In the Launch and Activation Permissions dialog box, click Add.
8. In the Select Users, Computer or Groups window, click the Locations button.
9. In the Locations dialog box, select the computer account (rather than the domain) and click OK.
10. In the Select Users, Computer or Groups window, type SMS Admins in the Enter object names to select section. Click OK.
11. In the permissions area for SMS Admins, check the Remote Activation box. Figure 1 shows this selection.
12. Click OK twice and close the Component Services Management console.
Verifying and Configuring WMI Permissions
The SMS provider is the main communication interface between the site servers and the Configuration Manager console. The console itself uses a combination of DCOM and WMI.
In addition to the DCOM permissions, WMI permissions are also required. By default, the SMS Admins group has the required WMI permissions. Use the following procedure if you are using a security group other than the SMS Admins group, or if you face issues connecting due to misconfigured WMI permissions.
Note: Identifying Connection Problems
If you face connection problems, you can identify them by the following entry in the SMSAdminUI.log:
Error(ConnectServer):
Possible UI connection error code is -2147217405 [0x80041003]
After verbose logging is enabled, the log file is located in the <ConfigMgrInstallPath>\AdminUI\AdminUILog folder.
To verify or configure WMI permissions, perform the following steps:
1. On the server running the SMS provider, click Start -> Run, type wmimgmt.msc, and then click OK.
2. In the WMI Control console, right-click the WMI Control node and then click Properties in the menu.
3. In the Properties dialog box, select the Security tab.
4. Expand the Root and then click the SMS folder.
5. To verify the configured permissions, click the Security button.
6. The SMS Admins group or a custom group requires the Enable Account and Remote Enable permissions, as configured in Figure 2.
7. When you have configured all permissions correctly, click OK twice.
8. Close the WMI Control console.
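Both procedures set rights through the GUI. The script below is an added example, not part of the original article, that reads the same settings back so they can be audited: the DCOM Remote Activation limit and the two WMI rights on the root\SMS namespace. It assumes Windows PowerShell 3.0 or later on Windows Server 2008 or later, an elevated session, and the default group name SMS Admins.

```powershell
# Added example, not from the original article. Run elevated in Windows PowerShell
# on the SMS provider server (and on the site server for the DCOM check).
$Group = 'SMS Admins'               # assumption: change for a custom group

$WBEM_ENABLE                = 0x01  # WMI "Enable Account"
$WBEM_REMOTE_ACCESS         = 0x20  # WMI "Remote Enable"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10  # DCOM "Remote Activation"

function Get-AllowMask {
    # OR together the access masks of every allow ACE (AceType 0) for the trustee.
    # Deny ACEs and nested group membership are not evaluated.
    param($Dacl, [string]$Name)
    [uint32]$mask = 0
    foreach ($ace in $Dacl) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq $Name) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $mask
}

# WMI: security descriptor of the root\SMS namespace (the SMS folder under Root)
$wmi = Invoke-WmiMethod -Namespace 'root\SMS' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($wmi.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($wmi.ReturnValue)" }
$wmiMask = Get-AllowMask $wmi.Descriptor.DACL $Group

# DCOM: machine-wide launch and activation limits (the "Edit Limits" button)
$bin = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
if ($null -eq $bin) { throw 'MachineLaunchRestriction is not set; defaults are in effect' }
$sd = ([wmiclass]'Win32_SecurityDescriptorHelper').BinarySDToWin32SD($bin)
if ($sd.ReturnValue -ne 0) { throw "BinarySDToWin32SD returned $($sd.ReturnValue)" }
$dcomMask = Get-AllowMask $sd.Descriptor.DACL $Group

# Report the three rights the procedures grant, plus the raw masks so that
# any rights beyond the required ones are visible during review.
[pscustomobject]@{
    Group                = $Group
    WmiEnableAccount     = [bool]($wmiMask -band $WBEM_ENABLE)
    WmiRemoteEnable      = [bool]($wmiMask -band $WBEM_REMOTE_ACCESS)
    WmiMask              = '0x{0:X}' -f $wmiMask
    DcomRemoteActivation = [bool]($dcomMask -band $COM_RIGHTS_ACTIVATE_REMOTE)
    DcomMask             = '0x{0:X}' -f $dcomMask
}
```

A False value in any of the three flags matches the access-denied symptom (0x80041003) described in the note above. A mask with bits beyond the ones listed means the group holds more rights than these procedures grant.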