System Center Configuration Manager 2007 : The Configuration Manager Console - Security Considerations

10/12/2013 2:00:21 AM
The console is installed during the site server setup process. After installation, by default only the administrator who ran the setup has access to the console.

Special permissions are required when other users want to install and use the console from their workstations. These permissions can be divided into two categories:

  • Distributed Component Object Model (DCOM)

  • Windows Management Instrumentation (WMI)

The next sections discuss these areas.

Configuring Required DCOM Permissions for the ConfigMgr Console

Administrators running the console from their workstation require Remote Activation DCOM permissions. These permissions are required on the site server and the SMS provider.

The SMS provider is the interface between the Configuration Manager console and the site database. The console uses WMI to connect to the SMS provider, and WMI itself uses DCOM. Due to these dependencies, DCOM permissions are required when running the console on a system other than the SMS provider.

Access to the SMS provider is delivered through the SMS Admins group, which is a local security group on every site server. All users running the console must be members of this group. By default, members of this group do not have administrator rights in Configuration Manager. Specific class and instance rights are still required. In the following procedure, DCOM permissions are linked to the SMS Admins group:

  • If the SMS provider is installed on a computer other than the site server, you must perform this procedure on both the site server and the SMS provider computer.

  • When the SMS provider is installed on the site server, you need to perform this procedure only on the site server computer.

Perform the following steps to configure Remote Activation permissions for the SMS Admins group:

1. To open the Component Services Management console, click Start -> Run and then type dcomcnfg.exe.

2. In the Component Services Management console, select the Console root and then expand the Component Services node.

3. Under the Component Services node, expand Computers and then click My Computer.

4. In the Component Services menu bar, click Action and then select Properties from the menu.

5. In the Properties dialog box, click the COM Security tab.

6. In the Launch and Activation Permissions section, click Edit Limits.

7. In the Launch and Activation Permissions dialog box, click Add.

8. In the Select Users, Computer or Groups window, click the Locations button.

9. In the Locations dialog box, select the computer account (rather than the domain) and click OK.

10. In the Select Users, Computer or Groups window, type SMS Admins in the Enter object names to select section. Click OK.

11. In the permissions area for SMS Admins, check the Remote Activation box. Figure 1 shows this selection.

Figure 1. Establishing DCOM permissions for the SMS Admins group

12. Click OK twice and close the Component Services Management console.
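
To audit the result of this procedure, the following added example (not part of the original text) lists which trustees hold Remote Activation in the machine-wide launch and activation limits. It assumes the limits edited through Edit Limits are stored in the MachineLaunchRestriction value under HKLM\SOFTWARE\Microsoft\Ole and that the script runs elevated on the site server or SMS provider computer; the function name Get-DcomLaunchLimit is hypothetical.

```powershell
# Added example: audit the machine-wide DCOM launch/activation limits.
# COM launch/activation access-mask bits (COM_RIGHTS_* constants).
$ComRights = @{
    'Local Launch'      = 0x02
    'Remote Launch'     = 0x04
    'Local Activation'  = 0x08
    'Remote Activation' = 0x10
}

function Get-DcomLaunchLimit {            # hypothetical helper name
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $value = (Get-ItemProperty -Path $key).MachineLaunchRestriction
    if (-not $value) {
        Write-Warning 'MachineLaunchRestriction is not set; system defaults apply.'
        return
    }
    # The registry value is a self-relative binary security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $value, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }      # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        $held = @($ComRights.Keys | Where-Object { $mask -band $ComRights[$_] } | Sort-Object)
        New-Object PSObject -Property @{
            Trustee = $name
            AceType = $ace.AceType
            Rights  = $held -join ', '
        }
    }
}

# Every trustee allowed to activate COM servers remotely on this computer.
# After the procedure above, "<computer>\SMS Admins" should be in this list.
Get-DcomLaunchLimit |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Rights -match 'Remote Activation' } |
    Select-Object Trustee, Rights
```

Any trustee in the output other than the built-in defaults and SMS Admins is worth reviewing, because the limits ACL applies to every COM server on the computer, not only to the SMS provider.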

Verifying and Configuring WMI Permissions

The SMS provider is the main communication interface between the site servers and the Configuration Manager console. The console itself uses a combination of DCOM and WMI.

In addition to the DCOM permissions, WMI permissions are also required. By default, the SMS Admins group has the required WMI permissions. Use the following procedure if you are using a security group other than the SMS Admins group, or if you face issues connecting due to misconfigured WMI permissions.

Note: Identifying Connection Problems

If you face connection problems, you can identify them by the following entry in the SMSAdminUI.log:

Error(ConnectServer):
Possible UI connection error code is -2147217405 [0x80041003]

After verbose logging is enabled, the log file is located in the <ConfigMgrInstallPath>\AdminUI\AdminUILog folder.


To verify or configure WMI permissions, perform the following steps:

1. On the server running the SMS provider, click Start -> Run, type wmimgmt.msc, and then click OK.

2. In the WMI Control console, right-click the WMI Control node and then click Properties in the menu.

3. In the Properties dialog box, select the Security tab.

4. Expand the Root and then click the SMS folder.

5. To verify the configured permissions, click the Security button.

6. The SMS Admins group or a custom group requires the Enable Account and Remote Enable permissions, as configured in Figure 2.

Figure 2. Enabling WMI permissions for the SMS Admins group

7. When you have configured all permissions correctly, click OK twice.

8. Close the WMI Control console.
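
The same verification can be scripted. The following added example (not part of the original text) reads the access control list of the root\SMS namespace and reports whether a group holds the Enable Account and Remote Enable permissions. It assumes PowerShell 2.0 or later on Windows Vista / Windows Server 2008 or later, where the __SystemSecurity class exposes GetSecurityDescriptor, and that it runs elevated on the SMS provider computer; the function name Test-SmsNamespaceAccess is hypothetical.

```powershell
# Added example: check a group's rights on the root\SMS WMI namespace.
# WMI namespace access-mask bits for the two permissions named in step 6.
$WBEM_ENABLE        = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"

function Test-SmsNamespaceAccess {        # hypothetical helper name
    param(
        [string]$Group     = 'SMS Admins',
        [string]$Namespace = 'root\SMS'
    )
    # __SystemSecurity holds the namespace ACL; GetSecurityDescriptor
    # returns it as a structured descriptor with a DACL array of ACEs.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                               -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
    }
    $allowed = 0
    $denied  = 0
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.Trustee.Name -ne $Group) { continue }
        switch ($ace.AceType) {
            0 { $allowed = $allowed -bor $ace.AccessMask }   # access allowed
            1 { $denied  = $denied  -bor $ace.AccessMask }   # access denied
        }
    }
    # A deny ACE for the group overrides an allow ACE for the same right.
    $effective = $allowed -band (-bnot $denied)
    New-Object PSObject -Property @{
        Group         = $Group
        Namespace     = $Namespace
        EnableAccount = [bool]($effective -band $WBEM_ENABLE)
        RemoteEnable  = [bool]($effective -band $WBEM_REMOTE_ACCESS)
    }
}

# Both EnableAccount and RemoteEnable should be True for the console group.
Test-SmsNamespaceAccess -Group 'SMS Admins'
```

The check only matches ACEs granted directly to the named group; rights a user receives through other groups are not evaluated.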
 