Your account management for Systems Management Server (SMS) will vary depending on whether you are using advanced security or standard security, and whether you are using the Advanced Client or the Legacy Client.
From a security standpoint, using the Legacy Client is not desirable. Make every effort to remove the Legacy Client from your environment as soon as possible.
This section details best practices for managing SMS accounts. For a comprehensive list of all SMS accounts, including the ones created and maintained automatically by SMS, see Appendix C: SMS Accounts, Groups, and Passwords.
For tasks relating to SMS account management, see SMS Accounts Management in Appendix E: “SMS Security Procedures.”
This section begins by discussing general account management that applies to both standard and advanced security. When you use advanced security, most of the account complexity is reduced, but more manual steps can be required by the administrator.
If you run standard security, there are additional best practices for security. If you are forced to run the Legacy Client, see Appendix D: Legacy Client Security Environment for information about Legacy Client security.
WARNING ABOUT THE SMS 2003 SITE SERVER COMPUTER ACCOUNT:
Verify the Proper Computer Accounts Have All Necessary Permissions
Advanced security requires fewer accounts, but requires more administrative action to provide the appropriate security environment. Requiring administrative intervention provides checks and balances for secure SMS account administration.
The following section is not so much best practices as it is requirements for advanced security to function properly. Most errors with advanced security are due to incorrect group configuration.
Verify that the computer accounts for the management points, client access points, reporting points, server locator points, and the SMS site database server (if remote) are added to the Site System to Site Server Connection group
When you upgrade a standard security site to advanced security, SMS automatically adds the computer accounts for the client access point (CAP), management point, and SMS site database server (if remote) to the Site System to Site Server Connection group. You must manually add the reporting points and server locator points. Do not add distribution points to this group.
Verify that all sites have accounts configured for site-to-site communications
If you are migrating from standard security to advanced security, the existing Site Address Accounts still function. If you later decide you want to use the computer account as the Site Address Account, verify that the computer account of the sending computer is a member of the Site to Site Connection group on the receiving computer. A child site sends only to the parent site, but a parent site might initiate site-to-site communications with a child or grandchild site and require membership in the Site to Site Connection group on grandchild sites.
Important: If you specify a domain user account as the Site Address account and then later decide you want to use the computer account as the Site Address account, you must delete the address and recreate it. Changing the account name is not sufficient when switching from a user account to the computername$ account.
Verify that the computer account for the site server is added to the local Administrators group for every management point, client access point, reporting point, server locator point, SMS site database server (if remote), and distribution point.
If you are using Windows Server 2003, you can add computer accounts to groups by using the graphical user interface.
If you are using Windows 2000 Server, you can add a computer account to a local group or local domain group only by using the command prompt.
For the procedures, see “Adding Computer Accounts to Groups” in Appendix E: “SMS Security Procedures.”
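The two membership requirements above (site system computer accounts in the Site System to Site Server Connection group, and the site server's computer account in local Administrators on every site system) can be audited from the site server with the following PowerShell script. It is an added example, not part of the SMS documentation; the domain, the computer names and their roles, and the connection group name are placeholders you must replace, and it assumes the connection group is a local group on the site server that the WinNT ADSI provider can read.

```powershell
# Added example, not from the SMS documentation. Checks two advanced-security requirements:
#  1. every site system except distribution points is in the Site System to Site Server
#     Connection local group on the site server (distribution points must NOT be members);
#  2. the site server's computer account is in local Administrators on every site system.
# Domain, computer names, roles and the group name below are placeholders (assumptions).
$Domain      = "CONTOSO"
$SiteServer  = $env:COMPUTERNAME          # run this on the site server
$ConnGroup   = "SITE_SYSTEM_TO_SITE_SERVER_CONNECTION_GROUP"   # placeholder: your site's group name
$SiteSystems = @{                         # computer name -> role (placeholders)
    "MP01"  = "management point";          "CAP01" = "client access point"
    "RP01"  = "reporting point";           "SLP01" = "server locator point"
    "SQL01" = "site database server";      "DP01"  = "distribution point"
}

function Get-LocalGroupMemberNames([string]$Computer, [string]$Group) {
    # The WinNT ADSI provider can enumerate local groups on Windows 2000 and 2003 targets;
    # computer accounts are returned with the trailing '$' (for example SMSSITE01$).
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
}

# Requirement 1: connection group membership on the site server
$connMembers = Get-LocalGroupMemberNames $SiteServer $ConnGroup
foreach ($name in $SiteSystems.Keys) {
    $present = $connMembers -contains "$name`$"
    $isDP    = $SiteSystems[$name] -eq "distribution point"
    if ($isDP -and $present) {
        "REMOVE  $name`$ from $ConnGroup (distribution points must not be members)"
    } elseif (-not $isDP -and -not $present) {
        "ADD     $name`$ to ${ConnGroup}: net localgroup `"$ConnGroup`" $Domain\$name`$ /add"
    } else {
        "OK      $ConnGroup / $name ($($SiteSystems[$name]))"
    }
}

# Requirement 2: site server computer account in local Administrators on each site system
foreach ($name in $SiteSystems.Keys) {
    try {
        $admins = Get-LocalGroupMemberNames $name "Administrators"
        if ($admins -contains "$SiteServer`$") { "OK      Administrators on $name" }
        else { "ADD     run on ${name}: net localgroup Administrators $Domain\$SiteServer`$ /add" }
    } catch {
        "ERROR   cannot read Administrators on ${name}: $($_.Exception.Message)"
    }
}
```

The suggested `net localgroup ... /add` commands it prints are the command-prompt form that works on Windows 2000 Server as well as Windows Server 2003; the script only reports and does not change any group.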
The full article is on the Microsoft TechNet web site.