Custom SMS Administrator Consoles

 < Day Day Up > 



The SMS Administrator Console is an MMC snap-in, and, consequently, you can create customized versions of the console to distribute to your administrators. You can create a custom SMS Administrator Console that displays only the SMS objects to which a particular administrator needs access to perform delegated tasks such as package distribution, advertising, or initiating remote diagnostic sessions.

Perhaps the most common form of delegation is the help desk function. In a large organization, it wouldn't be unusual to have an administrator or a group whose help desk responsibility is focused on specific departments or regions. It might not be desirable or practical for these individuals to have full access to every object in the SMS database. They really need access only to their assigned department's collection and the ability to initiate remote sessions with their assigned clients.

We can start by providing a custom SMS Administrator Console that displays only the Collections objects. This limitation narrows down what the administrator sees when the SMS Administrator Console is launched. However, this is only a surface modification-any savvy user could restore the other SMS objects to the SMS Administrator Console. The complete solution is to create a custom console and apply appropriate security to all the SMS objects and instances so that administrators see and have access only to what they should.

Setting Security

You begin the process of creating a custom console by applying the appropriate security to the SMS objects. Consider, for example, a help desk group assigned to your organization's finance department. Help desk administrators belong to a Windows group named Finance Help. You have also created an SMS collection named Finance Clients that contains all the SMS client computers in the finance department.

Note 

The membership rules for this collection are based on a query so that as new computers are implemented in the finance department, they're automatically added to the Finance Clients collection when SMS discovers and installs them.

You set security on all SMS objects in such a way that the Finance Help group has no permissions on any SMS object class. This effectively restricts the Finance Help group members from viewing any SMS objects other than what they need access to-the Finance Clients collection. For that one collection, you'll give Finance Help the permissions the members need to initiate Remote Tools sessions-Read, Read Resource, and Use Remote Tools- shown in Figure 17.19.

click to expand
Figure 17.19: Setting security for the Finance Clients collection.

Notice that for the Collections object class, Finance Help has no permissions. However, for the Collections object instance Finance Clients, Finance Help has the permissions necessary to initiate a Remote Tools session. The result is that the group has no access to any other collection except this one.

Creating the Custom Console

The next step is to create a custom console to the Finance Help administrators that displays only the Finance Clients collection. To create a customized SMS Administrator Console, follow these steps:

  1. From the Start menu on the desktop taskbar of your SMS Administrator Console computer, choose Run and enter MMC to launch a generic MMC, shown in Figure 17.20.

    click to expand
    Figure 17.20: A generic MMC.

  2. Choose Add/Remove Snap-In from the Console menu to display the Add/Remove Snap-In Properties dialog box, shown in Figure 17.21.

    click to expand
    Figure 17.21: The Add/Remove Snap-In Properties dialog box.

  3. In the Standalone tab, click the Add button to display the Add Stand- alone Snap-In dialog box, shown in Figure 17.22. This dialog box lists the MMC snap-ins currently available.

    click to expand
    Figure 17.22: The Add Standalone Snap-In dialog box.

  4. Select Systems Management Server from the list and then click Add to launch the Site Database Connection Wizard, shown in Figure 17.23.

    click to expand
    Figure 17.23: The Site Database Connection Wizard welcome page.

  5. Click Next to display the Locate Site Database page, shown in Figure 17.24. Specify the site server to which you want the console to connect. Remember, this should be the SMS site that the Finance Help administrators need access to.

    click to expand
    Figure 17.24: The Locate Site Database page.

  6. Select the Select Console Tree Items To Be Loaded (Custom) option.

  7. Click Next to display the Console Tree Items page, shown in Figure 17.25. Select the SMS console tree entries you want to display in the custom console. In this example you'll choose SMS Collections only.

    click to expand
    Figure 17.25: The Console Tree Items page.

  8. Click Next to display the Completing The Site Database Connection Wizard page. Review your selections and then click Finish.

  9. Click Close in the Add Standalone Snap-In dialog box, and then click OK in the Standalone tab in the Add/Remove Snap-In Properties dialog box to save your configuration. The management console shown in Figure 17.26 demonstrates that the only SMS object this console will display is Collections.

    click to expand
    Figure 17.26: The custom management console.

  10. Choose Options from the Console menu to display the Options properties dialog box, shown in Figure 17.27.

  11. From the Console Mode drop-down list, select User Mode - Limited Access, Single Window. This option ensures that the top-level console menus (Console, Window, and Help) are hidden when the console is open and effectively prevents the user from modifying the console in any way. Select the option Do Not Save Changes To This Console to prevent any unintentional modifications later. Click OK to save your settings and return to the console window.

  12. Choose Save As from the Console menu to display the Save As dialog box. By default, the file will be saved in the Administrative Tools program folder. Retain that folder or select or create your own. Enter a filename for the console-for example, Finance.msc. Then choose Save.

    click to expand
    Figure 17.27: The Options properties dialog box.

  13. Close the new console.

Distributing the Custom Console

The next step is to distribute the custom console to the administrators in the Finance Help group. Begin by installing the SMS Administrator Console on their Windows NT 4.0 workstations. Next, replace the default SMS.msc file with the console you just created. You can rename the console SMS.msc so that when administrators click the shortcut in the Systems Management Server program group, the correct console is launched.

Caution 

Remember that the users in the Finance Help group must be able to access the SMS database, as discussed earlier. One way to do this is to add the Finance Help group to the local SMS Admins group on the site server or the server running SQL (wherever the SMS Provider is installed).

When an administrator in the Finance Help group launches the customized SMS Administrator Console, he or she will see only the Collections object, and because of the security you applied, only one object instance-the Finance Clients collection, shown in Figure 17.28.

click to expand
Figure 17.28: Sample custom console with security applied.



 < Day Day Up > 



Microsoft Systems Management Server 2003 Administrator's Companion
Microsoft Systems Management Server 2003 Administrators Companion (Pro-Administrators Companion)
ISBN: 0735618887
EAN: 2147483647
Year: 2006
Pages: 178

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net