Accounts and Groups


As we've seen throughout this book, SMS uses a variety of accounts to perform various tasks. Some of these accounts must be created by you, such as a NetWare Site System Connection account; others are created by SMS automatically, such as the SMS Server Connection account. The user accounts and user group accounts used by SMS for various tasks fall into seven categories, as follows:

  • Site server service accounts
  • Server connection account
  • Site system connection accounts
  • Remote site system service accounts
  • Client service accounts
  • Client installation accounts
  • Group accounts

In this section, we'll review each of these account categories in more detail.

TIP
In this instance, the original release of the Systems Management Server Administrator's Guide is ineffective. For the most up-to-date information regarding SMS user accounts and user group accounts, you should refer to the online version of the Systems Management Server Administrator's Guide installed with SMS 2.0 Service Pack 1. You should also refer to the Microsoft Systems Management Server Version 2.0 Service Pack 1 Release Notes for additional information.

Site Server Service Accounts

Three site server service accounts enable SMS to carry out its primary tasks: the SMS Service account, the SQL Server account, and the SMS Site Address account. Both the SMS Service and the SQL Server accounts are required; the SMS Site Address account, while not required, is usually desired.

SMS Service Account

By now, you should be familiar with this account. The SMS Service account is the primary account created by SMS. This account is used by site server services to create shares and directories on site systems, set permissions, copy files, install services and components, and verify operation of the site system. Specifically, this account is used by the SMS Executive, SMS Site Component Manager, SMS Site Backup (new with Service Pack 1), SMS SQL Monitor, and SMS Client Configuration Manager. If Crystal Info is installed, the three Crystal Info services—Info Agent, Info APS, and Info Sentinel—also use the SMS Service account.

The SMS Service account is created when the SMS site server is installed. By default, it is named SMSService and made a member of the local Administrators group on the site server as well as the Domain Admins and Domain Users groups in the Windows NT domain the site server belongs to. Because the account is a domain administrator, you should probably rename it and provide password protection with a unique password composed of alphanumeric and special characters. (Just don't forget what the password is.)

TIP
One way to increase security for your Windows NT domain is to remove the SMS Service account from the Domain Admins group and add it directly to the local Administrators groups on the site server, SQL server, CAP, logon point, and software metering server. If you are not using an SMS Windows NT Client Software Installation account, add the SMS Service account to the local Administrators group on every Windows NT SMS client as well.

If your SMS site systems are members of trusted Windows NT domains, the same SMS Service account can be used throughout your site hierarchy for convenience. However, if SMS sites and site systems are in untrusted Windows NT domains, you must create the account separately in each domain. For example, the SMS Service account is used to access the SMS database on the SQL server. If the SQL server happens to be in a different, untrusted Windows NT domain than the SMS site server, SMS will need to use Windows NT's pass-through authentication method to gain access to the SQL server. This means that you will need to create the SMS Service account in the SQL server's domain using the same account name and password as are used on the site server.

CAUTION
Do not change this account through the User Manager For Domains utility in Windows NT. If you need to rename the account or change the password, do so using the Reset function of SMS Setup. This method will ensure that all the SMS services are properly updated with the changed account information.

SQL Server Account

The SQL Server account, created by SQL Server during its installation, is used to provide SMS services with access to the SMS database and the software metering database. The type of account that is used depends on whether you are using standard security or integrated security when accessing SQL Server. Recall from Chapter 2 that you need to tell SMS which security method you have enabled for SQL Server in order for SMS to establish the correct account to use.

By and large, SQL Server accounts are managed through the SQL Server Enterprise Manager utility. If you need to change the account for SMS, first establish the account in SQL Server, and then update SMS with the new account information, as shown here:

  1. In the SMS Administrator Console, navigate to the site code - site name entry under Site Hierarchy.
  2. Right-click on the site entry, and choose Properties from the context menu to display the Site Properties window.
  3. Select the Accounts tab, shown in Figure 16-1. In the SQL Server Account section, click the Set button, and supply the new account name and password in the SQL Server Account dialog box.
  4. Choose OK to save the change and update SMS.

Figure 16-1. The Accounts tab of the Site Properties window.

SMS Site Address Account

The SMS Site Address account is used to establish communications between a parent site and a child site in an SMS hierarchy for the purpose of forwarding data such as discovery data records (DDRs), site control information, inventory, and packages. (Refer to Chapter 4 for more information about the communications process.) Although the SMS Service account can be used to accomplish this task, it is generally recommended that a separate account be created by the SMS administrator specifically for the purpose of intersite communications. This account can be made fairly secure as well because it need not be a member of Domain Admins. In fact, the account needs only Read, Write, Execute, and Delete permissions on the SMS_SITE share (SMS\Inboxes\Despoolr.box\Receive), so it could be simply a guest account with the appropriate permissions to the share.
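The two least-privilege recommendations made so far, taking the SMS Service account out of Domain Admins while keeping it a local Administrator on the site systems that need it (the TIP above), and granting the SMS Site Address account only Read, Write, Execute, and Delete on SMS_SITE, can be checked mechanically. The following audit is an added example, not code from the book or from SMS; it runs over a constructed inventory of group memberships and share permissions rather than querying a live Windows NT domain, and the host names, the SMSSiteAddr account name, and the group contents are all made up for illustration:

```python
"""Least-privilege audit of the SMS 2.0 accounts described in this chapter.

Runs over a CONSTRUCTED inventory (plain dictionaries); it makes no calls
to a Windows NT domain.  The checks are the two recommendations in the text:
  * the SMS Service account is not in Domain Admins, but is a local
    Administrator on every site system role that needs it;
  * the SMS Site Address account holds exactly Read, Write, Execute and
    Delete on the SMS_SITE share, nothing broader and nothing less.
"""

# Site system roles on which the SMS Service account needs local
# Administrators membership, per the chapter's TIP.
ROLES_NEEDING_SERVICE_ACCOUNT = {
    "site server", "SQL server", "CAP", "logon point", "software metering server",
}

# The only permissions the SMS Site Address account needs on SMS_SITE.
SITE_ADDRESS_REQUIRED = {"Read", "Write", "Execute", "Delete"}


def audit_service_account(domain_groups, local_admins, account="SMSService"):
    """Return a list of findings (strings) for the SMS Service account.

    domain_groups: {group_name: set(member names)} for the Windows NT domain.
    local_admins:  {host_name: (role, set(local Administrators members))}.
    """
    findings = []
    if account in domain_groups.get("Domain Admins", set()):
        findings.append(f"{account} is still a member of Domain Admins")
    for host, (role, admins) in local_admins.items():
        if role in ROLES_NEEDING_SERVICE_ACCOUNT and account not in admins:
            findings.append(f"{account} is not a local Administrator on {host} ({role})")
    return findings


def audit_site_address_account(share_acl, account):
    """Return findings for the SMS Site Address account on the SMS_SITE share.

    share_acl: {account_name: set(permission names)} for the SMS_SITE share.
    Both missing and surplus permissions are reported.
    """
    findings = []
    granted = share_acl.get(account, set())
    missing = SITE_ADDRESS_REQUIRED - granted
    extra = granted - SITE_ADDRESS_REQUIRED
    if missing:
        findings.append(f"{account} lacks {sorted(missing)} on SMS_SITE")
    if extra:
        findings.append(f"{account} has unnecessary {sorted(extra)} on SMS_SITE")
    return findings


# CONSTRUCTED sample inventory.  Host names, the SMSSiteAddr account and the
# memberships are illustrative; only the group and role names come from the text.
DOMAIN_GROUPS = {
    "Domain Admins": {"Administrator", "SMSService"},   # default after SMS setup
    "Domain Users": {"Administrator", "SMSService", "jdoe"},
}
LOCAL_ADMINS = {
    "SITESRV01": ("site server", {"Administrator", "SMSService"}),
    "SQL01": ("SQL server", {"Administrator", "SMSService"}),
    "CAP01": ("CAP", {"Administrator"}),                 # SMSService missing here
    "PDC01": ("logon point", {"Administrator", "SMSService"}),
    "FILE01": ("file server", {"Administrator"}),        # role not in scope
}
SMS_SITE_ACL = {
    "SMSSiteAddr": {"Read", "Write", "Execute", "Delete", "Full Control"},
}


def run_audit():
    """Audit the constructed inventory; returns the combined list of findings."""
    findings = audit_service_account(DOMAIN_GROUPS, LOCAL_ADMINS)
    findings += audit_site_address_account(SMS_SITE_ACL, "SMSSiteAddr")
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Against the sample inventory the audit reports three findings: SMSService is still in Domain Admins, it is not a local Administrator on the CAP, and SMSSiteAddr has been granted Full Control on top of the four permissions it actually needs. A clean inventory returns an empty list from both functions.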

Server Connection Account

The SMS Server Connection account is created by SMS automatically during installation of the site server and is used by remote site systems to connect back to the site server to transfer information. For example, the SMS NT Logon Discovery Agent service running on logon points uses this account to forward DDRs generated during Windows NT logon discovery. The Inbox Manager Assistant component on CAPs uses this account to transfer client data to appropriate inboxes on the site server. The SMS Provider also uses this account to access SMS directories on the site server as well as the package definition file (PDF) store.

The SMS Server Connection account is named SMSServer_sitecode and is assigned a randomly generated password. Do not modify this account in any way. Figure 16-2 shows some of the accounts typically used by SMS through the User Manager For Domains utility. Notice that some of these accounts have "DO NOT MODIFY" in the Description field. In general, do not modify any account created and maintained by SMS itself.


Figure 16-2. Windows NT accounts and groups typically used by SMS.

If you change the password for the SMS Server Connection account, it can be reset by running the Reset routine through SMS Setup. However, if you delete the account, calling Reset will not restore it. Instead, you will need to reinstall SMS.

Site System Connection Accounts

Site system connection accounts are almost the opposite of a server connection account. Site system connection accounts are accounts created on site systems such as CAPs and logon points and are used by the Logon Server Manager, Inbox Manager, and Distribution Manager (on Windows NT site systems only) components running on the site server to connect to and transfer information such as client configuration information, advertisements, and logon script updates to these site systems. The three types of site system connection accounts are: Windows Networking Site System Connection, NetWare Bindery Site System Connection, and NetWare NDS Site System Connection.

As with the SMS Site Address account, the Windows Networking Site System Connection account is not required, since the SMS Service account can perform the same tasks. The same is true for the NetWare Bindery Site System Connection account. For security purposes, however, it is recommended that you do create specific site system connection accounts for NetWare Bindery, CAPs, distribution points, and logon points to perform these tasks. The accounts can be created through the Connection Accounts folder under Site Settings in the SMS Administrator Console. (Refer to Chapter 3 for a complete discussion of creating and using these accounts.)

MORE INFO
For more information, see the white paper "Integrating Microsoft Systems Management Server 2.0 with Novell NetWare," on the companion CD; this white paper is also available through the SMS Web site, at http://www.microsoft.com/smsmgmt.

Remote Site System Service Accounts

Remote site system service accounts are service accounts used by SMS services that are installed and run on remote site systems such as the SMS Executive running on a CAP or the SMS NT Logon Discovery Agent service running on a logon point. The three Remote Site System Service accounts are: the SMS Logon Service account, the SMS Remote Service account, and the Software Metering Service account.

SMS Logon Service Account

The SMS Logon Service account is required; it is created automatically on all logon points when the Windows Networking Logon Discovery method is enabled. The account is named SMSLogonSvc and is assigned a randomly generated password. It is made a member of the Domain Users group and the local Administrators group and is assigned the Log On As A Service user right on each logon point.

Remember, do not modify this account in any way. If you do modify the account, SMS will eventually fix it, but the key word here is "eventually." The process could take anywhere from several hours to several days.

SMS Remote Service Account

The SMS Remote Service account is also required and is created automatically on each CAP when that site system role is assigned. The SMS Executive installed on each CAP uses this account to start up and carry out various SMS tasks, such as running Inbox Manager Assistant. This account is named SMSSvc_sitecode_xxxx (where xxxx represents a number increment assigned by SMS and is different on each CAP), is a member of the local Administrators group on each CAP, and is assigned the Log On As A Service user right.

Software Metering Service Account

As we saw in Chapter 14, the Software Metering Service account is used by the SMS License Service installed on each software metering server to manage license usage. The account's default name is SWMAccount, but you can name it anything you want as well as assign it a password. Like the SMS Service account, the Software Metering Service account should be modified through the SMS Administrator Console rather than through the User Manager For Domains utility. To do so, change the appropriate settings on the Software Metering tab of the Site System Properties window.

Client Service Accounts

Four required internal accounts are created by SMS: the Client Services DC account, the Client Services Non-DC account, the Client User Token account, and the SMS Client Connection account. These accounts are used by SMS services running on Windows NT clients to carry out various tasks.

Client Services DC Account

The Client Services DC account is created and used by SMS client services specifically on domain controllers that are also SMS clients. The account is named SMS&_domain_controller_name. It is a member of the local Administrators group and is assigned the Log On As A Service, Act As Part Of The Operating System, and Replace A Process Level Token user rights.

Client Services Non-DC Account

The Client Services Non-DC account is created and used by SMS client services specifically on Windows NT SMS clients that are not domain controllers. The account is named SMSCliSvcAcct&. It is a member of the local Administrators group and is assigned the Log On As A Service, Act As Part Of The Operating System, and Replace A Process Level Token user rights. It is created by Client Configuration Manager or when SMSMan.exe or the SMSls.bat script is run.

Client User Token Account

When programs are executed at the client computer, they run under the security context of the logged-on user. Since most users are logged on as ordinary users and not as administrators, these programs usually run with only user-level rights. While this is not such a big deal for non-Windows NT systems, it can be a big issue on Windows NT clients because they maintain a local account database and provide more security over system modifications such as program installation. Thus, the security context poses a problem when dealing with SMS packages.

When you identify a program to SMS as requiring an administrator context to execute it, SMS uses the Client User Token account, named SMSCliToknAcct&, to create a user token on the client with sufficient access to run the program. This internal account is created automatically, assigned a random password, and granted the Act As Part Of The Operating System, Log On As A Service, and Replace A Process Level Token user rights on the client. This account will be sufficient in most cases. Recall from Chapter 12, however, that if the program execution requires that the program connect to network resources other than the distribution point, SMSCliToknAcct& will fail because it is created as a local account rather than as a domain account. In this case, you should use the SMS Windows NT Client Software Installation account. (See Chapter 12 for a complete discussion of installation accounts.)

SMS Client Connection Account

The SMS Client Connection account functions much the same as the server connection account and site system connection accounts on their respective systems. The SMS Client Connection account is used by SMS client components running on Windows NT clients to connect to CAPs and distribution points to transfer data such as inventory or client configuration updates. For the Windows NT domain, SMS creates one account named SMSClient_sitecode with a random password that is propagated to each Windows NT client.

If you have Windows NT clients that access NetWare CAPs or distribution points, you need to create a NetWare Bindery or NetWare NDS client connection account. Again, this would be an account you have already created on your NetWare server that has appropriate permissions to the site system directories. (To review these permissions, refer to Tables 16-1 and 16-3.)

REAL WORLD  Creating Additional Client Connection Accounts

Since client connection account information such as the randomly generated password is propagated to each Windows NT computer that is an SMS client, you may encounter account lockout problems in Windows NT networks that have enabled account policies such as account lockout. When SMS updates a client connection account password, that information is normally passed on to the client computers at the next logon if the Windows Networking Logon Client Installation method has been enabled.

But what if a client computer has been shut down for a period of time—say, while a user was on vacation—and in the interim SMS updated the client account password? In this scenario, the client computer would have no way of knowing about the password change. When the client computer was restarted, the client connection account would try to reconnect using the old password and would be locked out—effectively disabling SMS client components from sending or receiving updates to the CAP. This problem is especially likely when the client computer was installed using the Windows NT Remote Client Installation method.

The solution to this problem involves creating additional client connection accounts through the site server. You can create two or more client connection accounts for which you control the passwords. Rotate these accounts within the password aging cycle of your Windows NT account policy so that the client will always have access to a valid account. As you create a new client connection account, you can delete the oldest account. This technique ensures that the client computers will always have current account information and minimizes the possibility of the client connection account being locked out.
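The lockout scenario and the staggered-account workaround can be seen end to end in a small simulation. This is an added example, not code from the book or from SMS: the domain-side account store and the client-side credential cache are modelled with plain Python objects, and the account names (SMSClient_A01 with the made-up site code A01, and a second account SMSClientB_A01), the passwords, the lockout threshold of three bad attempts and the five connection retries are all constructed assumptions rather than values the chapter gives.

```python
"""Simulation of the client connection account lockout described above.

CONSTRUCTED model, no Windows NT calls.  A client caches the account name and
password last propagated to it at logon.  If it is switched off across a
password change it comes back with a stale password and, under an account
lockout policy, locks the account after `lockout_threshold` failed
connections.  With two accounts whose passwords are rotated in alternation
the client still holds at least one valid credential when it returns.
"""


class AccountStore:
    """Domain-side view: account -> current password, plus lockout state."""

    def __init__(self, lockout_threshold):
        self.passwords = {}
        self.bad_attempts = {}
        self.locked = set()
        self.lockout_threshold = lockout_threshold

    def set_password(self, account, password):
        """Set or rotate a password (as the site server does for SMS accounts)."""
        self.passwords[account] = password
        self.bad_attempts[account] = 0

    def authenticate(self, account, password):
        """Return True on success; count failures and lock at the threshold."""
        if account in self.locked:
            return False
        if self.passwords.get(account) == password:
            self.bad_attempts[account] = 0
            return True
        self.bad_attempts[account] = self.bad_attempts.get(account, 0) + 1
        if self.bad_attempts[account] >= self.lockout_threshold:
            self.locked.add(account)
        return False


class Client:
    """Client-side view: the credentials last propagated to it at logon."""

    def __init__(self):
        self.cached = {}  # account -> password as last seen

    def refresh(self, store):
        """Pick up the current passwords (happens at logon, not while offline)."""
        self.cached = dict(store.passwords)

    def connect_to_cap(self, store, retries=5):
        """Try each cached account in turn; return the one that worked, or None."""
        for account, password in self.cached.items():
            for _ in range(retries):
                if store.authenticate(account, password):
                    return account
        return None


def simulate(accounts, changes_while_offline, lockout_threshold=3):
    """accounts: {name: initial password}; changes_while_offline: list of
    (name, new_password) rotations applied after the client last refreshed.
    Returns (account the client connected with or None, sorted locked accounts)."""
    store = AccountStore(lockout_threshold)
    for name, password in accounts.items():
        store.set_password(name, password)
    client = Client()
    client.refresh(store)                 # last logon before the machine was shut down
    for name, password in changes_while_offline:
        store.set_password(name, password)  # site server rotates passwords meanwhile
    used = client.connect_to_cap(store)
    return used, sorted(store.locked)


def single_account_scenario():
    """One account whose password changed while the client was off: lockout."""
    return simulate({"SMSClient_A01": "old"}, [("SMSClient_A01", "new")])


def staggered_accounts_scenario():
    """Two accounts, only one rotated per aging cycle: the other still works."""
    return simulate({"SMSClient_A01": "old", "SMSClientB_A01": "old-b"},
                    [("SMSClient_A01", "new")])


if __name__ == "__main__":
    print("single account:   ", single_account_scenario())
    print("staggered accounts:", staggered_accounts_scenario())
```

With a single account the returning client locks SMSClient_A01 and never reaches the CAP. With two accounts the stale SMSClient_A01 still gets locked, which is worth noting, but the client connects with SMSClientB_A01 and so can receive the new password at its next refresh; rotating the accounts inside the password aging window preserves connectivity, it does not prevent the lockout of the stale account itself.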

MORE INFO
Refer to the Microsoft Systems Management Server Version 2.0 Service Pack 1 Release Notes article "Avoiding Client Lockouts when Working with SMS Client Connection Accounts" for a detailed discussion of the need for and method of creating these additional client connection accounts.

Client Installation Accounts

Two kinds of client installation accounts are available: the SMS Client Remote Installation account and the SMS Windows NT Client Software Installation account. Each is used for a slightly different purpose; both are specifically for Windows NT clients on which a higher security context than that of the logged-on user is required for carrying out an installation task. The first account is used to install SMS components on a Windows NT client; the other is used to run an advertised program in the correct security context on a Windows NT SMS client.

SMS Client Remote Installation Account

As you know, when SMS needs to be installed on a Windows NT client, it requires an account that has local administrative rights on that client. By default, SMS will use the SMS Service account to accomplish this since that account is automatically made a member of the Domain Admins group, which is by default made a member of the local Administrators group on every Windows NT computer that joins that domain. However, this setting implies that the SMS Service account has a rather broad scope of security.

For enhanced security, you can create a separate client installation account for SMS to use when installing the SMS components on a Windows NT client; this account is called the SMS Client Remote Installation account. This process involves creating an account through User Manager For Domains and ensuring that it is made a member of the local Administrators group on the Windows NT client in question. After you create this account, you then need to tell SMS to use the account when installing the SMS components on Windows NT clients by configuring the Accounts tab of the Site Properties window. (Refer to Chapter 8 for details.)

SMS Windows NT Client Software Installation Account

The SMS Windows NT Client Software Installation account created by you, the SMS administrator, is used in lieu of the SMSCliToknAcct& account described in the section "Client User Token Account" earlier in this chapter. You create this account either for the Windows NT domain or on each Windows NT client; you should give this account the appropriate level of permissions to install software successfully on the Windows NT client. The account is then identified to SMS through the Software Distribution Properties window, which you can display by right-clicking on the Software Distribution component under Component Configuration in the Site Settings folder in the SMS Administrator Console. Refer to Chapter 12 for a detailed discussion of this account.

Group Accounts

As you know, group accounts in Windows NT are used to provide permissions and set security on a global level for a large number of user accounts by virtue of their membership in a group account. Similarly, SMS uses group accounts to provide additional security within the Windows NT environment. In addition to the accounts described above, SMS creates two internal group accounts: SMS Admins and SMSInternalCliGrp.

SMS Admins Group Account

The SMS Admins local group provides its members access to the SMS Provider through WMI, and thus provides access to the SMS database. The local Administrator account on the site server is automatically made a member of this group. You will need to populate this group with the accounts of any administrators who will be using the SMS Administrator Console remotely to access the SMS database and carry out tasks such as creating and distributing packages or initiating Remote Tools sessions.

SMSInternalCliGrp Group Account

The SMSInternalCliGrp global group is created on domain controllers and contains the SMSCliToknAcct& and SMS&_domain_controller_name accounts. This group provides a global group membership (required by Windows NT) for these two internal accounts without having to make them a member of any other existing Windows NT global groups that may inadvertently assign a higher level of permissions than the accounts require.



Microsoft Systems Management Server 2.0 Administrator's Companion
ISBN: 0735608342
Year: 1999