Custom SMS Administrator Consoles

The SMS Administrator Console is a Microsoft Management Console (MMC) snap-in, and as such it is customizable. You can create a custom SMS Administrator Console that displays only the SMS objects to which a particular administrator needs access to perform delegated tasks such as package distribution, advertising, or initiating remote diagnostic sessions.

Perhaps the most common form of delegation is the help desk function. In a large organization, it would not be unusual to have an administrator or a group whose help desk responsibility is focused on specific departments or regions. It may not be desirable or practical for these individuals to have full access to every object in the SMS database. They really need access only to their assigned department's collection and the ability to initiate remote sessions with their assigned clients.

We can start by providing a custom SMS Administrator Console that displays only the Collections objects. This limitation narrows down what the administrator sees when the SMS Administrator Console is launched. However, this is only a surface modification—any savvy user could restore the other SMS objects to the SMS Administrator Console. The complete solution is to create a custom console and apply appropriate security to all the SMS objects and instances so that administrators see and have access only to what they should.

Setting Security

You begin the process of creating a custom console by applying the appropriate security to the SMS objects. Consider, for example, a help desk group assigned to the finance department of your organization. Help desk administrators belong to a Windows NT group named Finance Help. You have also created an SMS collection named Finance Clients that contains all the SMS client computers in the finance department.

NOTE
The membership rules for this collection are based on a query so that as new computers are implemented in the finance department, they are automatically added to the Finance Clients collection when they are discovered and installed by SMS.

You set security on all SMS objects such that the Finance Help group has no permissions on any SMS object class. This effectively restricts the Finance Help group members from viewing any SMS objects other than what they need access to—the Finance Clients collection. For that one collection, you will give Finance Help the permissions the members need to initiate Remote Tools sessions—Read, Read Resource, and Use Remote Tools—shown in Figure 16-12.

Figure 16-12. Setting security for the Finance Clients collection.

Notice that for the Collections object class, Finance Help has no permissions. However, for the Collections object instance Finance Clients, Finance Help has the permissions necessary to initiate a Remote Tools session. (Note that Read Resource is not displayed even if you selected it.) The end result is that the group has no access to any other collection except this one.
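The class-versus-instance rule described above can be checked mechanically. The following is an added example, not code from the book or from SMS: it uses a simplified record layout (not the SMS Provider schema) and constructed sample grants to flag any rights the Finance Help group holds beyond the intended delegation.

```python
from collections import defaultdict

# Intended delegation, taken from the text: no class-level rights, and three
# rights on one collection instance. The record layout is an assumption.
POLICY = {"group": "Finance Help",
          "instances": {("Collections", "Finance Clients"):
                        {"Read", "Read Resource", "Use Remote Tools"}}}

def effective_rights(grants, group):
    """Merge a group's grants into class-level and instance-level rights."""
    by_class, by_instance = defaultdict(set), defaultdict(set)
    for g in grants:
        if g["group"] != group:
            continue
        if g["instance"] is None:          # applies to every instance of the class
            by_class[g["object_class"]] |= set(g["rights"])
        else:
            by_instance[(g["object_class"], g["instance"])] |= set(g["rights"])
    return by_class, by_instance

def audit(grants, policy):
    """Return one finding per deviation from the intended delegation."""
    by_class, by_instance = effective_rights(grants, policy["group"])
    findings = []
    for cls, rights in sorted(by_class.items()):
        if rights:                          # the delegated group should hold none
            findings.append(f"class-level rights on {cls}: {sorted(rights)}")
    for key, rights in sorted(by_instance.items()):
        extra = rights - policy["instances"].get(key, set())
        if extra:
            findings.append(f"unexpected rights on {key[0]}/{key[1]}: {sorted(extra)}")
    for key, wanted in policy["instances"].items():
        missing = wanted - by_instance.get(key, set())
        if missing:
            findings.append(f"missing rights on {key[0]}/{key[1]}: {sorted(missing)}")
    return findings

# Constructed sample data: GOOD matches the text, DRIFTED has two extra grants.
GOOD = [
    {"group": "Finance Help", "object_class": "Collections", "instance": None, "rights": []},
    {"group": "Finance Help", "object_class": "Collections", "instance": "Finance Clients",
     "rights": ["Read", "Read Resource", "Use Remote Tools"]},
    {"group": "Site Admins", "object_class": "Packages", "instance": None, "rights": ["Read"]},
]
DRIFTED = GOOD + [
    {"group": "Finance Help", "object_class": "Packages", "instance": None, "rights": ["Read"]},
    {"group": "Finance Help", "object_class": "Collections", "instance": "Finance Clients",
     "rights": ["Modify"]},
]

if __name__ == "__main__":
    for finding in audit(DRIFTED, POLICY):
        print(finding)
```

An empty result means the group's rights match the delegation exactly; hiding console tree items does not change what this check reports.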

Creating the Custom Console

The next step is to create a custom console for the Finance Help administrators that displays only the Finance Clients collection. To create a customized SMS Administrator Console, follow these steps:

  1. From the Start menu on the desktop taskbar of your SMS Administrator Console computer, choose Run and enter MMC to launch a generic MMC, shown in Figure 16-13.

    Figure 16-13. A generic MMC.

  2. Choose Add/Remove Snap-In from the Console menu to display the Add/Remove Snap-In Properties window, shown in Figure 16-14.

    Figure 16-14. The Add/Remove Snap-In Properties window.

  3. On the Standalone tab, click the Add button to display the Add Standalone Snap-In dialog box, shown in Figure 16-15. This dialog box lists the MMC snap-ins currently available.

    Figure 16-15. The Add Standalone Snap-In dialog box.

  4. Select Systems Management Server from the list, and then click Add to launch the Site Database Connection Wizard, shown in Figure 16-16.

    Figure 16-16. The Site Database Connection Wizard welcome screen.

  5. Click Next to display the Locate Site Database screen, shown in Figure 16-17. Specify the site server to which you want the console to connect. Remember, this should be the SMS site that the Finance Help administrators need access to.

    Figure 16-17. The Locate Site Database screen.

  6. Select the Select Console Tree Items To Be Loaded (Custom) option.
  7. Click Next to display the Console Tree Items screen, shown in Figure 16-18. Select the SMS console tree entries you want to display in the custom console. In this example, you will choose SMS Collections only.

    Figure 16-18. The Console Tree Items screen.

  8. Click Next to display the Completing The Database Connection Wizard screen. Review your selections, and then click Finish.
  9. Click Close in the Add Standalone Snap-In dialog box, and then click OK on the Standalone tab in the Add/Remove Snap-In Properties window to save your configuration. The console screen shown in Figure 16-19 demonstrates that the only SMS object this console will display is Collections.

    Figure 16-19. The custom console screen.

  10. Choose Options from the Console menu to display the Options Properties window, shown in Figure 16-20.
  11. On the User tab, confirm that the option Always Open Console Files In Author Mode is disabled. This setting will ensure that the user cannot make modifications to this custom console once they are using it.
  12. Select the Console tab, as shown in Figure 16-21. Click Change Icon if you want to switch to the SMS Administrator Console icon (the tool icon). Enter a name for the console. Under Console Mode, select User Mode - Delegated Access, Single Window. This option ensures that the top-level console menus (Console, Window, and Help) are hidden when the console is open and effectively prevents the user from modifying the console in any way. Click OK to save your settings and return to the console window.

    Figure 16-20. The User tab of the Options Properties window.

    Figure 16-21. The Console tab.

  13. Choose Save As from the Console menu to display the Save As dialog box. By default, the file will be saved in a new Programs folder named My Administrative Tools. Retain that folder, or select or create your own. Enter a filename for the console—for example, Finance.msc. Then choose Save.
  14. Close the new console.

Distributing the Custom Console

The next step is to distribute the custom console to the administrators in the Finance Help group. Begin by installing the SMS Administrator Console on their Windows NT workstations. Next replace the default SMS.msc file with the console you just created. You can rename the console SMS.msc so that when administrators click on the shortcut in the Systems Management Server program group, the correct console is launched.

CAUTION
Remember that the users in the Finance Help group must be able to access the SMS database, as discussed earlier. One way to do this is to add the Finance Help group to the local SMS Admins group on the site server or the SQL server (wherever the SMS Provider is installed).

When an administrator in the Finance Help group launches the customized SMS Administrator Console, he or she will see only the Collections object, and because of the security you applied, only one object instance—the Finance Clients collection, shown in Figure 16-22.

Figure 16-22. Sample custom console with security applied.



Microsoft Systems Management Server 2.0 Administrator's Companion
ISBN: 0735608342
EAN: 2147483647
Year: 1999
Pages: 167
