The SMS Administrator Console
is an MMC snap-in, and, consequently, you can create customized
versions of the console to distribute to your administrators. You can
create a custom SMS Administrator Console that displays only the SMS
objects to which a particular administrator needs access to perform
delegated tasks such as package distribution, advertising, or initiating
remote diagnostic sessions.
Perhaps the most common form of delegation is the
help desk function. In a large organization, it wouldn’t be unusual to
have an administrator or a group whose help desk responsibility is
focused on specific departments or regions. It might not be desirable or
practical for these individuals to have full access to every object in
the SMS database. They really need access only to their assigned
department’s collection and the ability to initiate remote sessions with
their assigned clients.
We can start by providing a custom SMS
Administrator Console that displays only the Collections objects. This
limitation narrows down what the administrator sees when the SMS
Administrator Console is launched. However, this is only a surface
modification—any savvy user could restore the other SMS objects to the
SMS Administrator Console. The complete solution is to create a custom
console and apply appropriate security to all the SMS objects and
instances so that administrators see and have access only to what they
should.
Setting Security
You begin the process of creating a custom
console by applying the appropriate security to the SMS objects.
Consider, for example, a help desk group assigned to your organization’s
finance department. Help desk administrators belong to a Windows group
named Finance Help. You have also created an SMS collection named
Finance Clients that contains all the SMS client computers in the
finance department.
Note
The
membership rules for this collection are based on a query so that as
new computers are implemented in the finance department, they’re
automatically added to the Finance Clients collection when SMS discovers
and installs them. |
You set security on all SMS objects in such a
way that the Finance Help group has no permissions on any SMS object
class. This effectively restricts the Finance Help group members from
viewing any SMS objects other than what they need access to—the Finance
Clients collection. For that one collection, you’ll give Finance Help
the permissions the members need to initiate Remote Tools sessions—Read,
Read Resource, and Use Remote Tools—shown in Figure 1.
Notice
that for the Collections object class, Finance Help has no permissions.
However, for the Collections object instance Finance Clients, Finance
Help has the permissions necessary to initiate a Remote Tools session.
The result is that the group has no access to any other collection
except this one.
Creating the Custom Console
The next step is to create a custom console to
the Finance Help administrators that displays only the Finance Clients
collection. To create a customized SMS Administrator Console, follow
these steps:
1. | From
the Start menu on the desktop taskbar of your SMS Administrator Console
computer, choose Run and enter MMC to launch a generic MMC, shown in Figure 2.
|
2. | Choose Add/Remove Snap-In from the Console menu to display the Add/Remove Snap-In Properties dialog box, shown in Figure 3.
|
3. | In the Standalone tab, click the Add button to display the Add Standalone Snap-In dialog box, shown in Figure 4. This dialog box lists the MMC snap-ins currently available.
|
4. | Select Systems Management Server from the list and then click Add to launch the Site Database Connection Wizard, shown in Figure 5.
|
5. | Click Next to display the Locate Site Database page, shown in Figure 6.
Specify the site server to which you want the console to connect.
Remember, this should be the SMS site that the Finance Help
administrators need access to.
|
6. | Select the Select Console Tree Items To Be Loaded (Custom) option.
|
7. | Click Next to display the Console Tree Items page, shown in Figure 7.
Select the SMS console tree entries you want to display in the custom
console. In this example you’ll choose SMS Collections only.
|
8. | Click Next to display the Completing The Site Database Connection Wizard page. Review your selections and then click Finish.
|
9. | Click
Close in the Add Standalone Snap-In dialog box, and then click OK in
the Standalone tab in the Add/Remove Snap-In Properties dialog box to
save your configuration. The management console shown in Figure 8 demonstrates that the only SMS object this console will display is Collections.
|
10. | Choose Options from the Console menu to display the Options properties dialog box, shown in Figure 9.
|
11. | From
the Console Mode drop-down list, select User Mode - Limited Access,
Single Window. This option ensures that the top-level console menus
(Console, Window, and Help) are hidden when the console is open and
effectively prevents the user from modifying the console in any way.
Select the option Do Not Save Changes To This Console to prevent any
unintentional modifications later. Click OK to save your settings and
return to the console window.
|
12. | Choose
Save As from the Console menu to display the Save As dialog box. By
default, the file will be saved in the Administrative Tools program
folder. Retain that folder or select or create your own. Enter a
filename for the console—for example, Finance.msc. Then choose Save.
|
13. | |
Distributing the Custom Console
The next step is to distribute the custom
console to the administrators in the Finance Help group. Begin by
installing the SMS Administrator Console on their Windows NT 4.0
workstations. Next, replace the default SMS.msc file with the console
you just created. You can rename the console SMS.msc so that when
administrators click the shortcut in the Systems Management Server
program group, the correct console is launched.
Caution
Remember
that the users in the Finance Help group must be able to access the SMS
database, as discussed earlier. One way to do this is to add the
Finance Help group to the local SMS Admins group on the site server or
the server running SQL (wherever the SMS Provider is installed). |
When an administrator in the Finance Help group
launches the customized SMS Administrator Console, he or she will see
only the Collections object, and because of the security you applied,
only one object instance—the Finance Clients collection, shown in Figure 10.
