Logo
CAR REVIEW
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows Server

Microsoft Systems Management Server 2003 : Security - Accounts and Groups

1/16/2013 3:31:27 PM
SMS uses a variety of accounts to perform various tasks. Some of these accounts might be created by you, such as a Client Connection account; others are created by SMS automatically, such as the SMS Server Connection account. The number of accounts that SMS creates and requires depends largely on the security mode you’ve selected. As we’ve seen, advanced security mode only requires the local system account and computer account.

You can categorize the various accounts that SMS can use in many ways. I have broken these down into four categories as follows:

  • Accounts common to both advanced and standard security

  • Accounts specific to advanced security

  • Accounts specific to standard security

  • Accounts specific to clients (advanced and standard security)

In this section we’ll review each of these account categories in more detail.

Accounts Common to Advanced and Standard Security

Three user accounts and six group accounts used at the SMS server level are common to both advanced and standard security. These are described in Tables 1 and 2.

Table 1. User accounts common to advanced and standard security
Account TypeAccount NameDescription
Local SystemN/ARequired account.

Used to run SMS client and server processes and services.

Used to run SMS Advanced Client and server processes in Advanced Security.
Client Push InstallationAdministrator’s choiceOptional account.

Used to install SMS components on Legacy Client computers when the SMS Service account doesn’t have appropriate rights on the client computer. Can be identified for use by Advanced Clients as well.

Default for Legacy Client: SMS Service Account.

Default for Advanced Client: client computer account.
Site AddressAdministrator’s choiceOptional account.

Used for site-to-site communications.

Default for standard security: SMS Service account.

Default for advanced security: site server computer account.

Table 2. Group accounts common to advanced and standard security
Account TypeAccount NameDescription
SMS AdministratorsSMS AdminsUsed to provide access to the SMS Provider through WMI to launch the SMS Administrator Console and access the SMS site database.
Internal Client GroupSMSInternalCliGrpContains the client token and client service accounts on domain controllers (domain controllers require that all user accounts belong to a group).
Reporting UsersSMS Reporting UsersControls user access to SMS. Reports through the reporting point.
Site System To Site Server ConnectionSMS_SiteSystem-ToSiteServerConnection_sitecodeProvides site systems access to site server resources.
Site System To SQL Server ConnectionSMS_SiteSystem-ToSSQLConnection_sitecodeProvides management points, server locator points, and reporting points access to the SMS site database server.
Site To Site ConnectionSMS_SiteToSite-Connection_sitecodeFacilitates communications between sites in an SMS hierarchy. Default members are site address accounts.

Accounts Specific to Advanced Security

When we talk about advanced security, we usually refer to the local system account and the computer account. Strictly speaking, the local system account is sometimes used while running standard security. However, I’m including it here to emphasize its purpose under advanced security. Table 3 summarizes these two accounts.

Table 3. Accounts specific to advanced security
Account TypeAccount NameDescription
Local SystemN/AUsed to run SMS client and server processes and services.Used to run SMS Advanced Client and server processes in Advanced Security.
ComputerMachinename$Used by SMS computers to communicate with other SMS computers.

Accounts Specific to Standard Security

Like SMS 2.0, SMS 2003 running in standard security mode uses many accounts to carry out various tasks on the server and on the client. Table 4 summarizes these accounts.

Table 4. Accounts specific to standard security
Account TypeAccount NameDescription
SMS ServiceSMSService by default, but also administrator’s choiceUsed to run SMS site server processes and services.
Server ConnectionSMSServer_sitecodeUsed to provide CAPs access to the site server.
Site System ConnectionAdministrator’s choiceOptional account.Used to provide sites servers access to site systems. SMS Service account is used by default.
Remote ServiceSMSSvc_sitecode_xxxxUsed to run the SMS Executive service on remote CAPs and the SQL Monitor service on an SMS database server that isn’t the site server.

SMS Service Account

Here’s a bit more about the SMS Service account as you’re likely to encounter it if you’re upgrading from an SMS 2.0 site or need to maintain downward compatibility within your SMS hierarchy for a time. The SMS Service account is the primary account created by SMS in standard security mode. Site server services use this account to create shares and directories on site systems, set permissions, copy files, install services and components, and verify operation of the site system. Specifically, the SMS Executive, SMS Site Component Manager, SMS Site Backup, SMS SQL Monitor, and SMS Client Configuration Manager all use this account. The SMS Service account is created when the SMS site server is installed. By default, it’s named SMSService and made a member of the local Administrators group on the site server as well as the Domain Admins and Domain Users groups in the Windows domain the site server belongs to. Because the account is a domain administrator, you should probably rename it and provide password protection with a complex password composed of alphanumeric and special characters. (Just don’t forget the password.)

Tip

One way to increase security for your Windows domain is to remove the SMS Service account from the Domain Admins group and add it directly to the local Administrators groups on the site server, the server running SQL, CAP, logon point, and software metering server. If you aren’t using a Client Push Installation account, add the SMS Service account to the local Administrators group on every SMS Legacy Client as well.


If your SMS site systems are members of trusted Windows domains, you can use the same SMS Service account throughout your site hierarchy for convenience. However, if SMS sites and site systems are in untrusted Windows domains, you must create the account separately in each domain. Although this won’t be a concern with Windows 2000 or higher domains, trust relationships might well be a concern if you still need to support Windows NT 4.0 domains. For example, the SMS Service account is used to access the SMS database on the server running SQL. If the server running SQL happens to be in a different, untrusted Windows domain than the SMS site server, SMS will need to use Windows’ pass-through authentication method to gain access to the server running SQL. This means that you’ll need to create the SMS Service account in the domain of the server running SQL using the same account name and password that are used on the site server.

Caution

Do not change this account through the Windows account management tools—for example, the User Manager For Domains utility in Windows NT 4.0. If you need to rename the account or change the password, do so using the Reset function of SMS Setup. This method will ensure that all the SMS services are properly updated with the changed account information.


SQL Server Account

The SQL Server account, created by SQL Server during its installation, is used to provide SMS services with access to the SMS database and the software metering database. The type of account that’s used depends on whether or not you’re using Windows Authentication mode when accessing SQL Server. 

By and large, you manage SQL Server accounts through SQL Server Enterprise Manager. If you need to change the account for SMS, first establish the account in SQL Server and then update SMS with the new account information, as shown here:

1.
In the SMS Administrator Console, navigate to the sitecode - site name entry under Site Hierarchy.

2.
Right-click the site entry and choose Properties from the context menu to display the Site Properties dialog box.

3.
Select the Accounts tab, shown in Figure 1. In the SQL Server Account section, click Set and supply the new account name and password in the SQL Server Account dialog box.

Figure 1. The Accounts tab of the Site Properties dialog box.


4.
Choose OK to save the change and update SMS.

SMS Site Address Account

Here’s more information about the site address accounts. The SMS Site Address account is used to establish communications between a parent site and a child site in an SMS hierarchy for the purpose of forwarding data such as discovery data records (DDRs), site control information, inventory, and packages. Although the SMS Service account can be used to accomplish this task, it’s generally recommended that the SMS administrator create a separate account specifically for the purpose of intersite communications. This account can be made fairly secure as well because it need not be a member of the Domain Admins group. In fact, the account needs only Read, Write, Execute, and Delete permissions on the SMS_SITE share (SMS\Inboxes\Despoolr.box\Receive), so it could be simply a guest account with the appropriate permissions to the share.

Server Connection Account

SMS creates the SMS Server Connection account automatically during installation of the site server, and remote site systems use it to connect back to the site server to transfer information. The Inbox Manager Assistant component on CAPs uses this account to transfer client data to appropriate inboxes on the site server. The SMS Provider also uses this account to access SMS directories on the site server as well as the package definition file (PDF) store.

The SMS Server Connection account is named SMSServer_sitecode and is assigned a randomly generated password. Do not modify this account in any way. In fact, it’s a best practice not to modify any account created and maintained by SMS itself.

If you change the password for the SMS Server Connection account, you can reset it by running the Reset routine through SMS Setup. However, if you delete the account, calling Reset won’t restore it. Instead, you’ll need to reinstall SMS.

Accounts Specific to SMS Clients

The accounts used by SMS clients fall into three categories: those common to both the Advanced and Legacy Clients, those specific to the Advanced Client, and those specific to the Legacy Client. As you might have come to expect, the Advanced Client requires far fewer accounts than the Legacy Client does. Table 5 summarizes these accounts for you.

Table 5. Accounts specific to SMS clients
Account TypeAccount NameDescription
Accounts Common to Advanced and Legacy Clients
Client Configuration
Manager (CCM) Boot
Loader (Nondomain Controller)
SMSCCMBootAcct&Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that isn’t a domain controller.
CCM Boot Loader (Domain Controller)SMS#_domaincontrollerUsed to install the CCM Boot Loader during installation of SMS client components on an SMS client that’s a domain controller.
Accounts Specific to Advanced Clients
Advanced Client
Network Access
Administrator’s choiceOptional account.Used by the Advanced Client when an advertised program needs to access a share on a server other than the distribution point. The account is a domain account and must have appropriate permissions on the appropriate shares.
Accounts Specific to Legacy Clients
Client Services (Domain Controller)SMS$_domaincontrollerUsed by SMS client services specifically on domain controllers that are also SMS clients.
Client Service (Nondomain Controller)SMSCliSvcAcct&Used by SMS client services on domain SMS clients that aren’t domain controllers.
Client User Token (Domain Controller)SMSCliToknAcct&Used by SMS client services to execute various component functions on a domain controller installed as a Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package.
Client User Token (Nondomain Controller)SMSCliToknLocalAcct&Used by SMS client services to execute various component functions on the Legacy Client, as well as to run advertised programs in an administrator security context when specified for a package.
Client ConnectionSMSClient_sitecodeUsed by SMS client components running on Legacy Clients to connect to CAPs and distribution points to transfer data such as inventory or client configuration updates.
Legacy Client Software InstallationAdministrator’s choiceOptional account.Used by SMS in lieu of the SMS User Token to install an advertised program on a Legacy Client in an administrator security context when additional network access is required.

Client User Token Account

Here’s a bit more detail about the Client User Token account. When programs are executed at the Standard Client computer, they will run under the local user account’s security context. Since most users are logged on as users and not as administrators, these programs will run under the local user context. Although this isn’t such a big deal for non-Windows systems and for Windows 98 clients, it can be a big issue on Windows NT 4.0 and later clients because they maintain a local account database and provide more security over system modifications such as program installation. Thus, the security context poses a problem when dealing with SMS packages.

When you identify a program to SMS as requiring an administrator context to execute it, SMS uses the Client User Token account, named SMSCliToknAcct& if the client is a domain controller and SMSCliToknLocalAcct& if the client isn’t a domain controller, to create a user token on the client with sufficient access to run the program. This internal account is created automatically, assigned a random password, and granted the Act As Part Of The Operating System, Log On As A Service, and Replace A Process Level Token user rights on the client. This account will be sufficient in most cases. 

Real World: Creating Additional Client Connection Accounts

Since client connection account information, such as the randomly generated password, is propagated to each Windows computer that’s an SMS Legacy Client, you might encounter account lockout problems in Windows networks that have account lockout policies enabled. When SMS updates a client connection account password, that information is normally passed on to the client computers at the next client update cycle.

But what if a client computer has been shut down for a time—say, while a user was on vacation—and in the interim SMS updated the client account password? In this scenario the client computer would have no way of knowing about the password change. When the client computer was restarted, the client connection account would try to reconnect using the old password and would be locked out—effectively disabling SMS Legacy Clients from sending or receiving updates to the CAP.

The solution to this problem involves creating additional client connection accounts through the site server. You can create two or more client connection accounts for which you control the passwords. Rotate these accounts within the password aging cycle of your Windows account policy so that the client will always have access to a valid account. As you create a new client connection account, you can delete the oldest account. This technique ensures that the client computers will always have current account information and minimizes the possibility of the client connection account being locked out. Or better yet, upgrade your Legacy Clients to the Advanced Client software as soon as possible to take advantage of its streamlined approach to accounts and its superior security.

Other -----------------
- Windows Server 2003 on HP ProLiant Servers : Assessment of the Enterprise - Conducting the Assessment
- Windows Server 2003 on HP ProLiant Servers : Assessment of the Enterprise - The Assessment Team
- Windows Small Business Server 2011 : Disaster Planning - Preparing for a Disaster, Restoring from Backup
- Windows Small Business Server 2011 : Disaster Planning - Planning for Disaster
- SQL Server 2008 : Security - Networking
- SQL Server 2008 : Security - Authentication mode
- Microsoft Dynamic GP 2010 : Providing clean vendor information by properly closing Purchase Orders, Protecting against information loss by printing Fixed Asset Reports
- Microsoft Dynamic GP 2010 : Protecting Dynamics GP with key security settings
- Working with the Windows Home Server Registry : Finding Registry Entries
- Working with the Windows Home Server Registry : Working with Registry Entries - Changing the Value of a Registry Entry
- SharePoint 2010 : Packaging and Deployment Model - Site Definitions
- SharePoint 2010 : Packaging and Deployment Model - Features (part 3) - Upgrading Features
- SharePoint 2010 : Packaging and Deployment Model - Features (part 2) - Feature Receivers
- SharePoint 2010 : Packaging and Deployment Model - Features (part 1) - Feature Designer
- SharePoint 2010 : Packaging and Deployment Model - Working with Packages
- Microsoft Content Management Server Development : Validating the HtmlPlaceholderControl (part 3) - Building the Required HTML Placeholder Validator
- Microsoft Content Management Server Development : Validating the HtmlPlaceholderControl (part 2) - Checking for an Empty HtmlPlaceholderControl
- Microsoft Content Management Server Development : Validating the HtmlPlaceholderControl (part 1) - Retrieving the Current Value of the HtmlPlaceholderControl
- Windows Server 2003 on HP ProLiant Servers : Migration Case Studies (part 3) - Hewlett-Packard Company
- Windows Server 2003 on HP ProLiant Servers : Migration Case Studies (part 2) - Eastman Chemical Company
 
 
Most view of day
- System Center Configuration Manager 2007 : Desired Configuration Management - Troubleshooting
- Windows Server 2008 : Modifying Accounts with dsmod
- Microsoft Dynamics GP 2010 : Preventing Errors in Dynamics GP - Preventing account selection errors with Chart Segment names
- Microsoft Exchange Server 2010 : Working with SMTP Connectors, Sites, and Links (part 6) - Creating Receive Connectors
- Preparing and Configuring Boot Images (part 1) - Creating Boot Images
- Working with the Windows Home Server Registry : Starting the Registry Editor, Navigating the Registry
- Microsoft Visio 2010 : Formatting Individual Shapes (part 2) - Curing Menu Cascade-itis
- SQL Server 2008 R2 : Creating and Managing Stored Procedures - Using System Stored Procedures
- Sharepoint 2013 : Backup and Restore (part 6) - Farm Backup and Restore - Performing a Restore, Using PowerShell
- Microsoft Visio 2010 : Creating and Exporting SharePoint Workflow Diagrams
Top 10
- Windows Phone 8 : Scheduled Tasks - Scheduled Task API Limitations
- Windows Phone 8 : Scheduled Tasks - Updating Tiles Using a Scheduled Task Agent
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 5) - Editing an Existing To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 4) - Creating the To-Do Item Shell Tile, Saving a To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 3) - Debugging Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 2) - TodoService, TodoItemViewModel
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 1) - TodoItem,TodoDataContext
- Windows Phone 8 : Scheduled Tasks - Using Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - Background Agent Types
- Windows Phone 8 : Windows Phone Toolkit Animated Page Transitions - Reusing the Transition Attached Properties
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro