Logo
CAR REVIEW
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows Server

Microsoft Systems Management Server 2003 : NTFS Security

12/17/2012 4:41:23 PM

As you know, an SMS 2003 site server requires the existence of an NTFS partition that’s at least 1 GB in size. This requirement extends to the main SMS directory, of course, but it also includes the CAP and management point directories created and maintained generally on the site server. You should invest some time in reviewing the permissions set by SMS both on the directories and on the shares SMS creates to learn why various connection accounts need to be created and how the permissions set by SMS affect the ability of these accounts to carry out a task.

Tip

I have found that when organizations make changes to the access levels for Windows administrative shares, either through direct modification of permissions or through application of a group policy, the changes can affect SMS’s ability to create and maintain its own folders. If status and log messages indicate a permissions issue when SMS is trying to create or update a folder or file, the first thing to check should be the Windows security you’re applying on the SMS server. Often a minor change to a group policy can clear up major permission issues with SMS.

You can use Tables 1 through 4 to verify the permissions on the site server, CAP, management point, and distribution point. I’ll leave it to you to familiarize yourself with the permissions on other site systems (after all, you have to get some homework from me). In general, unless otherwise stated, sub-folders inherit their permissions from their parent folder. For the site server, I’ve identified the main shares and folders rather than iterating the hundreds of folders that SMS creates and maintains. (Well, okay, maybe not hundreds, but there are a lot!)

Table 1. CAP folder and share permissions
Share or Directory NameAdministratorsGuestsUsersEveryone
CAP_sitecode (share)Not assignedNot assignedNot assignedFull
CAP_sitecodeFullRead, Execute, ListRead, Execute, ListNot assigned
Ccr.boxFullRead, Write, ExecuteRead, Write, ExecuteNot assigned
Clicomp.boxFullRead, Execute, ListRead, Execute, ListNot assigned
Clidata.boxFullRead, Execute, ListRead, Execute, ListNot assigned
Clifiles.boxFullRead, Execute, ListRead, Execute, ListNot assigned
Ddr.boxFullRead, Write, ExecuteRead, Write, ExecuteNot assigned
Inventory.boxFullRead, Write, ExecuteRead, Write, ExecuteNot assigned
Offerinf.boxFullRead, Execute, ListRead, Execute, ListNot assigned
Pkginfo.boxFullRead, Execute, ListRead, Execute, ListNot assigned
Sinv.boxFullRead, Write, ExecuteRead, Write, ExecuteNot assigned
Statmsgs.boxFullRead, Write, ExecuteRead, Write, ExecuteNot assigned
Swmproc.boxFullRead, Execute, ListRead, Execute, ListNot assigned

Table 2. Management point folder permissions
Share or Directory NameAdministratorsSystemSMS_SiteSystemToSite ServerConnection_sitecode
SMS\MPFullFullRead, Execute, List
SMS\MP\OutboxesFullFullRead, Execute, List
Subfolders of SMS\MP\Outboxes\FullFullNot assigned

Table 3. SMS distribution points folder and share permissions
Share or Directory NameAdministratorsGuestsUsersEveryone
SMSPKGx$ (share)Not assignedNot assignedNot assignedFull
SMSPKGx$FullRead, Execute, ListRead, Execute, ListNot assigned
<package id>FullNot assignedRead, Execute, ListNot assigned

Table 4. SMS site server folder and share permissions
Share or Directory NameDescriptionAccountPermissions
SMS_sitecode (share)This share is associated with the \SMS directory—the installation directory for SMS on a site server.EveryoneFull
SMSThe directory into which SMS is installed on a site server.Administrators System SMS_SiteSystemToSiteServer-Connection_sitecodeFull
Full
Read, Execute,
List
SMS_SITE (share)This share is associated with the SMS\Inboxes\Despoolr.box\Receive directory.EveryoneFull
SMS\Inboxes\Despoolr.box\ReceiveThis directory is used when data is transferred from a child site to its parent site.Administrators System SMS_SiteSystem-ToSiteServerConnection_sitecodeFull
Full
Full
SMS ClientThis share is associated with the \SMS\Client directory.EveryoneFull
SMS\ClientThis directory is used to store the SMS client installation executable files.Administrators System SMS_SiteSystem-ToSiteServerConnection_sitecodeFull
Full
Read, Execute, List
  GuestsRead, Execute, List
  UsersRead, Execute, List
SMS_CPSx$ (share)This share is associated with the x\SMSPKG folder, where x represents the drive containing the folder. You identify this drive to SMS through the Software Distribution component properties in the SMS Administrator Console. EveryoneFull Control
SMSPKGThis directory is used to store the compressed package source file created during the package distribution process.Administrators SMS_SiteSystemTo-SiteServerConnection_sitecodeFull
Read, Execute, List
SMS_SUIAgentThis share is associated with the SMS\SUIAgent folder.EveryoneFull
SMS\SUIAgentThis directory is used to store the files associated with the Software Update Installation agents.Administrators System SMS_SiteSystem-ToSiteServer-Connection_sitecodeFull
Full
Read, Execute, List
Other -----------------
- Microsoft Systems Management Server 2003 : Standard and Advanced Security
- System Center Configuration Manager 2007 : Network Design - Use of BITS
- System Center Configuration Manager 2007 : Network Design - Fast Networks and Slow Networks
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Customizing and Developing MOSS Sites
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Exploring End-User Features in MOSS
- SQL Server 2008 R2 : Executing Stored Procedures
- SQL Server 2008 R2 : Advantages of Stored Procedures, Creating Stored Procedures
- Microsoft Dynamics CRM 4.0 : Silverlight - Deploying Silverlight Using IFrames, Notes Entity
- Microsoft Dynamics CRM 4.0 : Silverlight - Developing a Basic Silverlight Application
- Windows Server 2008 Server Core : Outputting Data Files with the Type Command
- Windows Server 2008 Server Core : Replacing Existing Files with the Replace Utility, Taking Ownership of Files with the TakeOwn Utility
- Microsoft Dynamic GP 2010 : Tools for Dynamics GP
- Microsoft Dynamic GP 2010 : Purchase Order Processing
- Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Internet Connection Sharing
- Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Firewall Basics
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Exploring Basic MOSS Features
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Understanding the History of SharePoint Technologies, Identifying the Need for MOSS 2007
- Managing SharePoint 2010 with Windows PowerShell : Managing SharePoint 2010 Web Applications
- Managing SharePoint 2010 with Windows PowerShell : Managing Permissions in SharePoint 2010, Managing Content Databases in SharePoint 2010
- BizTalk 2010 : ASDK SQL adapter examples (part 4) - Composite Operations
 
 
Most view of day
- Microsoft Lync Server 2010 : Planning for Voice Deployment - Voice Routing
- Monitoring Windows Small Business Server 2011 : Using the Windows SBS 2011 Best Practices Analyzer
- Automating Windows 7 Installation : Customizing Images Using Deployment Image Servicing and Management (part 2) - Mounting an Image , Servicing Drivers in an Image
- Windows Phone 8 : Messaging - Composing a New Message (part 7) - Adding Emoticons and Clip Art
- Using Wireless Bluetooth Devices : Configuring Your Bluetooth Adapter
- Preparing and Configuring Boot Images (part 2) - Adding Drivers to a Boot Image
- Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Protocol Filters
- Microsoft PowerPoint 2010 : Assigning Transitions to Slides
- Creating DVD Movies with Windows DVD Maker (part 1) - Adding Photos and Videos to Your DVD Project
- Troubleshooting Hardware, Driver, and Disk Issues : How to Use Built-In Diagnostics (part 4)
Top 10
- Windows Phone 8 : Scheduled Tasks - Scheduled Task API Limitations
- Windows Phone 8 : Scheduled Tasks - Updating Tiles Using a Scheduled Task Agent
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 5) - Editing an Existing To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 4) - Creating the To-Do Item Shell Tile, Saving a To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 3) - Debugging Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 2) - TodoService, TodoItemViewModel
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 1) - TodoItem,TodoDataContext
- Windows Phone 8 : Scheduled Tasks - Using Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - Background Agent Types
- Windows Phone 8 : Windows Phone Toolkit Animated Page Transitions - Reusing the Transition Attached Properties
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro