DOCUMENT:Q200670 04-MAR-2002 [sms] TITLE :SMS: Customizing the SMS Administrator Console PRODUCT :Microsoft Systems Management Server PROD/VER::2.0,2.0 SP1,2.0 SP2 OPER/SYS: KEYWORDS:kbsms200 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server versions 2.0, 2.0 SP1, 2.0 SP2 ------------------------------------------------------------------------------- SUMMARY ======= In Microsoft Systems Management Server version 2.0, the Systems Management Server Administrator console is a Microsoft Management Console (MMC) snap-in that can be customized by adding specific Console Tree Items (for example, Collections). Using Systems Management Server Console security, you can further limit console functionality by customizing the view that your administrators have of the Systems Management Server Administrator console. You set permissions on object classes and instances using the Security console item. MORE INFORMATION ================ When combined with MMC customizable consoles, the Systems Management Server 2.0 security model makes it easy to delegate Systems Management Server administrative tasks. Administrative tasks can be delegated by group. Define local groups on the site server that relate to required tasks. Corresponding global groups or users can be added as necessary. For example, a user group called HelpDesk can be created. Full permissions for Systems Management Server Remote Tools can be assigned to this group, but not permissions for Site Configuration objects. You can also create a customized MMC console that includes only the objects that the group requires to perform the tasks delegated to them. In this way, you can provide members of the HelpDesk group with all the tools required to support end users, yet prevent them from accessing unnecessary objects. The following example outlines the steps needed to create a custom MMC console that shows only the Collections tree item. The second set of instructions demonstrates how to set security options so that the HelpDesk group will be able to view and use Remote Tools on the "All Windows NT Systems" collection. NOTE: Members of the HelpDesk local group or corresponding HelpDesk global group are required to be members of the permitted viewers list for the Remote Tools Client Agent and of the SMS Admins local group on the server housing the Systems Management Server provider (either the SQL or SMS system). Using this method, it is not necessary to directly add users through the Web Based Enterprise Management Permissions Editor (WBEMPERM). To Create a Customized Systems Management Server Console: 1. If the Systems Management Server Administrator console is running, quit the program. 2. Click Start, and then click Run. 3. In the Open box, type "MMC" (without the quotation marks), and then click OK. 4. On the Console menu, click "Add/Remove Snap-in". The "Add/Remove Snap-in" dialog box is displayed. 5. Click Add. The "Add Standalone Snap-in" dialog box is displayed. 6. Click Systems Management Server and then click Add. The Site Database Connection Wizard starts. 7. Click Next. The Locate Site Database dialog box is displayed. Specify the site database to connect to. 8. Verify that "Reconnect to a site database" is selected, and then click "Select console items to be loaded (custom)". 9. Click Next. The Console Tree Items dialog box is displayed with the Systems Management Server console tree objects that are available for the new console. 10. Clear all options except Collections, and then click Next. The Completing the Site Database Connection Wizard dialog box is displayed, displaying settings for the new console. 11. Click Finish. The "Add Standalone Snap-in" dialog box is displayed. 12. Click Close. Systems Management Server is now displayed as a snap-in. Click OK. 13. If it is necessary to prevent users of the custom console from adding additional snap-ins, follow these steps: a. On the Console menu, click Options. b. On the User tab, verify that "Always open console files in Author mode" is cleared (not checked). c. Click the Console tab and change the Console mode to any of the three User Mode options, and then click OK. 14. On the Console menu, click Save As. The Save As dialog box is displayed. 15. Type a name for this specialized console and click Save. You have now created a custom console as a file that you can distribute to help desk users. These users require at least NTFS Read access to this file. To Set up Security Permissions ------------------------------ 1. Start the Systems Management Server Administrator Console. 2. Go to Site Database, and then click Security Rights. 3. Right-click Security Rights, click New, and then click Instance Security Right. 4. For user name, type "Domain\UserA" (without the quotation marks) or "Domain\GroupNameA" (without the quotation marks). 5. For Class, select Collection. 6. For Instance, select "All Windows NT Systems". 7. For permissions, select Read, Use Remote Tools, and Read Resource. 8. Click OK. NOTE: In step 3 it is possible to specify a new Class Security Right that enables the HelpDesk group to use Remote Tools for all collections. (It may be necessary to assign additional permissions for a HelpDesk Console, such as Status-Read and Queries-Read). It is also possible to grant appropriate permissions by starting the SMS User Wizard from Site Database | Security Rights | Right click |All Tasks | Manage SMS Users. WMI 1.5-Enabled Computers ------------------------- Computers that have been upgraded to Windows Management Instrumentation (WMI) 1.5 or Microsoft Windows 2000-based computers do not have the WMI 1.1 tool (Wbemperm.exe). NOTE: Windows NT 4.0 users which have WMI 1.5 installed, also need to install the Microsoft Security Configuration Editor (MSSCE), included on the Windows NT 4.0 Service Pack 4 (SP4) (and later) CD-ROM. On Windows NT-based computers, the tool is Wbemcntl.exe. MSSCE is required to edit the Access Control Lists (ACLs) on the Windows Installer (WI) namespaces. REFERENCES ========== Also see the following Knowledge Base articles: Q230263 How to Create Custom MMC Snap-in Tools Using Microsoft Management Console Q199869 SMS: Assigning Class and Instance Security Rights with the SMS User Wizard Q201126 SMS: Troubleshooting Connectivity to the SMS Site Database Additionally, the BackOffice 4.5 Resource Kit contains related information: Search for 'Custom MMC' from Microsoft Resource Kit Online Books. Additional query words: prodsms custom MMC wbemperm exe wbemcntl ====================================================================== Keywords : kbsms200 Technology : kbSMSSearch kbSMS200 kbSMS200SP1 kbSMS200SP2 Version : :2.0,2.0 SP1,2.0 SP2 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.