Microsoft Systems Management Server 2003 : Custom SMS Administrator Consoles

Perhaps the most common form of delegation is the help desk function. In a large organization, it wouldn’t be unusual to have an administrator or a group whose help desk responsibility is focused on specific departments or regions. It might not be desirable or practical for these individuals to have full access to every object in the SMS database. They really need access only to their assigned department’s collection and the ability to initiate remote sessions with their assigned clients.

We can start by providing a custom SMS Administrator Console that displays only the Collections objects. This limitation narrows down what the administrator sees when the SMS Administrator Console is launched. However, this is only a surface modification—any savvy user could restore the other SMS objects to the SMS Administrator Console. The complete solution is to create a custom console and apply appropriate security to all the SMS objects and instances so that administrators see and have access only to what they should.

Setting Security

You begin the process of creating a custom console by applying the appropriate security to the SMS objects. Consider, for example, a help desk group assigned to your organization’s finance department. Help desk administrators belong to a Windows group named Finance Help. You have also created an SMS collection named Finance Clients that contains all the SMS client computers in the finance department.

You set security on all SMS objects in such a way that the Finance Help group has no permissions on any SMS object class. This effectively restricts the Finance Help group members from viewing any SMS objects other than what they need access to—the Finance Clients collection. For that one collection, you’ll give Finance Help the permissions the members need to initiate Remote Tools sessions—Read, Read Resource, and Use Remote Tools—shown in Figure 1.

Notice that for the Collections object class, Finance Help has no permissions. However, for the Collections object instance Finance Clients, Finance Help has the permissions necessary to initiate a Remote Tools session. The result is that the group has no access to any other collection except this one.

Creating the Custom Console

The next step is to create a custom console to the Finance Help administrators that displays only the Finance Clients collection. To create a customized SMS Administrator Console, follow these steps:

1.	From the Start menu on the desktop taskbar of your SMS Administrator Console computer, choose Run and enter MMC to launch a generic MMC, shown in Figure 2. Figure 2. A generic MMC.
2.	Choose Add/Remove Snap-In from the Console menu to display the Add/Remove Snap-In Properties dialog box, shown in Figure 3. Figure 3. The Add/Remove Snap-In Properties dialog box.
3.	In the Standalone tab, click the Add button to display the Add Standalone Snap-In dialog box, shown in Figure 4. This dialog box lists the MMC snap-ins currently available. Figure 4. The Add Standalone Snap-In dialog box.
4.	Select Systems Management Server from the list and then click Add to launch the Site Database Connection Wizard, shown in Figure 5. Figure 5. The Site Database Connection Wizard welcome page.
5.	Click Next to display the Locate Site Database page, shown in Figure 6. Specify the site server to which you want the console to connect. Remember, this should be the SMS site that the Finance Help administrators need access to. Figure 6. The Locate Site Database page.
6.	Select the Select Console Tree Items To Be Loaded (Custom) option.
7.	Click Next to display the Console Tree Items page, shown in Figure 7. Select the SMS console tree entries you want to display in the custom console. In this example you’ll choose SMS Collections only. Figure 7. The Console Tree Items page.
8.	Click Next to display the Completing The Site Database Connection Wizard page. Review your selections and then click Finish.
9.	Click Close in the Add Standalone Snap-In dialog box, and then click OK in the Standalone tab in the Add/Remove Snap-In Properties dialog box to save your configuration. The management console shown in Figure 8 demonstrates that the only SMS object this console will display is Collections. Figure 8. The custom management console.
10.	Choose Options from the Console menu to display the Options properties dialog box, shown in Figure 9. Figure 9. The Options properties dialog box.
11.	From the Console Mode drop-down list, select User Mode - Limited Access, Single Window. This option ensures that the top-level console menus (Console, Window, and Help) are hidden when the console is open and effectively prevents the user from modifying the console in any way. Select the option Do Not Save Changes To This Console to prevent any unintentional modifications later. Click OK to save your settings and return to the console window.
12.	Choose Save As from the Console menu to display the Save As dialog box. By default, the file will be saved in the Administrative Tools program folder. Retain that folder or select or create your own. Enter a filename for the console—for example, Finance.msc. Then choose Save.
13.	Close the new console.

Distributing the Custom Console

The next step is to distribute the custom console to the administrators in the Finance Help group. Begin by installing the SMS Administrator Console on their Windows NT 4.0 workstations. Next, replace the default SMS.msc file with the console you just created. You can rename the console SMS.msc so that when administrators click the shortcut in the Systems Management Server program group, the correct console is launched.

When an administrator in the Finance Help group launches the customized SMS Administrator Console, he or she will see only the Collections object, and because of the security you applied, only one object instance—the Finance Clients collection, shown in Figure 10.

Figure 10. Sample custom console with security applied.