SMS uses a variety of accounts to perform various tasks. Some of
these accounts might be created by you, such as a Client Connection
account; others are created by SMS automatically, such as the SMS Server
Connection account. The number of accounts that SMS creates and
requires depends largely on the security mode you’ve selected. As we’ve
seen, advanced security mode only requires the local system account and
computer account.
You can categorize the various accounts that SMS can use in many ways. I have broken these down into four categories as follows:
Accounts common to both advanced and standard security
Accounts specific to advanced security
Accounts specific to standard security
Accounts specific to clients (advanced and standard security)
In this section we’ll review each of these account categories in more detail.
Accounts Common to Advanced and Standard Security
Three user accounts and six group accounts used
at the SMS server level are common to both advanced and standard
security. These are described in Tables 1 and 2.
Table 1. User accounts common to advanced and standard security
| Account Type | Account Name | Description |
|---|
| Local System | N/A | Required account. Used to run SMS client and server processes and services. Used to run SMS Advanced Client and server processes in Advanced Security. |
| Client Push Installation | Administrator’s choice | Optional account. Used
to install SMS components on Legacy Client computers when the SMS
Service account doesn’t have appropriate rights on the client computer.
Can be identified for use by Advanced Clients as well. Default for Legacy Client: SMS Service Account. Default for Advanced Client: client computer account. |
| Site Address | Administrator’s choice | Optional account. Used for site-to-site communications. Default for standard security: SMS Service account. Default for advanced security: site server computer account. |
Table 2. Group accounts common to advanced and standard security
| Account Type | Account Name | Description |
|---|
| SMS Administrators | SMS Admins | Used to provide access to the SMS Provider through WMI to launch the SMS Administrator Console and access the SMS site database. |
| Internal Client Group | SMSInternalCliGrp | Contains
the client token and client service accounts on domain controllers
(domain controllers require that all user accounts belong to a group). |
| Reporting Users | SMS Reporting Users | Controls user access to SMS. Reports through the reporting point. |
| Site System To Site Server Connection | SMS_SiteSystem-ToSiteServerConnection_sitecode | Provides site systems access to site server resources. |
| Site System To SQL Server Connection | SMS_SiteSystem-ToSSQLConnection_sitecode | Provides management points, server locator points, and reporting points access to the SMS site database server. |
| Site To Site Connection | SMS_SiteToSite-Connection_sitecode | Facilitates communications between sites in an SMS hierarchy. Default members are site address accounts. |
Accounts Specific to Advanced Security
When
we talk about advanced security, we usually refer to the local system
account and the computer account. Strictly speaking, the local system
account is sometimes used while running standard security. However, I’m
including it here to emphasize its purpose under advanced security. Table 3 summarizes these two accounts.
Table 3. Accounts specific to advanced security
| Account Type | Account Name | Description |
|---|
| Local System | N/A | Used
to run SMS client and server processes and services.Used to run SMS
Advanced Client and server processes in Advanced Security. |
| Computer | Machinename$ | Used by SMS computers to communicate with other SMS computers. |
Accounts Specific to Standard Security
Like
SMS 2.0, SMS 2003 running in standard security mode uses many accounts
to carry out various tasks on the server and on the client. Table 4 summarizes these accounts.
Table 4. Accounts specific to standard security
| Account Type | Account Name | Description |
|---|
| SMS Service | SMSService by default, but also administrator’s choice | Used to run SMS site server processes and services. |
| Server Connection | SMSServer_sitecode | Used to provide CAPs access to the site server. |
| Site System Connection | Administrator’s choice | Optional account.Used to provide sites servers access to site systems. SMS Service account is used by default. |
| Remote Service | SMSSvc_sitecode_xxxx | Used
to run the SMS Executive service on remote CAPs and the SQL Monitor
service on an SMS database server that isn’t the site server. |
SMS Service Account
Here’s a bit more about the SMS Service account
as you’re likely to encounter it if you’re upgrading from an SMS 2.0
site or need to maintain downward compatibility within your SMS
hierarchy for a time. The SMS Service account is the primary account
created by SMS in standard security mode. Site server services use this
account to create shares and directories on site systems, set
permissions, copy files, install services and components, and verify
operation of the site system. Specifically, the SMS Executive, SMS Site
Component Manager, SMS Site Backup, SMS SQL Monitor, and SMS Client
Configuration Manager all use this account. The SMS Service account is
created when the SMS site server is installed. By default, it’s named
SMSService and made a member of the local Administrators group on the
site server as well as the Domain Admins and Domain Users groups in the
Windows domain the site server belongs to. Because the account is a
domain administrator, you should probably rename it and provide password
protection with a complex password composed of alphanumeric and special
characters. (Just don’t forget the password.)
Tip
One
way to increase security for your Windows domain is to remove the SMS
Service account from the Domain Admins group and add it directly to the
local Administrators groups on the site server, the server running SQL,
CAP, logon point, and software metering server. If you aren’t using a
Client Push Installation account, add the SMS Service account to the
local Administrators group on every SMS Legacy Client as well. |
If your SMS site systems are members of trusted
Windows domains, you can use the same SMS Service account throughout
your site hierarchy for convenience. However, if SMS sites and site
systems are in untrusted Windows domains, you must create the account
separately in each domain. Although this won’t be a concern with Windows
2000 or higher domains, trust relationships might well be a concern if
you still need to support Windows NT 4.0 domains. For example, the SMS
Service account is used to access the SMS database on the server running
SQL. If the server running SQL happens to be in a different, untrusted
Windows domain than the SMS site server, SMS will need to use Windows’
pass-through authentication method to gain access to the server running
SQL. This means that you’ll need to create the SMS Service account in
the domain of the server running SQL using the same account name and
password that are used on the site server.
Caution
Do
not change this account through the Windows account management
tools—for example, the User Manager For Domains utility in Windows NT
4.0. If you need to rename the account or change the password, do so
using the Reset function of SMS Setup. This method will ensure that all
the SMS services are properly updated with the changed account
information. |
SQL Server Account
The SQL Server account, created by SQL Server
during its installation, is used to provide SMS services with access to
the SMS database and the software metering database. The type of account
that’s used depends on whether or not you’re using Windows
Authentication mode when accessing SQL Server.
By and large, you manage SQL Server accounts
through SQL Server Enterprise Manager. If you need to change the account
for SMS, first establish the account in SQL Server and then update SMS
with the new account information, as shown here:
1. | In the SMS Administrator Console, navigate to the sitecode - site name entry under Site Hierarchy.
|
2. | Right-click the site entry and choose Properties from the context menu to display the Site Properties dialog box.
|
3. | Select the Accounts tab, shown in Figure 1.
In the SQL Server Account section, click Set and supply the new account
name and password in the SQL Server Account dialog box.
|
4. | Choose OK to save the change and update SMS.
|
SMS Site Address Account
Here’s more information about the site address
accounts. The SMS Site Address account is used to establish
communications between a parent site and a child site in an SMS
hierarchy for the purpose of forwarding data such as discovery data
records (DDRs), site control information, inventory, and packages. Although the SMS Service account can be used to
accomplish this task, it’s generally recommended that the SMS
administrator create a separate account specifically for the purpose of
intersite communications. This account can be made fairly secure as well
because it need not be a member of the Domain Admins group. In fact,
the account needs only Read, Write, Execute, and Delete permissions on
the SMS_SITE share (SMS\Inboxes\Despoolr.box\Receive), so it could be
simply a guest account with the appropriate permissions to the share.
Server Connection Account
SMS creates the SMS Server Connection account
automatically during installation of the site server, and remote site
systems use it to connect back to the site server
to transfer information. The Inbox Manager Assistant component on CAPs
uses this account to transfer client data to appropriate inboxes on the
site server. The SMS Provider also uses this account to access SMS
directories on the site server as well as the package definition file
(PDF) store.
The SMS Server Connection account is named SMSServer_sitecode and is assigned a randomly generated password. Do not modify this account in any way. In fact, it’s a best practice not to modify any account created and maintained by SMS itself.
If you change the password for the SMS Server
Connection account, you can reset it by running the Reset routine
through SMS Setup. However, if you delete the account, calling Reset
won’t restore it. Instead, you’ll need to reinstall SMS.
Accounts Specific to SMS Clients
The accounts used by SMS clients fall into three
categories: those common to both the Advanced and Legacy Clients, those
specific to the Advanced Client, and those specific to the Legacy
Client. As you might have come to expect, the Advanced Client requires
far fewer accounts than the Legacy Client does. Table 5 summarizes these accounts for you.
Table 5. Accounts specific to SMS clients
| Account Type | Account Name | Description |
|---|
| Accounts Common to Advanced and Legacy Clients |
Client Configuration
Manager (CCM) Boot
Loader (Nondomain Controller) | SMSCCMBootAcct& | Used
to install the CCM Boot Loader during installation of SMS client
components on an SMS client that isn’t a domain controller. |
| CCM Boot Loader (Domain Controller) | SMS#_domaincontroller | Used to install the CCM Boot Loader during installation of SMS client components on an SMS client that’s a domain controller. |
| Accounts Specific to Advanced Clients |
Advanced Client
Network Access | Administrator’s choice | Optional
account.Used by the Advanced Client when an advertised program needs to
access a share on a server other than the distribution point. The
account is a domain account and must have appropriate permissions on the
appropriate shares. |
| Accounts Specific to Legacy Clients |
| Client Services (Domain Controller) | SMS$_domaincontroller | Used by SMS client services specifically on domain controllers that are also SMS clients. |
| Client Service (Nondomain Controller) | SMSCliSvcAcct& | Used by SMS client services on domain SMS clients that aren’t domain controllers. |
| Client User Token (Domain Controller) | SMSCliToknAcct& | Used
by SMS client services to execute various component functions on a
domain controller installed as a Legacy Client, as well as to run
advertised programs in an administrator security context when specified
for a package. |
| Client User Token (Nondomain Controller) | SMSCliToknLocalAcct& | Used
by SMS client services to execute various component functions on the
Legacy Client, as well as to run advertised programs in an administrator
security context when specified for a package. |
| Client Connection | SMSClient_sitecode | Used
by SMS client components running on Legacy Clients to connect to CAPs
and distribution points to transfer data such as inventory or client
configuration updates. |
| Legacy Client Software Installation | Administrator’s choice | Optional
account.Used by SMS in lieu of the SMS User Token to install an
advertised program on a Legacy Client in an administrator security
context when additional network access is required. |
Client User Token Account
Here’s a bit more detail about the Client User
Token account. When programs are executed at the Standard Client
computer, they will run under the local user account’s security context.
Since most users are logged on as users and not as administrators,
these programs will run under the local user context. Although this
isn’t such a big deal for non-Windows systems and for Windows 98
clients, it can be a big issue on Windows NT 4.0 and later clients
because they maintain a local account database and provide more security
over system modifications such as program installation. Thus, the
security context poses a problem when dealing with SMS packages.
When
you identify a program to SMS as requiring an administrator context to
execute it, SMS uses the Client User Token account, named
SMSCliToknAcct& if the client is a domain controller and
SMSCliToknLocalAcct& if the client isn’t a domain controller, to
create a user token on the client with sufficient access to run the
program. This internal account is created automatically, assigned a
random password, and granted the Act As Part Of The Operating System,
Log On As A Service, and Replace A Process Level Token user rights on
the client. This account will be sufficient in most cases.
Since
client connection account information, such as the randomly generated
password, is propagated to each Windows computer that’s an SMS Legacy
Client, you might encounter account lockout problems in Windows networks
that have account lockout policies enabled. When SMS updates a client
connection account password, that information is normally passed on to
the client computers at the next client update cycle. But
what if a client computer has been shut down for a time—say, while a
user was on vacation—and in the interim SMS updated the client account
password? In this scenario the client computer would have no way of
knowing about the password change. When the client computer was
restarted, the client connection account would try to reconnect using
the old password and would be locked out—effectively disabling SMS
Legacy Clients from sending or receiving updates to the CAP. The
solution to this problem involves creating additional client connection
accounts through the site server. You can create two or more client
connection accounts for which you control the passwords. Rotate these
accounts within the password aging cycle of your Windows account policy
so that the client will always have access to a valid account. As you
create a new client connection account, you can delete the oldest
account. This technique ensures that the client computers will always
have current account information and minimizes the possibility of the
client connection account being locked out. Or better yet, upgrade your
Legacy Clients to the Advanced Client software as soon as possible to
take advantage of its streamlined approach to accounts and its superior
security. |
