The security requirements to install and use the Custom Updates Publishing Tool are different depending on whether the Publishing Tool and SMS 2003 site server databases are local or remote. The following tables provide the required security in each scenario.

Local Publishing Tool Database and Local SMS 2003 Site Server Database

The following table describes the permissions required for the user to install and use the Custom Updates Publishing Tool when both the publishing tool database and SMS 2003 site server database are located on the publishing tool computer.

Local Computer

The user must be a local Administrator on the computer to install and use the Custom Updates Publishing Tool.

SMS object permissions are required for a user to publish and synchronize software updates catalogs to the local SMS 2003 site server.

Full permissions must be granted to all instances for the Package and Software Updates classes.

Local Publishing Tool Database and Remote SMS 2003 Site Server Database

The following table describes the permissions required for the user to install and use the Custom Updates Publishing Tool when the publishing tool database is local and the SMS 2003 site server database is remote to the publishing tool computer.

Local Computer

The user must be a local Administrator on the computer to install and use the Custom Updates Publishing Tool.

Remote SMS 2003 Site Server Computer

SMS object permissions are required for a user to publish and synchronize software updates catalogs to the local SMS 2003 site server.

Full permissions must be granted to all instances for the Package and Software Updates classes.

The firewall on the SMS 2003 site server computer must be configured, if required.

The DCOM settings on the SMS 2003 site server must be configured, if required.

Remote Publishing Tool Database and Remote SMS 2003 Site Server Database

The following table describes the permissions required for the user to install and use the Custom Updates Publishing Tool when both the publishing tool database and SMS 2003 site server database are remotely located from the publishing tool computer.

Important
On remote publishing tool databases, a SQL script must be run on the remote SQL Server 2005 computer to create the mscuptdb database and MS_Custom_Updates_Publishing_Tool_User database role. For more information, see How to Pre-Create the Publishing Tool Database.

Local Computer

The user must be a local Administrator on the computer to install and use the Custom Updates Publishing Tool.

Remote Publishing Tool Database Computer

Prior to installing the Custom Updates Publishing Tool, a database login must be created for the user on the SQL Server 2005 publishing tool database. The database login must have MS_Custom_Updates_Publishing_Tool_User database role permissions to the mscuptdb database.

The firewall on the remote SQL Server 2005 computer must be configured, if required.

The DCOM settings on the remote SQL Server 2005 computer must be configured, if required.

Remote SMS 2003 Site Server Computer

To synchronize the custom updates catalog with the SMS 2003 site server, the user must be added to the SMS Admins local group on the site server computer (and to the SQL Server 2005 computer if it is remotely located from SMS 2003), if required, and have full security rights to all instances of the Package and Software Updates classes.

The firewall on the SMS 2003 site server computer must be configured, if required.

The DCOM settings on the SMS 2003 site server must be configured, if required.

Low-Rights Users

After the Custom Updates Publishing Tool has been installed, low-rights users can start and make full use of the publishing tool if the permissions for the user are configured correctly. In addition to the permissions described in the previous section, low-rights users need the configurations on the local computer, as described in the following table.

Local Computer

Prior to installing the Custom Updates Publishing Tool, a database login must be created for the low-rights user on the publishing tool SQL Server 2005 database. The database login must have MS_Custom_Updates_Publishing_Tool_User database role permissions to the mscuptdb database.

The user must have Read and Execute, List, Read, Write, and Modify file system rights on the <installation folder>\Microsoft Custom Update Publishing Tool folder.

For the low-rights user to change the publishing tool data source or synchronize with the SMS 2003 site server database, full control permissions must be granted to the HKLM\Software\Microsoft\PublishingTool registry key.
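A read-only check of the folder and registry settings listed above, added here as an example and not part of the original documentation. The parameter names, the function name `Test-PublishingToolAcl` and the list of broad groups are assumptions; the installation folder must be supplied by the operator.

```powershell
# Added example (not Microsoft's code): read-only audit of the low-rights-user settings.
param(
    [Parameter(Mandatory = $true)] [string] $Account,       # DOMAIN\user to check
    [Parameter(Mandatory = $true)] [string] $InstallFolder  # the "<installation folder>" value
)
$fsr = [System.Security.AccessControl.FileSystemRights]
$rr  = [System.Security.AccessControl.RegistryRights]

# Each target: path, ACE property holding the rights, rights the page requires,
# and the specific bits treated as "write" when looking for over-broad grants.
# Modify already contains Read and Execute (List on folders), Read and Write.
$targets = @(
    @{ Path = Join-Path $InstallFolder 'Microsoft Custom Update Publishing Tool'
       Prop = 'FileSystemRights'; Need = [int]$fsr::Modify
       Write = [int]($fsr::WriteData -bor $fsr::AppendData) },
    @{ Path = 'HKLM:\Software\Microsoft\PublishingTool'
       Prop = 'RegistryRights'; Need = [int]$rr::FullControl
       Write = [int]($rr::SetValue -bor $rr::CreateSubKey) }
)
# Groups that should not hold write access to either object (assumed review list).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-PublishingToolAcl {
    param($Target, [string] $Account, [string[]] $BroadGroups)
    $allow = (Get-Acl -Path $Target.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    $granted = 0
    $flagged = @()
    foreach ($ace in $allow) {
        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.($Target.Prop)
        # Only ACEs naming the account directly are counted; rights held through
        # group membership and Deny ACEs are not evaluated here.
        if ($who -ieq $Account) { $granted = $granted -bor $rights }
        if (($BroadGroups -contains $who) -and ($rights -band $Target.Write)) {
            $flagged += $who
        }
    }
    New-Object PSObject -Property @{
        Path             = $Target.Path
        AccountHasNeeded = (($granted -band $Target.Need) -eq $Target.Need)
        BroadWriters     = ($flagged | Select-Object -Unique) -join ', '
    }
}

$targets | ForEach-Object { Test-PublishingToolAcl $_ $Account $broad } |
    Format-List Path, AccountHasNeeded, BroadWriters
```

An empty `BroadWriters` value with `AccountHasNeeded` set to `True` means the grant is scoped to the named account on that object.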
