Topic last updated—November 2007

If you are experiencing errors in Microsoft System Center Configuration Manager 2007, a common cause is improperly configured security access. The following checklist can help you verify that you have the correct account and group configuration for Configuration Manager 2007.

Account Checklist

Check Details

Verify that the computer accounts for the following site roles are added to Site System to Site Server Connection group.

  • Fallback status points

  • Management points

  • PXE service points

  • Site database server (if on a remote computer)

  • SMS Provider computer

  • Software update points

  • State migration points

  • System Health Validator points

If no trust relationship exists between the site system role domain and the site server domain, you will not be able to add these accounts to the Site System to Site Server Connection group. In this case, you must configure the site system setting Allow only site server initiated data transfers from this site system on the General tab of the site system properties, which configures the site server to pull data from the site role instead of having the site system role push data back to the site server. For more information, see About the Site System to Site Server Connection Group.

Verify that all sites have accounts configured for site-to-site communications (if there are multiple sites in the hierarchy)

If your site servers are in the same forest, you should use the site server computer$ account for site-to-site communications.

If the site servers are in different forests, even if there is a trust relationship, use the Site Address account.

Whichever account you use, verify that it is a member of the Site to Site Connection group.

A child site sends only to the parent site, but a parent site might initiate site-to-site communications with a child or grandchild site and require membership in the Site to Site Connection group on grandchild sites.

If you specify a domain user account as the Site Address account and then later decide you want to use the computer account as the Site Address account, you must delete the address and recreate it. Changing the account name is not sufficient when switching from a user account to the computername$ account.

For more information, see About the Site Address Account.

Verify that the computer account for the site server is added to the local Administrators group for the following site system roles:

  • Distribution points

  • Fallback status points

  • Management points

  • PXE service points

  • Reporting points

  • Server locator points

  • Site database server

  • SMS Provider computer

  • Software update points

  • State migration points

  • System Health Validator points

If all computers are in the same forest, you must manually add the site server computer$ account to each local Administrators group. You should complete this step before configuring the computer as a site system.

If the site system is in a different forest than the site server, configure a Site System Installation Account on the site system properties and add the Site System Installation Account to each local Administrators group. For more information, see About the Site System Installation Account.

If you must use database connection accounts, manually add them to the SQL role.

  • Management points: smsdbrole_MP

  • Server locator points: smsdbrole_SLP

  • PXE service point: smsdbrole_PSP

By default, Configuration Manager 2007 uses the site system computer$ account to connect to the site database and automatically adds that computer$ account to the matching SQL Server role on the database. If you create a connection account, the accounts are not automatically added to the corresponding role.

For more information, see About the Management Point Database Connection Account, About the PXE Service Point Database Connection Account, and About the Server Locator Point Database Connection Account.

If you have extended your Active Directory schema, grant the site server computer account permissions to publish in Active Directory Domain Services

For more information, see How to Set Security on the System Management Container in Active Directory Domain Services.

Verify that the required IIS accounts are enabled and have default permissions on all site systems that require IIS.

Configuration Manager 2007 requires the Internet Guest Account and the IIS Worker Process Group. If these groups have been disabled or have had their default rights and permissions restricted, Configuration Manager 2007 site roles might not function properly. For more information, see About the Internet Guest Account in Configuration Manager and About the IIS Worker Process Group in Configuration Manager.

Verify that appropriate users are added to the SMS Admins group.

Restrict access to the SMS Admins group to as few members as possible. However, if a user must access the Configuration Manager 2007 console, they must be members of this group to have the rights to access objects in the console. If you grant a user the rights to manage an object and they are not in the SMS Admins group, they cannot access the object. For more information, see About the SMS Admins Group.

Add users to reporting users if they need to access only reports and not the Configuration Manager 2007 console

Reporting Users controls access to the Configuration Manager 2007 Reports Web site. Because Reporting Users is a local group, you must add users to each reporting point individually if they require access to more than one. For more information, see About the Reporting Users Group.

If you remove the Internet Guest account from the Users group or if you remove the Users group as a package access account, add the Internet Guest account explicitly to the package as a package access account with whatever permissions are required to access to the package.

The Internet Guest account IUSR_<computername> is used by Microsoft System Center Configuration Manager 2007 clients for anonymous access to BITS-enabled distribution points when accessing content without using Windows authentication. For more information, see About the Internet Guest Account in Configuration Manager.

If you upgraded from SMS 2003, verify that administrators have rights to objects new to Configuration Manager 2007.

After a fresh installation, the account will be the only user account with rights to the Configuration Manager 2007 console. If you are upgrading from a previous version, other administrators retain their existing rights to the console but are not automatically granted new rights to new objects. For more information, see How to Assign Rights for Objects to Users and Groups.

Verify that administrators who will use a remote Configuration Manager console have Remote Activation DCOM permissions on both the site server computer and SMS Provider computer.

For more information, see How to Configure DCOM Permissions for Configuration Manager Console Connections.

Verify that each account is using the least possible permissions.

For more information, see Accounts and Groups in Configuration Manager.

Security Best Practices for Accounts

Add users to the Permitted Viewers list instead of adding them directly to the ConfigMgr Remote Control Users Group

After Setup, if you need to remove Configuration Manager 2007 rights from the account used to install Configuration Manager, add those rights to another account first

Always have at least one user who has full rights to all Configuration Manager 2007 objects

Assign the minimum Configuration Manager 2007 security rights for the user to perform Configuration Manager 2007 administration. Use role separation whenever possible.

Closely monitor the users who have access to the Configuration Manager 2007 console because there is no defense against a trusted administrator.

Configure SQL Server to run under a domain user account instead of Local System

Configure the package access permissions so that only authorized installers of the software have access to the files on the distribution points.

Do not add any Configuration Manager 2007 user or computer accounts to the Domain Admins group

Do not add servers hosting the following server roles to the Site System to Site Server Connection Group:

  • Reporting points

  • Server locator points

  • Distribution points

Do not change the Startup type and Log on as settings for Configuration Manager 2007 services

Do not grant the Client Push Installation account the right to log on locally.

Do not grant the following accounts interactive logon rights:

  • Health State Reference Querying account

  • PXE Service Point Database Connection Account

  • Management Point Database Connection Account

  • Server Locator Point Database Connection Account

  • Network Access Account

  • Capture Operating System Image Account

  • Task Sequence Editor Domain Joining Account

  • Task Sequence Editor Network Folder Connection Account

Do not grant the Network Access Account rights to join a computer to the domain.

Do not modify the SQL Server roles and permissions created by Configuration Manager 2007

Do not remove rights and permissions from Local System, Local Service, and Network Service

Do not remove the default permissions used by the Internet Guest account and the IIS Worker Process Group to access Configuration Manager 2007 resources

Do not use the Network Access account as any of the following accounts:

  • Package Access Account

  • Task Sequence Editor Domain Joining Account

  • Capture Operating System Image Account

  • Task Sequence Editor Network Folder Connection Account

Do not use the same account for the Health State Reference Publishing account and the Health State Reference Querying Account because the Querying account requires only Read permissions.

Enter an account name in the Permitted Viewers list by using the domain\account format to remove any ambiguity that might occur at the client

Explicitly specify all global groups on the Permitted Viewers list

If possible, use the site server computer$ account instead of creating these accounts:

  • Server Locator Point Database Connection Account

  • PXE Service Point Database Connection Account

  • Management Point Database Connection Account

  • Site Address Account

  • Site System Installation Account

  • Software Update Point Connection Account

If you create the following accounts, create them as local accounts on the computer running SQL Server

  • Server Locator Point Database Connection Account

  • PXE Service Point Database Connection Account

  • Management Point Database Connection Account

If you disable remote tools, manually delete the ConfigMgr Remote Control Users group.

If you have many domain controllers and have accounts that will be used across domains, verify that the accounts have replicated before configuring them in the Configuration Manager 2007 console.

If you need accounts for your task sequences, you create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts

If you use the Client Push Installation account, create a Group Policy object to add it to the local Administrators group

Minimize the use of the Local System account on the site servers and site systems by not installing other services that use the Local System account

Promptly remove servers from the Site System to Site Server Connection Group when they no longer host server roles that require membership

Set the package access permissions when you first create the package

To mitigate the risk of the Client Push Installation account being compromised, use an alternative method of client installation like Software Update Point Client Installation, Group Policy-based installation, or imaging

Use complex password for all user accounts

Use the same account for the RAS Sender Phone Book account as for the Site Address account.

See Also