Topic last updated—March 2008
Microsoft System Center Configuration Manager 2007 administrators can use the Configuration Manager 2007 console to manage Configuration Manager 2007 sites. By default, the only Configuration Manager console user is the user who ran Setup, but most organizations will have more than one user who needs access to the Configuration Manager 2007 console.
Required Rights and Permissions
Console users must be members of the SMS Admins group or of a group with equivalent rights and permissions. Also, any administrators who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and the SMS Provider computer. For more information, see How to Configure DCOM Permissions for Configuration Manager Console Connections.
Simply adding a user to the SMS Admins group is not enough to access objects in the Configuration Manager 2007 console. These users must also be granted Configuration Manager 2007 security rights to all objects that the administrators will manage. For more information, see How to Assign Rights for Objects to Users and Groups.
Users of the Configuration Manager 2007 console do not require administrative rights to the Configuration Manager 2007 console computer. However, if the user does not have local administrator rights, the user must first run Microsoft Management Console (MMC) and then add the Configuration Manager 2007 snap-in to create a new console session. The user can then save the console session and run the new session without administrator rights on the local computer.
However, when you try to create task sequence media, if you are not an administrator on the computer where you are running the Configuration Manager 2007 console, you will get the error "The hash value is not correct" when trying to create task sequence media.
In Configuration Manager 2007 SP1, your account must be configured as an AMT user account if you want to run the out of band management console.
Account and password creation
The accounts are created and maintained by the network account administrator.
Account location
The accounts are typically domain accounts.
Account maintenance
The accounts are created and maintained in Active Directory Domain Services by a domain admininistrator.
Security best practices
Use complex passwords for these accounts.
Closely monitor the users who have access to the Configuration Manager 2007 console because there is no defense against a trusted administrator. Conduct background checks before hiring Configuration Manager 2007 administrators. Conduct security audits of their administrative activity.
Always have at least one user who has full rights to all Configuration Manager 2007 objects.
Assign the minimum Configuration Manager 2007 security rights for the user to perform Configuration Manager 2007 administration. Use role separation whenever possible.