Topic last updated -- November 2007
SMS Admins provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying Microsoft System Center Configuration Manager 2007 security objects and data in the Configuration Manager 2007 console.
Service Manager uses the security context of the logged on user instead of the SMS Admins group when making a connection.
Required rights and permissions
SMS Admins rights and permissions are set in the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After the user connects to the SMS Provider, the user is granted access based on the object security rights defined in the Configuration Manager 2007 console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace.
Any administrators who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and SMS Provider computer. While you can grant these rights to any user or group, you should grant them to SMS Admins to simplify administration. Any user added to SMS Admins should be trusted enough to allow Remote Activation. For more information, see How to Configure DCOM Permissions for Configuration Manager Console Connections.
The group is created on the site server and on the computer running the SMS Provider.
Type of Group
If the SMS Provider computer is a member server, SMS Admins is a local group. If the SMS Provider computer is a domain controller, SMS Admins is a domain local group.
Anyone who needs to access the Configuration Manager 2007 Administrator console should be added to this group.
When granting rights to objects in the Configuration Manager 2007 console, you can assign permissions to users, local groups, global groups, universal groups, and nested global groups. When you use the Manage ConfigMgr Users wizard to add security rights to users or groups, if the SMS Provider is installed on the site server, Configuration Manager 2007 attempts to add the user or group to the SMS Admins group. However, if you assign rights to a local group, Configuration Manager 2007 cannot add a local group to the local group SMS Admins and you get an error message. If you create your own local group or domain local group to provide access to the Configuration Manager 2007 console, you must also assign that local or domain local group the same WMI permission as the SMS Admins group.
If you assign Configuration Manager 2007 Object permissions using the Clone ConfigMgr User Wizard, Configuration Manager 2007 does not automatically add the cloned user to the SMS Admins group. If you change the class and instance rights directly on an object in the Configuration Manager 2007 console, Configuration Manager 2007 does not automatically add the user to the SMS Admins group.
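One way to check the requirement above that a custom local or domain local group carries the same WMI permission as SMS Admins on Root\SMS. This is an added example, not Microsoft's code: it assumes Windows PowerShell 3.0 or later and a WMI version that exposes `__SystemSecurity.GetSecurityDescriptor`, and the group name `CM Console Users` and the sample DACL are constructed for illustration.

```powershell
# WMI namespace access-mask bits, named as in the WMI Control snap-in.
$WmiRights = [ordered]@{
    'Enable Account' = 0x1;     'Execute Methods' = 0x2;  'Full Write'    = 0x4
    'Partial Write'  = 0x8;     'Provider Write'  = 0x10; 'Remote Enable' = 0x20
    'Read Security'  = 0x20000; 'Edit Security'   = 0x40000
}

function Get-NamespaceAce {
    # Reads the namespace DACL through __SystemSecurity.GetSecurityDescriptor.
    param([string]$ComputerName = '.', [string]$Namespace = 'root\sms')
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
            -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($r.ReturnValue)" }
    foreach ($ace in $r.Descriptor.DACL) {
        [pscustomobject]@{ Name = $ace.Trustee.Name; AceType = $ace.AceType; AccessMask = $ace.AccessMask }
    }
}

function Get-AllowMask {
    # ORs together every Allow ACE (AceType 0) held by the named trustee.
    param($Aces, [string]$Name)
    $mask = 0
    foreach ($a in $Aces) {
        if ($a.Name -eq $Name -and $a.AceType -eq 0) { $mask = $mask -bor $a.AccessMask }
    }
    $mask
}

function Get-MissingSmsAdminsRight {
    # Names the rights SMS Admins holds on the namespace that $GroupName lacks.
    param($Aces, [string]$GroupName)
    $ref = Get-AllowMask $Aces 'SMS Admins'
    if ($ref -eq 0) { throw 'No Allow ACE for SMS Admins found on the namespace' }
    $gap = $ref -band (-bnot (Get-AllowMask $Aces $GroupName))
    @($WmiRights.Keys | Where-Object { $gap -band $WmiRights[$_] })
}

# Constructed sample DACL (not from a real site): SMS Admins has the two rights
# the page names; the hypothetical group 'CM Console Users' has only one of them.
$sample = @(
    [pscustomobject]@{ Name = 'SMS Admins';       AceType = 0; AccessMask = 0x21 }
    [pscustomobject]@{ Name = 'CM Console Users'; AceType = 0; AccessMask = 0x01 }
)
Get-MissingSmsAdminsRight -Aces $sample -GroupName 'CM Console Users'
# On the SMS Provider computer: Get-MissingSmsAdminsRight -Aces (Get-NamespaceAce) -GroupName '<group>'
```

The comparison matches ACEs by trustee name only; it does not resolve nested group membership or rights a user receives through the Everyone entry.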