Monday, August 29, 2005

Windows 2003 SP1 Impacts on SMS 2003 SP1

Because of the changes that Service Pack 1 makes to Windows 2003, several adjustments were necessary to allow SMS 2003 Service Pack 1 to operate normally. These changes all relate to DCOM configuration, but they are broken up into two categories: those that would not need to be repeated if a site reset was done, and those that would.

Security changes only on server installation
The following changes on the SMS Primary site server will not need to be repeated if a site reset is done.

Add all SMS AD groups to Distributed COM Users
To allow non-administrators to connect to the SMS provider with a remote SMS console, the AD groups that contain SMS administrators must be added to the Distributed COM Users Local Group on the SMS Primary Site server.

Security changes required to be repeated on Site Reset
The following changes will need to be performed every time a site reset is done.

Modify DCOM permissions on SMS_REPORTING_POINT
To allow non-administrative users to access the reporting point, the Local Launch and Local Activation permissions must be granted to the Local SMS Reporting Group. If this change is not made, users will receive an Access Denied message when attempting to access a report, regardless of their SMS Reporting object permissions.

To make this change, open Dcomcnfg on the primary site server and navigate to Component Services, Computers, My Computer, DCOM Config. Right-click SMS_REPORTING_POINT and choose Properties, click the Security tab, and select Customize in the Launch and Activation Permission section. Select the Edit button and add the local group SMS Reporting Point Users with Local Launch and Local Activate permissions.

Modify DCOM permissions on SMS_SERVER_LOCATOR_POINT
To allow clients to access the Server Locator Point (SLP), the Local Launch and Local Activation permissions must be granted to the Internet Guest Account. To tell whether this change has been made, test the SLP by opening a browser to http://SITESERVERNAME/sms_slp. If the page displays the message “Could Not Initialize”, then the change has not been made or there is some other problem with the SLP. If the page displays the message “Bad Query String!”, then the SLP is working properly.

To make this change, open Dcomcnfg on the primary site server and navigate to Component Services, Computers, My Computer, DCOM Config. Right-click SMS_SERVER_LOCATOR_POINT and choose Properties, click the Security tab, and select Customize in the Launch and Activation Permission section. Select the Edit button and add IUSR_SERVERNAME with Local Launch and Local Activate permissions.
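
Because this permission has to be reapplied after every site reset, the browser test above can be scripted and run after each reset. The following is an added example, not part of the original post; the function names are hypothetical and SITESERVERNAME is the post's placeholder for the primary site server.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# SITESERVERNAME is the post's placeholder for the primary site server.

function Get-SlpState {
    # Classify the SLP page body using the two messages the post describes.
    param([string]$Body)
    if ($Body -match 'Bad Query String')     { return 'Working' }
    # DCOM change missing, or some other SLP problem (the post does not distinguish).
    if ($Body -match 'Could Not Initialize') { return 'NotInitialized' }
    return 'Unknown'
}

function Get-SlpPageText {
    # Fetch the page and keep the body even when IIS answers with an error
    # status, since the message text is what the check relies on.
    param([string]$Uri)
    $client = New-Object System.Net.WebClient
    try {
        return $client.DownloadString($Uri)
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {
            $reader = New-Object System.IO.StreamReader($ex.Response.GetResponseStream())
            try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
        }
        throw   # no HTTP response at all (name resolution, connection refused, ...)
    } finally {
        $client.Dispose()
    }
}

function Test-SlpAfterSiteReset {
    param([Parameter(Mandatory)][string]$SiteServer)
    $uri   = "http://$SiteServer/sms_slp"
    $state = Get-SlpState -Body (Get-SlpPageText -Uri $uri)
    [pscustomobject]@{ Uri = $uri; State = $state; Checked = Get-Date }
}

# Run after each site reset:
# Test-SlpAfterSiteReset -SiteServer 'SITESERVERNAME'
```

A State of NotInitialized after a site reset is the cue to re-check the Launch and Activation permissions on SMS_SERVER_LOCATOR_POINT; Unknown means the page returned neither message and needs a manual look.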
