Systems management products often require you to be an administrator on several machines. SMS 2003 and SCCM 2007 are no different in this respect. Microsoft's systems management product requires administrative privileges on the servers to roll them out as site systems, and on the clients (depending on your client installation method) to push the client out successfully.
Combined with the security best practice of "least privilege", this means creating a group that lets you reach this permission level easily without having to be a domain administrator. You could create a restricted group in group policy for the Administrators group and add the members you want to it, but this overwrites all current memberships of the Administrators group with the members you configured in the GPO. That might be fine on your site servers, where you probably know exactly what needs to be in there, but in large environments and on your desktop machines it quickly becomes cumbersome.
Microsoft has updated the restricted groups behaviour in Windows 2000 SP4, and has issued a fix for Windows XP SP1, to make the "Member Of" portion of restricted groups more usable. This allows you to create a GPO for a group and add that group to the local Administrators group of any machine applying the GPO. It may not be entirely SMS or SCCM related, but it is one of those things I do often during my initial installation steps at customer sites, so I think it is a worthwhile topic for a first blog entry.
1) Create 2 groups (I usually use gg_desktopadmins and gg_serveradmins).
2) Create 2 GPOs (one to add members on the desktops/laptops and one for the servers; apply the GPOs to the relevant OUs later).
3) Edit the desktop admins GPO.
4) Right-click Computer Configuration\Windows Settings\Security Settings\Restricted Groups and select Add Group.
5) Browse for your newly created group, and click OK a few times.
6) Double-click the group in the details pane.
7) In the "This group is a member of" section of the dialog box that opens, type administrators in the box and press OK a couple of times again.
8) Apply the GPO to a test OU.
9) Log on to a machine that is a member of the test OU.
10) Open a command prompt, type net localgroup administrators and review the Administrators group membership.
11) Run gpupdate /force (if it is an XP or 2003 machine, or the secedit command if it is an old 2000 machine).
12) Run net localgroup administrators again; if all is well you should see that your new group has become a member of the Administrators group, leaving the old memberships intact.
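As an added example (not code from the original post), here is a PowerShell check for steps 10 to 12: it parses the output of net localgroup administrators taken before and after gpupdate and confirms the new group was added without dropping any existing member, which is exactly the difference between the Member Of and Members settings. The CONTOSO domain and the snapshots are constructed; the gg_desktopadmins name comes from step 1.

```powershell
# Added verification helper, not code from the original post. Assumes the
# English output format of `net localgroup`; CONTOSO is a placeholder domain
# and both snapshots below are constructed, not captured from a real machine.

# Parse the member list out of `net localgroup <group>` output: members are
# the lines between the dashed separator and the "command completed" line.
function Get-LocalGroupMembersFromNetOutput {
    param([string[]]$Lines)
    $members = @()
    $inList = $false
    foreach ($line in $Lines) {
        if ($line.Trim() -match '^-{5,}$') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

# Compare the step 10 snapshot with the step 12 snapshot: the Member Of
# setting must add the group and must not remove anything that was there.
function Test-MemberOfApplied {
    param([string[]]$Before, [string[]]$After, [string]$ExpectedGroup)
    $removed = @($Before | Where-Object { $After -notcontains $_ })
    return [pscustomobject]@{
        GroupAdded     = ($After -contains $ExpectedGroup)
        PreservedAll   = ($removed.Count -eq 0)
        RemovedMembers = $removed
    }
}

# Constructed sample output for step 10 (before gpupdate /force).
$before = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\Domain Admins
CONTOSO\helpdesk
The command completed successfully.
'@ -split "`r?`n"

# Constructed sample output for step 12: the same members plus the new group.
# Had the GPO used Members instead of Member Of, helpdesk would be gone.
$after = $before[0..8] + 'CONTOSO\gg_desktopadmins' + $before[9]

$beforeMembers = Get-LocalGroupMembersFromNetOutput $before
$afterMembers  = Get-LocalGroupMembersFromNetOutput $after
Test-MemberOfApplied -Before $beforeMembers -After $afterMembers -ExpectedGroup 'CONTOSO\gg_desktopadmins'
```

On a live machine, replace the two constructed snapshots with `$before = net localgroup administrators`, run gpupdate /force, then capture `$after` the same way; PreservedAll should be True and RemovedMembers empty.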
More information can be found here: http://support.microsoft.com/kb/810076
Note that if you mix restricted groups using the Members property with ones using the Member Of property, the results are unpredictable, since there is no way of knowing which section will get processed first.
"Everyone is an expert at something"
Kim Oppalfens – SMS Expert for lack of any other expertise
Windows Server System MVP – SMS