
Search Sccm 2007 docs using a Custom Internet Explorer 7 search provider

8:45 am in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Following the instructions on how to better search the Configmgr 2007 documentation library, as described over at the Sms writers blog, I created a search provider for my personal favorite search engine.

Add Live Search Sccm 2007 docs search provider


Oh, for those of you that haven’t adapted to this new great search engine just yet, I created one for this other old, small scale search engine as well.

Add Google SCCM 2007 docs search provider


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Customize SCCM 2007 Admin console

8:29 pm in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,

Let’s have a show of hands: how many of you like/love the new Configmgr 2007 aka SCCM 2007 admin console? You can lower your hands again now. I can only assume that a lot of you waved enthusiastically, because the new console is a wonderful thing.


Let’s have a quick overview of the new things I really like about the new console:

  • Search folders; Search folders are a great way to organize different objects (Packages, Advertisements, Update repository, boot Images, Computer associations, Os images, Os install packages, Task sequences, drivers, driver packages, Software Metering, Reports, Configuration Baselines, Configuration Items, Queries, Mobile Device mgmt\Configuration packages). This is going to make life a lot easier for people that try and keep their admin console organized.
  • Search bar; if you're one of those people who does not really believe in keeping things organized but would rather search through a pile of objects, then you can do that too.
  • Sort actually works reliably; you can now sort on any field in the console, and it will really sort it :-)
  • Drag & Drop; To help you in keeping things organized you can now drag & drop your items in the relevant folder, which beats the old Move folder items wizard, that I never found to be very intuitive.
  • Folders replicate down; Folders are replicated down the hierarchy, so if you do organize your items, they will still be in the same folders.
  • Homepages; Homepages give you a quick overview of the status of a certain feature if you select the root hive of that feature.
  • The direct membership wizard in collections finally defaults to system resources.

Now, one thing I don’t like about the new console is that most of the wizards now come with a welcome page, and there is no button to disable this. I am all in favor of some decent hospitality, but I don’t need to be welcomed over and over again. One of the most important features of the Sccm 2007 admin console, though, is the fact that it is fully customizable and extendable. The Configmgr 2007 SDK, which is currently in beta, has some great info on how to extend the Admin console with new functionality.


The console is also customizable because it stores a lot of its configuration in XML files. I took advantage of this fact: I gathered all XML files that had the word wizard in their filename, searched through those to find the wizards that had a Welcome page, then opened them one by one and deleted the Welcome page from each wizard's XML file. The files that I adjusted are:



The files were then copied in the C:\Program Files\Microsoft Configuration Manager\AdminUI\XmlStorage\Forms folder. Make sure you close the SCCM 2007 console before you copy these files.


Warning – MAKE SURE YOU TAKE A BACKUP OF THE ORIGINAL XML FILES. The AUTHOR will not be held responsible for any issues that may occur as a result of using these steps to modify the Configmgr admin console!!!


Enjoy, and as usual you can find me in the Microsoft.public.sms.* newsgroups!


“Everyone is an expert at something”

Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Figuring out the collectionid for Linked collections in SMS 2003.

9:00 am in ConfigMgr 2007, SCCM 2007, SMS, Sms 2003 by The WMI guy

This week someone in the newsgroups asked a question about how to create a collection excluding members from another collection. The answer to that question is based on the knowledge that every collection you make in Sms or Configmgr 2007 aka Sccm creates its own WMI class. The class will be named sms_cm_res_coll_collectionid, where collectionid is the ID of that collection.

So the answer to the question becomes something like:

1) Create your collection

2) Add a query based membership rule to your collection

3) Edit the query statement of the collection

4) On the criteria tab add a criteria

5) For the attribute class select System Resource, and use Resource Id for the attribute

6) For the criteria type use subselect

7) For the operator select “Not In”

8) In the query box type select resourceid from sms_cm_res_coll_collectionid.

EDIT: Janne Mansnerus kindly pointed out that this didn’t work; the original post specified the query as sms_cm_ress_coll_collectionid. In reality the class is called sms_cm_res_coll_collectionid. So res with a single s instead of ress.


This all works fine, with one difficulty to overcome: you need to figure out the collection ID, and that is not as easy as it could be, especially if you need the collection ID of a linked collection. That’s why I created a prompted query to easily find the collection ID based on the collection name. Here is how you create the query.

1) Go to queries

2) Right-click and select new query

3) Make sure you specify <unspecified> in the Object type dialog.

4) Press the Edit Query button

5) Paste the following query in the Query statement box that opens up:

select collectionid, name from sms_collection where name like ##PRM:SMS_collection.Name##

Note: You can use the _ and % wildcard signs when you input the collection name.

Note2: This query is no longer necessary once you migrate to SCCM 2007; the new admin UI in Configmgr 2007 shows the collection ID on the properties page of every collection. The flexible approach of using sms_cm_res_coll_collectionid for building collections is still very valid, though. This approach is usually used whenever someone is looking for the reverse of “collection limiting” collections.
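The whole procedure above, from the collection-ID lookup through to the “Not In” subselect rule, carried out from a script against the SMS Provider. This is an added example, not code from the original post; the site server name, site code and both collection names are placeholders, and SMS_CollectionRuleQuery with SMS_Collection.AddMembershipRule is the ConfigMgr 2007 SDK's documented way to add a query rule.

```powershell
# Added example (not from the original post): resolve a collection's CollectionID from its
# name and add the "Not In" subselect rule to an exclusion collection via the SMS Provider.
# Assumptions (all placeholders): site server SITESERVER, site code ABC, both collection names.
$server = 'SITESERVER'
$ns     = 'root\sms\site_ABC'
$excludeName = 'Workstations in maintenance'        # members of this collection are excluded
$targetName  = 'All Workstations minus maintenance' # collection that receives the rule

function Get-SingleCollection([string]$name) {
    # Exact-name lookup (the prompted query in the post uses LIKE, which can match several).
    # Double any single quote so the name cannot break out of the WQL filter string.
    $safe  = $name -replace "'", "''"
    $found = @(Get-WmiObject -ComputerName $server -Namespace $ns -Class SMS_Collection -Filter "Name = '$safe'")
    if ($found.Count -ne 1) { throw "Expected exactly one collection named '$name', found $($found.Count)" }
    return $found[0]
}

$excludeId = (Get-SingleCollection $excludeName).CollectionID

# sms_cm_res_coll_<collectionid> is the per-collection class described in the post (res, one s)
$wql = "select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, " +
       "SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client " +
       "from SMS_R_System where SMS_R_System.ResourceId not in " +
       "(select ResourceId from SMS_CM_RES_COLL_$excludeId)"

$target = Get-SingleCollection $targetName

# Build the query rule instance and attach it; RequestRefresh($false) re-evaluates
# membership now without touching subcollections.
$rule = ([wmiclass]"\\$server\${ns}:SMS_CollectionRuleQuery").CreateInstance()
$rule.RuleName        = "Exclude members of $excludeName ($excludeId)"
$rule.QueryExpression = $wql
$target.AddMembershipRule($rule) | Out-Null
$target.RequestRefresh($false)  | Out-Null
Write-Host "Rule added to '$targetName':`n$wql"
```

The account running the script needs the same rights on the collections that the console would require for editing membership rules.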

Enjoy, and as usual you can find me in the Microsoft.public.sms.* newsgroups!

“Everyone is an expert at something”

Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS



Configmgr 2007 Rtm’s / Configmgr 2009 Wishlist

8:11 am in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,

UPDATED: Removed DP Decommission, this was apparently fixed from what I can see in my lab, great job.

As you probably have read on several blogs, Configmgr 2007 has RTM’ed in line with the always publicly announced Summer 2007 release date. So in contrast with most products nowadays that have slipping release dates, our Configmgr 2007 delivered right on time. Hey, they are even about a month early, well done.

Bill, I assume this means the team can go on vacation till the 20th of september, right?

You can read the official announcement here:

I’ll leave it up to someone else to post about the importance of Microsoft using a blog to get the word of this release out.

You can download the evaluation version here:, and in contrast with previous versions the evaluation version will be fully upgradeable to the full version. General availability is expected early november.

Now that we have this Configmgr 2007 thingy out of the way, it is time to compile our Configmgr 2009 aka SMSV5 wishlists. Since the product team is on vacation till the 20th of September we have about a month to get early feedback in. So I’ll get the ball rolling by publishing mine.


Site Infrastructure:

Multi-tenancy is on the top of my list here. The ability to host multiple customers on one single site. This requires a great deal of work, but would open up Configmgr 2007 to be used in a real hosting scenario. Stuff that probably needs to be taken care of, are “Site Wide Settings”. Easier way of limiting reports to certain collections. Easier way of handling security on sms objects, possibly by using folder security and inheritance.

A way to replicate between Configmgr Sites that does NOT require file sharing. Opening up the Firewall for filesharing usually creates big discussions with the security admins. Please give us an alternate way of connecting sites.

Admin UI:

Object backup & restore to aid in migrating.

Right-click option, to trigger client actions, central way to configure client settings (Client cache size is just one example).


Inventory network devices would be a welcome addition here.

An easier way to add additional information to the inventory of an existing device. EG: be able to add the warranty period by just adding it to resource explorer from within the Admin console.

Software distribution:

Staggering advertisements/ Trickle feed collections, whatever else you want to call this. It is a way to load balance software distributions in a less administration-intensive way.

Postpone software distribution end-user option. This should look much like the options we have in ITMUv3, where users can postpone the installation of updates.

Integrate with Vista’s Presentation settings to avoid pop-ups and reboots when users are giving presentations.


Some sort of discovery that can browse entire subnets to find devices without the device needing to have snmp enabled.

An easier way to add devices manually into the Configmgr database.


Allow Task sequences to run as the locally logged-in user. Task sequences are invaluable for a lot of things, one of them being the ability to control which applications get installed in which order. They only have one limitation: they can only run as localsystem, and this limitation has to go.


Windows Mobile 6.0 support needs to be added.


Either we change the acronym to be Desired Configuration Monitoring, or we start working on making this actually Desired Configuration Management. Additional template manifests to monitor SOx and other regulatory compliance would be HUGE.

Agree with other Microsoft teams on which SDM/SML version should be used to make sure that these “Manifests” can be used in Configmgr/Opsmgr/Service Manager without any modifications.


Reporting needs to go the SQL Reporting Services route, for consistency with other Microsoft Products and for the added flexibility that SQL Reporting Services brings.

Software Metering:

Complete license management, which means at least the possibility to add the number of licenses you bought to the Config Mgr 2007 database. A way to store the License Keys in a secure fashion would be nice as well.


That’s it for now :-)




“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Planning your CRL Distribution Point for Configmgr 2007 Native mode

1:25 pm in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,


Everyone that has ever done an SMS roll-out should know that planning is critical to the success of the project. Now, one planning part that might easily get overlooked is planning some portions of the PKI infrastructure. And an important part of planning your PKI for Configmgr 2007 is planning the location of your Certificate Revocation List Distribution Point.

Let me start by sketching the problem. Configmgr 2007 Native mode relies on certificates to do the client authentication. Certificate authentication is a very strong authentication method, but it comes with some things you should know about in order to use it properly. One of the things that works differently with certificate-based authentication is how you stop a certain account from being able to authenticate in the future. This might be necessary because you don’t want the certificate of an end-of-life machine to be mis-used for communication purposes, or because the certificate was compromised. When you use user accounts you can just disable the account and you're done. With certificates you need to revoke the certificate AND publish the certificate on the Certificate Revocation List.

If you use a default Windows 2003 PKI then the Certificate Revocation List is by default published in Active Directory and on the Certificate Authority website, which is accessible to all authenticated users (which includes computer accounts). Now, these defaults are fine for internal clients, but are not accessible in some instances. Internet-based clients, for instance, will not be able to access either of these CRL distribution points (CDPs). And they are not the only ones: clients in untrusted forests, workgroups, or even clients that boot from a Configmgr 2007 Boot Image will not be able to access these CDPs.

The reason why your CDPs need to be carefully planned is that the list of CDPs is actually part of the certificate. So once the certificate is rolled out, there is NO WAY to add another CDP to it in an easily automated way without redistributing all your certificates!!!

Clients that are not able to contact the CDP will fail to communicate if CRL checking is enabled, and will throw an error in the logs called



Now, there are 2 fixes for this:

1) Disable Certificate Revocation List checking. You can do this from within the Configmgr 2007 Console, on the Site Properties Site Mode tab, by clearing the Check Certificate Revocation List checkbox. (The checkbox is only visible if your site is in Native mode.) This obviously is the easiest fix, but it lowers your PKI client-certificate-based security to an unacceptable level in my humble opinion, and by consequence is only fit for lab and demonstration purposes.


2) Publish your CDP and make sure it is accessible to workgroup, internet-based, and untrusted-forest clients. This obviously is the proper way of handling this issue. Great, now how do we do that? Well, that could be food for another post. But since the folks over at already created an article about that, which continues into publishing the CDP with Isa Server 2004, I am not going to bother writing it up myself. I will just point you guys to this article
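A planning check for the problem sketched above, as an added example that is not code from the original post: it reads the CDP URLs baked into a client certificate and tests which of them this client can actually download, which is exactly what revocation checking will need to do. Run it on a workgroup, internet-based or untrusted-forest client; the thumbprint is a placeholder.

```powershell
# Added example (not from the original post): enumerate the CRL Distribution Points embedded
# in a client certificate and test whether this machine can fetch each CRL over HTTP.
# Assumption: the client certificate is identified by its thumbprint (placeholder below).
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as
# multi-line text containing one "URL=..." entry per distribution point.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw 'Certificate carries no CRL Distribution Points extension' }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # ldap:/// and file:// CDPs need domain access; Internet, workgroup and
        # untrusted-forest clients, and boot-image clients, will not reach them.
        Write-Host "$url : not HTTP, unusable for clients outside the forest"
        continue
    }
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($url)
        Write-Host "$url : reachable, CRL is $($bytes.Length) bytes"
    } catch {
        Write-Warning "$url : NOT reachable from this client ($($_.Exception.Message))"
    }
}
```

A certificate whose only CDPs come back as not HTTP or NOT reachable is one that will fail CRL checking from that client, so it is the certificate template, not the client, that needs fixing before roll-out.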




“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Adding a group to the local administrators group

3:24 pm in ConfigMgr 2007, SCCM 2007, SMS, Sms 2003 by The WMI guy

Systems management products often require you to be an administrator on several machines. Sms 2003 and SCCM 2007 are no different in this respect. Microsoft’s systems management product requires administrative privileges on the servers to roll them out as site systems, and on the clients (depending on your client installation method) to push out the client successfully.

Combined with the best practice security principle of “least privilege”, this means creating a group that allows you to easily achieve this permission level without having to be a domain administrator.  You could create a restricted group in group policies for the administrators group and add the members you want to it, but this overwrites all current memberships of the administrators group with the new members you have configured in the gpo. This might be fine on your site servers, where you might exactly know what needs to be in there. But in large environments and on your desktop machines this could become cumbersome.

Microsoft has updated the restricted group behaviour in Windows 2000 SP4, and has issued a fix for Windows XP SP1, to make the “Member of” portion of restricted groups more usable. This allows you to create a GPO for a group, and add that group to the local administrators of any machine applying the GPO. It may not be entirely SMS or SCCM related, but I find it is one of those things I do often during my initial installation steps at customer sites, so I think it is a worthwhile topic for a first blog entry.

Step-by-step guide

1) Create 2 groups (I usually use gg_desktopadmins and gg_serveradmins)

2) Create 2 GPOs (one to add members to the desktops/laptops and one for the servers; apply the GPOs to the relevant OUs later).

3) Edit the desktop admins gpo

4) Right-click computer configuration\windows settings\restricted groups and select add group

5) Browse for your newly created group, and click OK a few times.

6) Double click the group in the details pane

7) In the “Member of” section of the dialog box that opens, type administrators in the box and press OK a couple of times again.

8) apply the gpo to a test ou.

9) Log into a machine that is a member of the test ou

10) open a dos box and type net localgroup administrators and review the administrators group membership

11) Run gpupdate /force (if it is an XP or 2003 machine, or the secedit command if it is an old 2000 machine)

12) Run net localgroup administrators again and if all is well you should see your new group has become a member of the administrators group leaving the old memberships intact.

 More information can be found here:

Note that if you mix restricted groups using the Members property with restricted groups using the “Member of” property, the results are unpredictable, since there is no way of knowing which section will get processed first.
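An added check for steps 10 to 12 (example code, not from the original post): it snapshots local Administrators membership, runs gpupdate /force, and then reports both whether the new group arrived and whether any existing member disappeared, which is the symptom of a conflicting Members policy as in the note above. The domain group name is a placeholder.

```powershell
# Added example (not from the original post): verify that the "Member of" restricted-group
# policy added the domain group to local Administrators without wiping existing members.
# Assumption: run on a machine in the test OU; CONTOSO\gg_desktopadmins is a placeholder.
$expected = 'CONTOSO\gg_desktopadmins'

function Get-LocalAdminMembers {
    # WinNT provider lists members as COM objects; pull each AdsPath and
    # turn WinNT://CONTOSO/gg_desktopadmins into CONTOSO\gg_desktopadmins
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$before = @(Get-LocalAdminMembers)
gpupdate /force | Out-Null
$after  = @(Get-LocalAdminMembers)

# Members present before but gone now: expected to be empty with a pure "Member of" policy
$removed = $before | Where-Object { $after -notcontains $_ }
if ($removed) {
    Write-Warning "Members removed (look for a conflicting Members policy): $($removed -join ', ')"
}
if ($after -contains $expected) {
    Write-Host "OK: $expected is now a member of Administrators; existing members kept: $($before -join ', ')"
} else {
    Write-Warning "$expected not found in Administrators; check the GPO link, OU membership and gpresult"
}
```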


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS