Windows 2003 SP1 Impacts on SMS 2003 SP1

Because of the changes that Service Pack 1 makes to Windows 2003, several adjustments were necessary to allow SMS 2003 Service Pack 1 to operate normally. These changes are all related to DCOM configuration, but they fall into two categories: those that do not need to be repeated if a site reset is done, and those that do.

Security changes only on server installation
The following changes on the SMS Primary site server will not need to be repeated if a site reset is done.

Add all SMS AD groups to Distributed COM Users
To allow non-administrators to connect to the SMS provider with a remote SMS console, the AD groups that contain SMS administrators must be added to the Distributed COM Users local group on the SMS primary site server.

Security changes required to be repeated on Site Reset
The following changes will need to be performed every time a site reset is done.

Modify DCOM permissions on SMS_REPORTING_POINT
To allow non-administrative users to access the reporting point, the Local Launch and Local Activation permissions must be granted to the Local SMS Reporting Group. If this change is not made, users will receive an Access Denied message when attempting to access a report, regardless of their SMS Reporting object permissions.

To make this change, open Dcomcnfg on the primary site server and navigate to Component Services, Computers, My Computer, DCOM Config. Right-click SMS_REPORTING_POINT and choose Properties, click the Security tab, and select Customize in the Launch and Activation Permission section. Select the Edit button and add the local group SMS Reporting Point Users with Local Launch and Local Activation permissions.

Modify DCOM permissions on SMS_SERVER_LOCATOR_POINT
To allow clients to access the Server Locator Point (SLP), the Local Launch and Local Activation permissions must be granted to the Internet Guest Account. To tell whether this change has been made, test the SLP by opening a browser to http://SITESERVERNAME/sms_slp. If the page displays the message “Could Not Initialize”, then the change has not been made or there is some other problem with the SLP. If the page displays the message “Bad Query String!”, then the SLP is working properly.

To make this change, open Dcomcnfg on the primary site server and navigate to Component Services, Computers, My Computer, DCOM Config. Right-click SMS_SERVER_LOCATOR_POINT and choose Properties, click the Security tab, and select Customize in the Launch and Activation Permission section. Select the Edit button and add IUSR_SERVERNAME with Local Launch and Local Activation permissions.
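Because both DCOM changes have to be redone after every site reset, a read-only check run on the primary site server can confirm they are still in place. The script below is an added example, not part of the original post; it assumes PowerShell is available on the server, that each application's AppID key under HKEY_CLASSES_ROOT carries the name shown in Dcomcnfg as its default value, and that the permission is granted by an explicit allow entry for the named account (the function name is hypothetical).

```powershell
# Added example: report whether an account holds Local Launch and
# Local Activation on a DCOM application. It only reads the registry.
$LOCAL_LAUNCH     = 0x2   # COM_RIGHTS_EXECUTE_LOCAL
$LOCAL_ACTIVATION = 0x8   # COM_RIGHTS_ACTIVATE_LOCAL

function Test-DcomLocalLaunch {
    param([string]$AppName, [string]$Account)

    # Resolve the account or group name to a SID for comparison with the ACL.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Assumption: the default value of HKCR\AppID\{GUID} is the name Dcomcnfg lists.
    $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('AppID')
    $appKey = $null
    foreach ($name in $root.GetSubKeyNames()) {
        $k = $root.OpenSubKey($name)
        if ($k -ne $null -and $k.GetValue('') -eq $AppName) { $appKey = $k; break }
    }
    if ($appKey -eq $null) { return "$AppName : AppID not found" }

    # LaunchPermission holds the customized ACL as a binary security descriptor.
    # If it is absent, no customization is stored for this application.
    $raw = $appKey.GetValue('LaunchPermission')
    if ($raw -eq $null) { return "$AppName : no custom ACL (machine defaults apply)" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only explicit allow entries for this SID count; nested group
        # membership is not expanded.
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $sid.Value) {
            $granted = $granted -bor $ace.AccessMask
        }
    }
    $need = $LOCAL_LAUNCH -bor $LOCAL_ACTIVATION
    if (($granted -band $need) -eq $need) { "$AppName : OK for $Account" }
    else { "$AppName : MISSING Local Launch/Activation for $Account" }
}

# Application and account names as given in the post.
Test-DcomLocalLaunch 'SMS_REPORTING_POINT' 'SMS Reporting Point Users'
Test-DcomLocalLaunch 'SMS_SERVER_LOCATOR_POINT' "IUSR_$env:COMPUTERNAME"
```

A MISSING result after a site reset means the Dcomcnfg steps above need to be repeated for that application.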

3 Responses

  1. Hi Tim, thanks for this post. You have been very helpful. Regards.

  2. Hi Tim:

    Thanks a million for the post. It helped resolve a client installation issue (capinst.exe) for me. I rolled out a primary SMS 2003 server on a W2003 server, the difference, my production server has SP1 installed, so different security settings for DCOM. The info in your blog resolved my issue.

    Regards

    Spanniker

  3. Hi Tim,
    Man, you are the best. Thanks a million times for this post on SMS 2003 server. I could now see my regional sites PCs as SMS clients. Now I can use our SMS server 2003 to shoot packages to all sites.
    Thanks and keep the good works up.

    Best Regards,
    Abassydo
