Hello,
We manage a CAS and 4 Primary Sites. We want to restrict administrators from using the console to connect to the Primary sites and only connect to the CAS for administration.
Is this possible?
Thanks in a
To keep the workload on our primaries down to a minimum and in the event we have to reboot a box, know if all or only a few SCCM admins may need to restart the console. Also for picky/cosmetic reasons, to keep the prefixes of all our collection IDs and package IDs the same.
Hi Mike,
Define administrators. Do you mean ConfigMgr administrators, local administrators, etc?
Typically, to accomplish something like this, you'd need to have a terminal server with the ConfigMgr console installed on it and allow remote access to all users/groups who would need to connect to ConfigMgr, also ensuring they are in the SMS Admins group on the CAS site server (or local administrators group). To restrict them from accessing the primary sites via the console, you would remove those users/groups from the SMS Admins group on the primary site servers. This will effectively remove their DCOM permissions and they will not be able to connect to the SMS Provider on the primary site servers via the console. However, if those users/groups are part of the local administrators group on the primary site servers, this will have no effect as local admins have DCOM permissions.
http://technet.microsoft.com/en-us/library/hh427336.aspx#BKMK_ConfigDCOMforRemoteConsole
-Matt
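The caveat in the reply above (local Administrators membership keeps DCOM access even after removal from SMS Admins) can be checked per primary site server. This is an added example, not part of the original thread; the server names, the CONTOSO accounts and the function name `Get-ConsoleAccessFinding` are constructed for illustration.

```powershell
# Added example. Reports which principals that should be CAS-only can still
# reach the SMS Provider on a primary, and through which local group.
function Get-ConsoleAccessFinding {
    param(
        [Parameter(Mandatory)] [string[]]  $RestrictedPrincipal,  # should use the CAS only
        [Parameter(Mandatory)] [hashtable] $GroupMembers          # group name -> member names
    )
    foreach ($principal in $RestrictedPrincipal) {
        # -contains is case-insensitive, which matches Windows account names
        $inSmsAdmins   = @($GroupMembers['SMS Admins'])     -contains $principal
        $inLocalAdmins = @($GroupMembers['Administrators']) -contains $principal
        $reason = if ($inLocalAdmins) {
            'In local Administrators: removing from SMS Admins alone has no effect'
        } elseif ($inSmsAdmins) {
            'In SMS Admins: remove to block console connections'
        } else {
            'No direct membership found'
        }
        [pscustomobject]@{
            Principal  = $principal
            CanConnect = ($inSmsAdmins -or $inLocalAdmins)
            Reason     = $reason
        }
    }
}

# Constructed sample data standing in for two primary site servers.
# Live equivalent, run on or remoted to each server (direct members only;
# members of nested domain groups must be expanded separately):
#   (Get-LocalGroupMember -Group 'SMS Admins').Name
#   (Get-LocalGroupMember -Group 'Administrators').Name
$sample = @{
    'PRI01' = @{
        'SMS Admins'     = @('CONTOSO\SCCM-Operators')
        'Administrators' = @('CONTOSO\Domain Admins', 'CONTOSO\SCCM-Engineers')
    }
    'PRI02' = @{
        'SMS Admins'     = @()
        'Administrators' = @('CONTOSO\Domain Admins')
    }
}
$restricted = @('CONTOSO\SCCM-Operators', 'CONTOSO\SCCM-Engineers')

foreach ($server in ($sample.Keys | Sort-Object)) {
    Get-ConsoleAccessFinding -RestrictedPrincipal $restricted -GroupMembers $sample[$server] |
        Select-Object @{ Name = 'Server'; Expression = { $server } }, Principal, CanConnect, Reason
}
```

With the sample data, PRI01 flags both groups (one through SMS Admins, one through local Administrators) and PRI02 flags neither.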