Only allow console to connect to the CAS, disallow the console to connect to Primary

Hello,

We manage a CAS and 4 Primary Sites.  We want to restrict administrators from using the console to connect to the Primary sites and only connect to the CAS for administration.

Is this possible?

Thanks in a

April 7th, 2014 10:38am

It basically does not matter where the console is connected to (although all administration should be done on the CAS). What's wrong if someone connects to a primary?
April 7th, 2014 2:22pm

To keep the workload on our primaries down to a minimum and, in the event we have to reboot a box, to know if all or only a few SCCM admins may need to restart the console.  Also for picky/cosmetic reasons, to keep the prefixes of all our collection IDs and package IDs the same.

April 7th, 2014 3:06pm

Hi Mike,

Define administrators.  Do you mean ConfigMgr administrators, local administrators, etc?

Typically, to accomplish something like this, you'd need to have a terminal server with the ConfigMgr console installed on it and allow remote access to all users/groups who would need to connect to ConfigMgr, also ensuring they are in the SMS Admins group on the CAS site server (or local administrators group).  To restrict them from accessing the primary sites via the console, you would remove those users/groups from the SMS Admins group on the primary site servers.  This will effectively remove their DCOM permissions and they will not be able to connect to the SMS Provider on the primary site servers via the console.  However, if those users/groups are part of the local administrators group on the primary site servers, this will have no effect as local admins have DCOM permissions.

http://technet.microsoft.com/en-us/library/hh427336.aspx#BKMK_ConfigDCOMforRemoteConsole

-Matt

April 7th, 2014 4:54pm
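As an added audit example (not from this thread and not a Microsoft script), the PowerShell below checks the two conditions in Matt's answer on every site server: whether the console admins' group is in the local "SMS Admins" group, and whether it is also in the local Administrators group, which would keep its DCOM access to the SMS Provider no matter what you remove from SMS Admins. The server names and the AD group name are placeholders; it assumes the WinNT ADSI provider can read local group membership on each server with the account you run it as.

```powershell
# Added audit example: report console access per ConfigMgr site server.
# Placeholders: replace the server names and the AD group below with your own.
$cas           = 'CAS01'                              # placeholder CAS site server
$primaries     = 'PRI01','PRI02','PRI03','PRI04'      # placeholder primary site servers
$consoleAdmins = 'CONTOSO\SCCM Console Admins'        # placeholder AD group given console access

function Get-LocalGroupMembersViaAdsi {
    param([string]$Server, [string]$Group)
    # WinNT provider works on any PowerShell version; direct members only, nesting is not expanded.
    $grp = [ADSI]"WinNT://$Server/$Group,group"
    @($grp.Invoke('Members')) | ForEach-Object {
        # Each member's ADsPath looks like WinNT://DOMAIN/Name; normalise to DOMAIN\Name.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-SiteServerConsoleAccess {
    param([string]$Server, [string]$Principal, [bool]$ShouldHaveAccess)
    $smsAdmins   = Get-LocalGroupMembersViaAdsi -Server $Server -Group 'SMS Admins'
    $localAdmins = Get-LocalGroupMembersViaAdsi -Server $Server -Group 'Administrators'
    $inSms   = $smsAdmins   -contains $Principal   # -contains is case-insensitive for strings
    $inLocal = $localAdmins -contains $Principal
    [pscustomobject]@{
        Server          = $Server
        InSmsAdmins     = $inSms
        InLocalAdmins   = $inLocal
        # Local admins keep DCOM rights, so either membership grants console access.
        EffectiveAccess = ($inSms -or $inLocal)
        Expected        = $ShouldHaveAccess
        Compliant       = (($inSms -or $inLocal) -eq $ShouldHaveAccess)
    }
}

# Expected state for this thread: access on the CAS, no access on any primary.
$results = @(Test-SiteServerConsoleAccess -Server $cas -Principal $consoleAdmins -ShouldHaveAccess $true)
foreach ($p in $primaries) {
    $results += Test-SiteServerConsoleAccess -Server $p -Principal $consoleAdmins -ShouldHaveAccess $false
}
$results | Format-Table -AutoSize
```

Any row with Compliant set to False on a primary means that group still reaches the SMS Provider there; if InLocalAdmins is True, removing it from SMS Admins alone will not close that path.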

  • Marked as answer by MikeV-814 23 hours 17 minutes ago
April 7th, 2014 11:50pm

Thank you for your help.  I tested this in our test environment and it worked as expected.  Our SCCM Administrators (our customers) are not local administrators on the boxes.
April 9th, 2014 8:05am
