What is the difference between the SMS admin security group and the SCCM built-in security roles?

I have installed SCCM 2012 SP2. An SMS admin security group was created on the SCCM server under Local Users and Groups > Groups. Is this expected behaviour? Second question: what is the difference between the SMS admin security group and the SCCM built-in security roles?

July 17th, 2015 3:31am

It provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying SMS security objects and data in the SMS Administrator console, or in other similar tools.

The group is created on the site server and on the computer running the SMS Provider. If SMS and SQL Server are on the same computer, that computer runs the SMS Provider and the group is created on that computer. If SQL Server is on a remote computer, the SMS Provider location was determined during installation. If the provider was installed on the remote computer running SQL Server, an additional SMS Administrators group is created there.

If the SMS Provider computer is a member server, SMS Admins is a local group. If the SMS Provider computer is a domain controller, SMS Admins is a domain local group.

Anyone who needs to access the SMS Administrator console, but does not need to be a member of the local Administrators group on the SMS provider computer.

When granting rights to accounts, you can assign permissions to users, local groups, global groups, universal groups, and nested global groups. However, all accounts that have SMS object security rights must also have access to the SMS WMI namespaces. If your users are members of global or universal groups, you can nest the global or universal group in the local SMS Administrators group.

Best Regards,

Udo

July 17th, 2015 5:34am
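As an added example (not part of the reply above and not Configuration Manager's own tooling), the following PowerShell function audits the membership of the local SMS Admins group described in the answer, separating nested groups from accounts added directly. It assumes a member-server SMS Provider computer running Windows PowerShell 5.1 or later; the function name and the report columns are hypothetical.

```powershell
# Added example: audit who reaches the SMS Provider through the local "SMS Admins" group.
# Run on the SMS Provider computer. The group name comes from the thread;
# the function name and output layout are this example's own.

function Get-SmsAdminsAudit {
    param(
        [string]$GroupName = 'SMS Admins'
    )

    # Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts) only reads local groups.
    # On a domain controller the group is domain local, so this call fails there
    # and the warning below is emitted instead of a report.
    try {
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$GroupName' on ${env:COMPUTERNAME}: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        # Classify each member by how it received SMS Provider (WMI) access.
        $finding = if ($m.ObjectClass -eq 'Group') {
            'Nested group: effective access is decided by its own membership'
        } elseif ($m.PrincipalSource -eq 'Local') {
            'Local account added directly'
        } else {
            'Directory user added directly rather than through a nested group'
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            SID         = $m.SID.Value
            Finding     = $finding
        }
    }
}

# Print the report for the local computer.
Get-SmsAdminsAudit | Sort-Object ObjectClass, Member | Format-Table -AutoSize -Wrap
```

When the SMS Provider was installed on a remote SQL Server computer, run the function there as well, since the answer notes that an additional group exists on that machine.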

@Jumpnav - https://social.technet.microsoft.com/Forums/en-US/02156a1e-4efe-4934-be99-1a6b629db14b/sccm-built-in-security-groups?forum=configmanagergeneral#02156a1e-4efe-4934-be99-1a6b629db14b

July 17th, 2015 5:36am


This topic is archived. No further replies will be accepted.
