I've read that some engineers have had a hard time setting this up so that a global group can be used rather than specifying the Site server's computer account(s).
Microsoft has a very good white paper on this procedure:
Active Directory Schema Modification and Publishing for Systems Management Server 2003
However, I wanted to complicate things by:
Here is how I achieved this:
Prereqs:
Observe the SITECOMP.LOG (with TRACE32 preferably) on the Site server performing the publishing, for the System Management container and Site server object creation.

1. Bring up ADSIEDIT.msc
2. Right click the System container (CN=System) and Select Properties
3. Select the Security Tab
4. Select Add
5. Enter the control group and Select OK
6. Select the control group and Select Advanced
7. Select the control group from the list and Select Edit
   Default settings being enforced are:
   - List Contents
   - Read All Properties
   - Read Permissions
8. Tick "Create Container Objects" and Select OK
   There should now be two ACE entries in the ACL for the control group
9. Select OK twice
10. Restart the SMS Executive and observe the SITECOMP.LOG for the creation of the System Management container

The SMS Executive will display an Error 5 (Access denied) after attempting to create the Site object in the newly created System Management container. This is expected.

11. Right click the System Management container (CN=System Management)
12. Select the Security Tab
13. Select Advanced
14. Untick "Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here"
15. Select Copy
16. At this point you could remove erroneous entries from the ACL
    This really does depend on the policies laid out by your organisation. Alternatively, retain the defaults.
17. Select Add
18. Enter the control group and Select OK
19. The Permission Entry dialog will appear for the System Management container. Tick the following permissions:
    - List Contents
    - Read All Properties
    - Write All Properties
    - Delete
    - Read Permissions
    - Modify Permissions
    - Modify Owner
    - All Validated Writes
    - Create mSSMSSite Objects
    - Delete mSSMSSite Objects
    - Create mSSMSManagementPoint Object
    - Delete mSSMSManagementPoint Object
    - Create mSSMSRoamingBoundaryRange Object
    - Delete mSSMSRoamingBoundaryRange Object
    - Create mSSMSServerLocaterPoint Object
    - Delete mSSMSServerLocaterPoint Object
20. Select "This object and all child objects" from the Apply onto drop down list
21. Select OK twice
22. At the Permission warning dialog, Select Yes
23. Select OK
24. Right click the System container (CN=System) and Select Properties
25. Select the Security tab and Remove the control group ACE entry
26. Select OK
27. Reboot the Site server to collect the updated computer account token
The SMS-Site-<SITECODE> object will now have been created
Observe the SITECOMP.LOG for the creation of the Site server object
This completes the task
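
To confirm the ACLs ended up as the steps intend (temporary ACE removed from CN=System, inheritance blocked on System Management, control group ACE applying to child objects), the following PowerShell audit is an added example and not part of the original post. It assumes the RSAT ActiveDirectory module is available; the domain DN and group name are placeholders.

```powershell
# Added example: audits the end state of the procedure above.
# Requires the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Placeholders (assumptions): substitute your domain DN and control group.
$DomainDN     = 'DC=example,DC=com'
$ControlGroup = 'EXAMPLE\SMS-Site-Servers'

$systemDN = "CN=System,$DomainDN"
$smDN     = "CN=System Management,$systemDN"

function Get-ExplicitAce {
    # Non-inherited ACEs for one trustee on one directory object.
    param([string]$DN, [string]$Trustee)
    (Get-Acl -Path "AD:\$DN").Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee
    }
}

$findings = @()

# Step 25: the temporary ACEs on CN=System must have been removed.
if (Get-ExplicitAce -DN $systemDN -Trustee $ControlGroup) {
    $findings += "Control group still has an explicit ACE on $systemDN"
}

# Step 14: inheritance from CN=System should be blocked on the container.
$smAcl = Get-Acl -Path "AD:\$smDN"
if (-not $smAcl.AreAccessRulesProtected) {
    $findings += "$smDN still inherits permissions from its parent"
}

# Steps 19-20: the group's ACE must apply to this object and all child objects.
$groupAces = @(Get-ExplicitAce -DN $smDN -Trustee $ControlGroup)
if (-not ($groupAces | Where-Object { $_.InheritanceType -eq 'All' })) {
    $findings += "No control-group ACE on $smDN applies to child objects"
}

# Step 16: list every other trustee holding write-type rights, for review.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild|DeleteChild'
$smAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -ne $ControlGroup -and
                   "$($_.ActiveDirectoryRights)" -match $writeRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'ACL state matches the procedure.' }
```

The trustee list printed for step 16 is for manual review against your organisation's policy; the script only warns on the three conditions the procedure itself defines.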