Windows Networking Logon Client Installation requires domain administrator permissions to create logon points (816292)
The information in this article applies to:
- Microsoft Systems Management Server 2.0
SYMPTOMS
In Systems Management Server (SMS) 2.0 Service Pack 4 (SP4) and earlier, you must have domain administrator rights to enable Windows Networking Logon Client Installation and to create SMS logon points. With these permissions, you must maintain additional high-level accounts that might present security risks. However, after logon points are created, low-level domain user rights are sufficient to successfully access the logon point for inventory and package-status reporting.

CAUSE
In SMS 2.0 SP4 and earlier, when Windows Networking Logon Client Installation is enabled, Logon Server Manager (LSM) connects to the Admin$ share of a domain controller to create the logon point directory structure. Administrative credentials are required to connect to the Admin$ share of a computer.

RESOLUTION
With SMS 2.0 Service Pack 5 (SP5), you can enable a security mode where Windows Networking Logon Client Installation no longer requires domain administrator credentials to maintain Logon Points. If the security mode is enabled, LSM will make the connection to the IPC$ share of the domain controllers to maintain the SMSLogon directory structure. To enable the security mode, follow these steps:
- Apply SMS 2.0 Service Pack 5.0.
- Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\SMS_NT_LOGON_SERVER_MANAGER\Domains\domain\Security Mode Enabled
  Set this value to 1.
- Use administrative credentials to create the SMSLogon folder and share on each domain controller. Set the share comment to "SMS NT logon service."
- Set the following NTFS file system permissions on the SMSlogon folder:

| Account | F | M | RX | L | R | W | S |
|---|---|---|---|---|---|---|---|
| SMS Service or Site System Connection account | X | | | | | | |
| Users | | | X | X | X | | |

Note To simplify management of the NTFS permissions, create a domain group, grant permissions to this group, and then add SMS Service accounts or SMS Site System Connection accounts to the group.
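
The following PowerShell script is an added example, not part of the original article: it audits one domain controller against the share and NTFS steps above and reports where the SMSLogon folder deviates from the table, including any write-level right held by Users. The account name is a placeholder, the folder path is read from the share itself, and F and RX are taken to mean Full Control and Read & Execute.

```powershell
# Added example (not from the article). Run locally on a domain controller.
param(
    # Placeholder; substitute your SMS Service or Site System Connection account.
    [string]$SmsAccount = 'EXAMPLE\SMSService',
    [string]$UsersGroup = 'BUILTIN\Users'
)

$full     = [int][System.Security.AccessControl.FileSystemRights]'FullControl'
$readExec = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
# Rights that allow changing logon point content or its ACL,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits (0x40000000, 0x10000000).
$writeMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

# True when some Allow ACE for $Identity carries every bit in $Required.
function Test-Rights([object[]]$Aces, [string]$Identity, [int]$Required) {
    foreach ($ace in $Aces) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            (([int]$ace.FileSystemRights) -band $Required) -eq $Required) { return $true }
    }
    return $false
}

$findings = @()
$share = Get-WmiObject -Class Win32_Share -Filter "Name='SMSLogon'"
if (-not $share) {
    $findings += 'SMSLogon share not found'
} else {
    # Wildcard tolerates the comment being stored with or without the final period.
    if ($share.Description -notlike 'SMS NT logon service*') {
        $findings += "Share comment is '$($share.Description)'"
    }
    $allow = @((Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    if (-not (Test-Rights $allow $SmsAccount $full))     { $findings += "$SmsAccount lacks Full Control (F)" }
    if (-not (Test-Rights $allow $UsersGroup $readExec)) { $findings += "$UsersGroup lacks Read & Execute (RX)" }
    foreach ($ace in $allow) {
        if ($ace.IdentityReference.Value -eq $UsersGroup -and
            (([int]$ace.FileSystemRights) -band $writeMask)) {
            $findings += "$UsersGroup holds write-level rights: $($ace.FileSystemRights)"
        }
    }
}

if ($findings.Count -eq 0) { 'SMSLogon matches the documented share comment and NTFS permissions.' }
else { $findings }
```
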
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Modification Type: Minor | Last Reviewed: 7/8/2005
Keywords: kbprb kbusage kbSysSettings kbSecurity kbSMS200preSP5fix kbfix kbBug KB816292