Re: Need help for setting proper security rights



Thanks Cathy for replying. Perhaps I should re-word my problem.
I have been deploying a software (say Software A) using direct membership
(i.e., adding individual computers to the collection) with the SMS admin
account without any problems. Now that I need to assign this task to another
administrator (someone who is not supposed to know the SMS admin account), I
create a special account and set the security settings for this account as
follows:
Collection (All instances) = Create, Delegate
Collection (Software A) = Everything
Package (All instances) = Create, Delegate
Package (Software A) = Everything
Advertisement (All instances) = Create, Delegate
Advertisement (Software A) = Everything
Then, when I add a computer name to the Software A collection using direct
membership, the adding process appears to be working as normal... it can find
the computer name and there is no error message on the screen. But when I go
back to the collection, the computer name simply isn't there.
I have checked the collection evaluator log and don't seem to see anything
unusual. Am I using these security settings correctly? Any suggestions are
appreciated.
Thanks.
Al

"Cathy Moya [MS]" wrote:

> Well, casting about a bit - tell us more about your collections Software A
> and Software B. You say they have the same security settings, but what about
> the configuration of the collection itself? When you say you add someone to
> Software B and they disappear, are you using direct membership or some sort
> of query-based membership? Have you looked at the collection evaluator log?
>
> --
> Cathy Moya, CISSP, MCSE: Security
> Technical Writer, Windows Enterprise Management Division User Assistance
>
> Check out the SMS Technical FAQ:
> http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
> This posting is provided AS IS with no warranties and confers no rights.
>
>
> "helpwanted" <helpwanted@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:7460FA4A-17AE-4D1E-9A57-6599A9D3904A@xxxxxxxxxxxxxxxx
> > We are running SMS 2003 SP1 with Advanced Security.
> > I need to grant security rights to a group of staff so that they can only
> > see and deploy a couple of software packages. Here is what I have set for
> > this group...
> >
> > Collection (All Instances) = Create, Delegate
> > Package (All Instances) = Create, Delegate
> > Advertisement (All Instances) = Create, Delegate
> >
> > Collection (Software A) = Everything (Read, Modify, Delete, ... Read Resource)
> > Package (Software A) = Read, Modify, Delete, Distribute
> > Advertisement (Software A) = Read, Modify, Delete
> >
> > Collection (Software B) = Everything (Read, Modify, Delete, ... Read Resource)
> > Package (Software B) = Read, Modify, Delete, Distribute
> > Advertisement (Software B) = Read, Modify, Delete
> >
> > Security settings for Software A and Software B are exactly the same. As
> > expected, this group can only see these 2 software packages from their
> > admin console. However, when this group adds a member to the collections,
> > Software A works without any problem and gets installed successfully in
> > the member PC. But for Software B, the member simply disappears from the
> > collection and there is no error message (either on the screen or from
> > the SMS log files).
> > Can anyone shed some light? Am I actually doing this wrong?
> > I don't seem to be able to find any docs that are applicable to our
> > situation. Any help is appreciated.
> > Thanks.
> > Al