MORE INFORMATION
Overview of the Systems Management Server 2003 client
SMS 2003 clients on computers that are running Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003 can run programs in one of the following security contexts:
- User account
- Service account
For the SMS 2003 Legacy client, the SMS 2003 Software Installation account has administrative rights on the SMS 2003 Legacy client computer. You can use this account to run advertised programs on client computers and to have access to specific non-SMS network resources when no user is logged on or the current logged-on user does not have administrative permissions to run the advertised program.
The SMS 2003 Legacy Client Software Installation account must have the following attributes:
- Access to the required network resources.
- Access to the SMS 2003 distribution point share and directories for the package.
The SMS 2003 client components grant certain user rights and membership in the local Administrators group to the Legacy Client Software Installation account when a client runs a program that requires administrative rights. This membership and the user rights are removed when the program is completed.
To access packages, clients can use one of the following methods:
- User account in user context.
- Otherwise, the Network Installation account on the Advanced client.
- Otherwise, the Legacy Client Software Installation account on the Legacy client.
Note For security reasons, do not grant the Legacy Client Software Installation account any rights on client computers directly or through group membership.
Advertisements
Advertisements that are intended to run in the context of the logged-on user have only the credentials of the user. Such advertisements use the user's credentials to connect to the distribution point. If the user does not have administrative credentials, advertisements that require administrator credentials run on Legacy clients in a security context similar to that of a service account, under the Client User Token account. The Client User Token account is dynamically added to the local Administrators group as required and has the Act as part of the operating system right. If the Client User Token account was added, it is removed when the task is completed.
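The article states that the Legacy Client Software Installation account and the Client User Token account receive local Administrators membership and the Act as part of the operating system right only while a program runs, and that neither account should be granted rights on client computers directly. The following PowerShell audit, an added example that is not part of the article, reports whether a given account holds either grant persistently; the account name is a placeholder parameter, and it assumes an elevated prompt on which secedit and the WinNT ADSI provider are available.

```powershell
# Added example (not from the KB article): check whether an account holds, outside
# a running advertisement, the two grants the article says should be transient.
# Assumptions: run elevated; $AccountName is a placeholder such as 'DOMAIN\SMSInstall'.
param(
    [Parameter(Mandatory = $true)]
    [string]$AccountName
)

function Get-LocalAdministrators {
    # WinNT ADSI provider works on every Windows version the article covers.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/Name; normalise to DOMAIN\Name.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-TcbPrivilegeHolders {
    # "Act as part of the operating system" is SeTcbPrivilege in the exported policy.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate to names where possible.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $id }
        } else { $id }
    }
}

$isAdmin = (Get-LocalAdministrators) -icontains $AccountName
$hasTcb  = (Get-TcbPrivilegeHolders) -icontains $AccountName
"{0}: persistent local Administrators member = {1}; SeTcbPrivilege = {2}" -f $AccountName, $isAdmin, $hasTcb
if ($isAdmin -or $hasTcb) {
    Write-Warning "Grant persists while no advertised program is running; it should have been removed on completion."
}
```

Run it while no advertised program is executing; a true result for either column indicates a grant that the client components did not remove, or one that was configured directly against the article's guidance.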
Distribution points
To access distribution points, an SMS 2003 Legacy client uses the Network abstraction layer (NAL) to find an existing connection to the package share on a distribution point. If a connection exists, the client uses the connection regardless of what credentials were provided.
For both the SMS 2003 Legacy and the SMS 2003 Advanced clients, if the client cannot find an existing connection to the server and the share, the client tries to use the security context of the user who is logged on to the client computer to connect to the distribution point.
If the client cannot connect to the distribution point by using the context of the user account, the SMS 2003 client tries to connect by using all the SMS Client Connection accounts that are available for the site for the Legacy client, or by using the Advanced Client Network Access account for the Advanced client.
Note When you turn on the Download program from distribution point option for the advertised package, the program is downloaded to the SMS 2003 Advanced client computer. Anyone can run the program if the package remains in the download cache. Also, a user can copy the files to a folder or share that other users can use. If unauthorized people must not be able to use the files, do not turn on the Download program from distribution point option for the Advertised program for those packages.
Package installation
By default, SMS 2003 first tries to use the context of the current user account to install all advertised packages. If the user does not have correct permissions to successfully run the program, SMS 2003 uses the Software Installation account to install the software on the SMS 2003 client computer.
When either the SMS 2003 Legacy client or the SMS 2003 Advanced client runs a Windows Installer package that requires administrative rights, SMS 2003 uses Windows Installer elevated rights to install the program on the client.