Provision your FEP Admin in ConfigMgr
At this point, your FEP Admin can log in to the ConfigMgr console and manage FEP. If that's all you need, great. But the FEP Admin will also have access to many other areas in the production ConfigMgr console, and you may want to mitigate the risk of unintended changes by the FEP Admin. The rest of these instructions deal with setting the FEP Admin up on his own system and limiting his console options to only the things he needs to administer FEP.
I'm not actually going to go into a lot of detail on this step. You need to install the ConfigMgr 2007 console on the FEP Admin's computer. Make sure it is at SP2 and at least R2, and don't forget Configuration Manager Hotfix KB2271736. Then run FEP server setup to install only the console extensions on the system.
Create a custom MMC console for your FEP Admin
NOTE: You can have either a minimal console or a full console on one machine, not both, which is why we've installed the ConfigMgr console on a separate box for the FEP Admin in this scenario. In my testing on Windows Server 2008, changes made to the snap-in view are reflected in the ConfigMgr console, and changes made in the ConfigMgr console are reflected in the snap-in view. So the solution here is a dedicated, minimal console for a FEP Admin.
Your FEP Admin now has a console that is as minimalistic as possible. Realize that this is not a security-enforced lockdown of the console. Nothing prevents the FEP Admin from unloading the snap-in and then reloading it with all the console items. Treat it as a convenience or safety precaution, for cases where you want to keep the FEP Admin from accidentally making unintended changes, or where the FEP Admin would prefer to view only the FEP information in the ConfigMgr console.
After going through this article, my new FEP administrator was unable to do a full FEP scan on a machine. The message was "The following FEP operation failed, click details for more information"; upon clicking details, the results are "No details are available". I believe it's permissions but not sure which one.
Can you post this question over in the Forum? (social.technet.microsoft.com/.../threads). The TN Wiki is not a great platform for discussions about issues.
When you ask the question in the forum, be sure to include details about how the FEP admin is initiating the scan.