Only allow console to connect to the CAS, disallow the console to connect to Primary

  • Question

  • Hello,

    We manage a CAS and 4 Primary Sites.  We want to restrict administrators from using the console to connect to the Primary sites and only connect to the CAS for administration.

    Is this possible?

    Thanks in advance


    Mike

    Monday, April 7, 2014 2:33 PM

Answers

  • Hi Mike,

    Define administrators.  Do you mean ConfigMgr administrators, local administrators, etc?

    Typically, to accomplish something like this, you'd need to have a terminal server with the ConfigMgr console installed on it and allow remote access to all users/groups who would need to connect to ConfigMgr, also ensuring they are in the SMS Admins group on the CAS site server (or local administrators group).  To restrict them from accessing the primary sites via the console, you would remove those users/groups from the SMS Admins group on the primary site servers.  This will effectively remove their DCOM permissions and they will not be able to connect to the SMS Provider on the primary site servers via the console.  However, if those users/groups are part of the local administrators group on the primary site servers, this will have no effect as local admins have DCOM permissions.

    http://technet.microsoft.com/en-us/library/hh427336.aspx#BKMK_ConfigDCOMforRemoteConsole

    -Matt

    • Marked as answer by MikeV-814 Tuesday, April 8, 2014 12:26 PM
    Monday, April 7, 2014 8:50 PM
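An added audit script, not from this thread and not a Microsoft tool, that checks the two conditions Matt describes on each site server: that the console admins are still in SMS Admins on the CAS, and that on every primary they are neither in SMS Admins nor in the local Administrators group (where DCOM access would remain). The server names and the admin group are hypothetical placeholders, only direct group membership is inspected (nested groups are not expanded), and the account running it must be able to read local groups remotely through the ADSI WinNT provider.

```powershell
# Added example: audit console reach on CAS and primary site servers after
# removing console admins from "SMS Admins" on the primaries.
# Assumptions: hypothetical server/group names; direct membership only;
# remote local-group reads via the ADSI WinNT provider are permitted.

function Get-RemoteLocalGroupMember {
    param([string]$ComputerName, [string]$GroupName)
    # Returns members as DOMAIN\name (or COMPUTER\name for local accounts)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-ConsoleScope {
    param(
        [string]$CasServer,
        [string[]]$PrimarySiteServers,
        [string[]]$ConsoleAdmins
    )
    # On the CAS the principal must be in SMS Admins, otherwise the console cannot connect at all
    $casSms = Get-RemoteLocalGroupMember -ComputerName $CasServer -GroupName 'SMS Admins'
    foreach ($principal in $ConsoleAdmins) {
        if ($casSms -notcontains $principal) {
            [pscustomobject]@{ Server = $CasServer; Principal = $principal; Finding = 'Missing from SMS Admins on CAS' }
        }
    }
    foreach ($server in $PrimarySiteServers) {
        $sms   = Get-RemoteLocalGroupMember -ComputerName $server -GroupName 'SMS Admins'
        $local = Get-RemoteLocalGroupMember -ComputerName $server -GroupName 'Administrators'
        foreach ($principal in $ConsoleAdmins) {
            # Local admins keep DCOM permissions to the SMS Provider regardless of SMS Admins
            $finding = if ($sms -contains $principal)      { 'Still in SMS Admins (remove)' }
                       elseif ($local -contains $principal) { 'Local admin: DCOM access remains' }
                       else                                 { 'Restricted as intended' }
            [pscustomobject]@{ Server = $server; Principal = $principal; Finding = $finding }
        }
    }
}

# Constructed sample inventory; replace with your own CAS, primaries and console admin group.
Test-ConsoleScope -CasServer 'CAS01' -PrimarySiteServers 'PRI01', 'PRI02' `
    -ConsoleAdmins 'CONTOSO\SCCM-Console-Admins' | Format-Table -AutoSize
```

Any row other than "Restricted as intended" on a primary is a principal that can still open a console against that site.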

All replies

  • It basically does not matter where the console is connected to (although all administration should be done on the CAS). What's wrong if someone connects to a primary?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, April 7, 2014 6:18 PM
  • To keep the workload on our primaries down to a minimum and, in the event we have to reboot a box, know if all or only a few SCCM admins may need to restart the console.  Also for picky/cosmetic reasons, to keep the prefixes of all our collection IDs and package IDs the same.

    Mike

    Monday, April 7, 2014 7:01 PM
  • Thank you for your help.  I tested this in our test environment and it worked as expected.  Our SCCM Administrators (our customers) are not local administrators on the boxes.

    Mike

    Tuesday, April 8, 2014 12:28 PM