Saturday, November 12, 2011

Do as I say...

I don't know why it's taken me so long to comment on this.  It's been about a decade since I really became involved with Microsoft SMS and, later, Configuration Manager.  The issue I'm referring to is the permissions delegation on the "System Management" container in Active Directory.  The documentation, as well as all of the blogs, white papers, video tutorials and so on, all explain how to create the container and then delegate permissions directly to the SMS/ConfigMgr site server account (the computer "$" account) so it can publish site information to it during the site implementation process.

Well, every single Microsoft exam beats the same mantra into our heads that we should always, always, always use the A-G-Dl-P (or A-G-U-Dl-P) method for granting permissions to resources.  If that's true, we should then create a Domain Local group and a Global group, in which to place the ConfigMgr site server, and nest the group appropriately, and then grant that group permissions to the container.  But they don't.  When I asked a Microsoft engineer about this years ago he scratched his head (literally) and looked confused.  Then he responded: "I don't know.  I suppose it provides greater security since you don't have to worry about someone adding an unauthorized account to the global or domain local group."  That surprised me a bit.  I was about to respond to that with "Sooo...... the A-G-D-P method isn't as secure as direct assignment?" but we were interrupted.  It's a trivial issue, I know, but it's just something I had to mention.
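For reference, here is what the A-G-DL-P version of that delegation looks like in PowerShell.  This is an added example, not code from the original post or from Microsoft's documentation; it assumes the RSAT ActiveDirectory module is available, the System Management container already exists, the groups live in an "OU=Groups" OU, and the site server is named CM01 (all placeholder names).

```powershell
# Added example: A-G-DL-P delegation on the System Management container.
# Assumptions (placeholders): ActiveDirectory module installed, the container
# already exists, groups are created in OU=Groups, site server is CM01.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$containerDN  = "CN=System Management,CN=System,$domainDN"
$groupOU      = "OU=Groups,$domainDN"
$siteServer   = Get-ADComputer -Identity 'CM01'   # the computer "$" account

# G: a Global group that holds the site server computer account(s)
$globalGroup = New-ADGroup -Name 'ConfigMgr Site Servers' `
    -GroupScope Global -GroupCategory Security -Path $groupOU -PassThru
Add-ADGroupMember -Identity $globalGroup -Members $siteServer

# DL: a Domain Local group that is the only principal granted rights on the container
$localGroup = New-ADGroup -Name 'ConfigMgr System Management Publishers' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU -PassThru
Add-ADGroupMember -Identity $localGroup -Members $globalGroup

# P: grant the DL group Full Control on the container and every descendant object,
# which is the same right the documentation assigns directly to the computer account
$acl = Get-Acl -Path "AD:\$containerDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $localGroup.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Check: the container's ACL should now list the DL group, and nothing else
# you did not intend, with GenericAll inherited to child objects
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like '*Publishers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Because the site server's access token is built when the machine logs on, the nested membership only takes effect after the computer account obtains a new token (in practice, after a reboot), so verify with the last command before running the site setup.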
