Establishing secure administrator authority to perform Configuration Manager tasks

Configuration Manager 2007 controls access to the console in several ways. Only administrators have rights to files and registry keys that help the Configuration Manager 2007 console run.

About this task

Windows® Management Instrumentation (WMI) also limits access to the SMS Provider role, which is restricted to members of the local SMS Admins group. The local SMS Admins group begins with the user who installs Configuration Manager 2007. Others can access the Common Information Model (CIM) repository and gain SMS Provider rights as they join the SMS Admins group.

Accessing objects in the primary site database also requires permissions. The Local System account and the installer account have access to all objects in the site database. One of those accounts can grant permissions to additional users in the Configuration Manager 2007 console.

See Technet: Understanding Configuration Manager Security for more information.