O R G A N I C / F E R T I L I Z E R: 02.05

Feb 17, 2005

sms security

UPDATE: here's a solution - http://marcusoh.blogspot.com/2005/09/update-on-systems-management-server.html

i'd really like to outline how thoughtless sms security is for an enterprise. without some fanciful scripting, you're really up against a wall trying to delegate permissions. let's take the average company that has split the responsibility for desktop software deployment from the responsibility for the sms infrastructure. here's the scenario:

  • workstations are clients
  • servers are clients

so the first thing you decide is that you want to prevent a desktop jockey from accidentally deploying software to a server through some malformed collection query. in order to do this, you create a collection of only workstations as the root. now here's the problem. if you give the desktop jockey the rights to create collections under this collection, there's no way to propagate, for example, the limiting collection (the root) by default. this is really where things break down. a child collection inherits nothing from the root collection: neither the security rights nor the collection limiter carries down. so instead of adding folders to the sms admin console - let's concentrate on adding usable, desired functionality.
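to make the scope-escape problem concrete, here is an added example (not code from this post, and not the sms wmi provider's api): a simplified in-memory model of collections with a query rule, an optional limiting collection and a per-collection rights table. the device names, collection ids and the `DOMAIN\desktopjockey` account are constructed. `create_child` with `propagate=False` mirrors what the console does (no limiting collection, empty rights on the child); `propagate=True` is the behaviour asked for above, and `audit_scope_escape` is the check an sms admin would want to run to find child collections whose members reach outside the root.

```python
"""Model of SMS collection limiting and delegated rights (added example, not SMS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Device:
    name: str
    is_server: bool


@dataclass
class Collection:
    collection_id: str
    name: str
    rule: Callable[[Device], bool]                 # stand-in for the WQL query rule
    limit_to: Optional[str] = None                 # limiting collection ID; None = whole site
    parent: Optional[str] = None                   # parent collection in the console tree
    rights: Dict[str, Set[str]] = field(default_factory=dict)   # user -> instance rights


# Constructed inventory: two workstations and two servers, all SMS clients.
DEVICES: List[Device] = [
    Device("WS01", False), Device("WS02", False),
    Device("SRV01", True), Device("DC01", True),
]


def members(cid: str, cols: Dict[str, Collection], devices: List[Device] = DEVICES) -> Set[str]:
    """Effective membership: devices matching the rule, intersected with the limiting collection."""
    col = cols[cid]
    scope = members(col.limit_to, cols, devices) if col.limit_to else {d.name for d in devices}
    return {d.name for d in devices if col.rule(d)} & scope


def create_child(cols: Dict[str, Collection], parent_id: str, cid: str, name: str,
                 rule: Callable[[Device], bool], propagate: bool) -> Collection:
    """Create a child collection under parent_id.

    propagate=False: what the console does, no limiting collection and an empty rights table.
    propagate=True: limit the child to its parent and copy the parent's delegated rights.
    """
    parent = cols[parent_id]
    child = Collection(cid, name, rule, parent=parent_id)
    if propagate:
        child.limit_to = parent_id
        child.rights = {user: set(r) for user, r in parent.rights.items()}
    cols[cid] = child
    return child


def descendants(root_id: str, cols: Dict[str, Collection]) -> List[str]:
    """All collection IDs below root_id in the console tree."""
    out, stack = [], [root_id]
    while stack:
        pid = stack.pop()
        for c in cols.values():
            if c.parent == pid:
                out.append(c.collection_id)
                stack.append(c.collection_id)
    return out


def audit_scope_escape(root_id: str, cols: Dict[str, Collection],
                       devices: List[Device] = DEVICES) -> List[str]:
    """IDs of collections under root whose effective members are not a subset of root's members.

    Those are the collections a delegated admin could use to advertise software to machines
    (here: servers) that the root collection was meant to keep out of reach.
    """
    root_members = members(root_id, cols, devices)
    return sorted(cid for cid in descendants(root_id, cols)
                  if not members(cid, cols, devices) <= root_members)


def build_scenario(propagate: bool) -> Dict[str, Collection]:
    """Workstations-only root with rights delegated to a desktop admin, plus one sloppy child."""
    cols: Dict[str, Collection] = {}
    cols["WKS"] = Collection("WKS", "All Workstations", lambda d: not d.is_server,
                             rights={"DOMAIN\\desktopjockey": {"Read", "Advertise", "Create"}})
    # The delegated admin's child collection: a malformed query that matches every client.
    create_child(cols, "WKS", "WKS-DJ", "Desktop rollout", lambda d: True, propagate)
    return cols


if __name__ == "__main__":
    for propagate in (False, True):
        cols = build_scenario(propagate)
        print(f"propagate={propagate}: WKS-DJ members={sorted(members('WKS-DJ', cols))} "
              f"escaped={audit_scope_escape('WKS', cols)}")
```

run stand-alone, the first line shows the child collection reaching SRV01 and DC01 and being flagged; the second shows the same sloppy query confined to the two workstations once the limiting collection and rights are propagated at creation time.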

Feb 16, 2005

miis

lately i've been fiddling around with miis. i can't for the life of me imagine why the adam management agent can't directly provision accounts. at any rate, i'll post the code here once i get it working and get back to writing articles at some point. there's lots of good stuff that's been uncovered that probably needs to be shared. :)