Share via

Setting Up a new FEP Administrator

  • Article

The question has come up revolving around what permissions a FEP administrator needs in the ConfigMgr 2007 console, and whether the console can be 'locked down' to keep the FEP Admin from making accidental changes in the environment. I've listed the permissions you need in ConfigMgr to manage FEP, and have been working on customizing the ConfigMgr MMC so that only FEP items are displayed.

Working with the MMC snap-in, I've found that it's possible to provide a minimal set of tools for a FEP Admin. However keep two things in mind:

  • First, you will need to set up this minimal console on its own system, as the ConfigMgr console will only be suitable for managing FEP, and the view changes appear to be universal on the system.
  • Secondly, this shouldn't be considered a security lockdown, because it isn't. Nothing would prevent the FEP Admin from going into MMC and reloading the System Center Configuration Manager snap-in with the full tree view.

Keeping all that in mind, it's pretty straightforward to set up. Setting this up requires three steps.  

  1. Provision your FEP Admin in ConfigMgr.
  2. Install the ConfigMgr console and FEP extensions on your FEP Admin's computer.
  3. Create a custom MMC console for your FEP Admin.

Provision your FEP Admin in ConfigMgr

  1. Log onto your ConfigMgr console as a full SMSAdmin with full ConfigMgr permissions.
  2. Drill down under the Site Database, Security Rights, to Users.
  3. Click Manage ConfigMgr Users on either the Action pane or the right-click menu of the Users node.
  4. Click Next on the Welcome screen.
  5. Select the radio button to Add a new user, and type in the users domain\username, and then click Next.
  6. Click the radio button to Add another right or modify an existing one.
  7. In the Add Right screen, select each Class listed below, check the box to add the required Rights, and then click Next. You will need to repeat this step for each Class. These are the minimum permissions required to administer FEP. (Do not confuse these with the minimum permissions to install FEP, which requires full SMSAdmin permissions)
    1. Advertisement - Create, Delete, Manage Folders, Modify, Read
    2. Collection - Administer, Advertise, Create, Delete, Delete resource, Modify, Modify Collection Settings, Modify resource, Read, Read resource
    3. Configuration Item - Create, Delete, Distribute, Manage Folders, Modify, Read
    4. Package - Administer, Create, Delete, Distribute, Manage Folders, Modify, Read
    5. Site - Administer, Manage Status filter, Modify, Read
  8. When you're done, your permissions should look something like this:
  9. Click Next, click Next again, and then click Close.
  10. This should also add your user to the local user group SMSAdmins. If something goes wrong or the permissions don't work like they should, make sure your user is a member of this group. Also worth noting is that when I completed these steps, the permission changes didn't take right away. I got "Access Denied" the first couple of times I tried opening the console under my provisioned FEP Admin account. Things started working normally inside five minutes without any additional effort on my part.

At this point, your FEP admin can log into the ConfigMgr console, and manage FEP. If that's all you need, great. But the FEP Admin will also have access to many other areas in the production ConfigMgr console, and you may want to mitigate the risk of unintended changes by the FEP Admin. The rest of these instructions deal with setting the FEP Admin up on his own system, and limiting his console options only to the things he needs to administer FEP.

Install the ConfigMgr console and FEP extensions on your FEP Admin's computer

I'm not actually going to go into a lot of detail on this step. You need to install the ConfigMgr 2007 console on the FEP Admin's computer. Make sure it is at SP2 and at least R2, and don't forget Configuration Manager Hotfix KB2271736. Then run FEP server setup to install only the console extensions on the system.

**Create a custom MMC console for your FEP Admin
**

  1. On the FEP Admin's system, click Start, type in MMC, and then hit Enter.
  2. Click File, then click Add/Remove Snap-ins.
  3. In the Available snap-ins list, click System Center Configuration Manager, and then click Add.
  4. On the Welcome screen, click Next.
  5. On the Locate Site Database screen, provide the name of the site server where you have installed FEP server, and then select the radio button for Select console tree items to be loaded (custom). Then click Next.
  6. Remove ALL of the check boxes in the Console Tree Items list. Then expand Computer Management and then click the check box next to Collections. NOTE: The FEP node doesn't show up in this list, it will show up when you select Collections. Click Finish, and then click OK.
  7. Click File, and then click Save As. Save to the desktop and name your MMC FEPAdminConsole or whatever pleases you.

NOTE: You can either have a minimal console or a full console on one machine, which is the reason we've installed the ConfigMgr console on a separate box  for the FEP Admin in this scenario. Changes made to the snap-in view are reflected in the ConfigMgr console, and changes made in the ConfigMgr console are reflected in the snap-in view, in my testing on Windows Server 2008. So the solution here is a dedicated, minimal console for a FEP Admin.

Your FEP Admin now has a console that is as minimalistic as possible. Realize that this is not a security enforced lockdown of the console. Nothing prevents the FEP Admin from unloading the snap-in, and then reloading it with all the console items. This would be more of a convenience or safety precaution, so that the FEP Admin doesn't accidently make unintended changes, or if the FEP Admin would prefer only to fiew the FEP information in the ConfigMgr console.