Security Considerations - Controlling Access (Part 1 of 2)
Anyone who has installed OpsMgr knows there is a setup option to choose which computer group will contain all OpsMgr Administrators. By default it is the local Administrators group, which means that all Domain Administrators have administrative access to the Management Group out of the box. Designate your own group to hold the OpsMgr Administrators instead: it makes managing access much easier and provides a template for managing the other roles, such as Advanced Operators and Authors. The outline below is just a suggestion and is not necessary, but my clients have found it very useful.
Leveraging Active Directory for OpsMgr Access:
1. Before installing OpsMgr, create a Global Security Group in Active Directory. Let's call it 'OpsMgr Administrators' or something similar. I first created an OU called 'OpsMgr Roles' and then created four sub-OUs named 'Administrators', 'Advanced Operators', 'Authors' and 'Operators'. Then, in the OU named 'Administrators', create a Global Security Group called 'OpsMgr Admins', and do the same for the other roles: 'OpsMgr Adv Ops', 'OpsMgr Authors' and 'OpsMgr Ops'.
2. On the RMS, create a local computer group called 'OpsMgr Administrators'.
3. During the install of OpsMgr, in the Management Group configuration screen, be sure to select 'OpsMgr Administrators' under 'Configure MOM Administrators'.
4. After the installation is complete, launch the Operations Console, go to 'Administration / Security / User Roles', right-click 'Operations Manager Administrators' and choose 'Properties'. You will see 'servername\OpsMgr Administrators' under 'User role members:'.
5. Repeat the above steps for 'Operations Manager Advanced Operators'; this time nothing is listed under 'User role members:'. Click 'Add' and enter 'OpsMgr Adv Ops'.
6. Repeat for 'Authors' and 'Operators'.
7. Note that if you do not populate the 'OpsMgr Administrators' global security group, you will not be able to launch the console, so be sure to add the appropriate accounts. Identify who your other users are and what access they need.
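The steps above as a script, added here as an example and not part of the original post or of OpsMgr itself. It assumes a domain named contoso.com with NetBIOS name CONTOSO, that the ActiveDirectory RSAT module is available for steps 1 and 2, and that the user-role part runs in the OpsMgr 2007 Operations Manager Shell, whose Get-UserRole cmdlet returns SDK objects with a Users collection and an Update() method (those SDK names are an assumption, not something the post states). It also assumes that the AD group 'OpsMgr Admins' is nested inside the local 'OpsMgr Administrators' group on the RMS, which is how the group chosen at setup ends up granting access to domain accounts; the post does not spell that nesting out.

```powershell
#Requires -Modules ActiveDirectory
# Added example: builds the 'OpsMgr Roles' OU tree and the four global groups (step 1),
# the local group on the RMS (step 2), and the built-in user role memberships (steps 4-6).
# Assumed values: domain contoso.com / CONTOSO. Change them for your environment.
$DomainDN = 'DC=contoso,DC=com'
$NetBios  = 'CONTOSO'
$RolesOU  = "OU=OpsMgr Roles,$DomainDN"

# Sub-OU, global group and built-in user role per role. The Administrators role is
# populated at setup through the local group, so it has no user-role entry here.
$Roles = @(
    @{ OU = 'Administrators';     Group = 'OpsMgr Admins';  UserRole = $null },
    @{ OU = 'Advanced Operators'; Group = 'OpsMgr Adv Ops'; UserRole = 'Operations Manager Advanced Operators' },
    @{ OU = 'Authors';            Group = 'OpsMgr Authors'; UserRole = 'Operations Manager Authors' },
    @{ OU = 'Operators';          Group = 'OpsMgr Ops';     UserRole = 'Operations Manager Operators' }
)

function Test-ADObjectExists([string]$Dn) {
    try { [void](Get-ADObject -Identity $Dn -ErrorAction Stop); $true } catch { $false }
}

# --- Step 1: OU tree and global security groups (safe to re-run) ---
if (-not (Test-ADObjectExists $RolesOU)) {
    New-ADOrganizationalUnit -Name 'OpsMgr Roles' -Path $DomainDN
}
foreach ($r in $Roles) {
    $subOU = "OU=$($r.OU),$RolesOU"
    if (-not (Test-ADObjectExists $subOU)) {
        New-ADOrganizationalUnit -Name $r.OU -Path $RolesOU
    }
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$($r.Group)'")) {
        New-ADGroup -Name $r.Group -SamAccountName $r.Group -Path $subOU `
                    -GroupScope Global -GroupCategory Security
    }
}

# --- Step 2: local group on the RMS, with the AD admin group nested inside it ---
# Run this part on the RMS. 'net localgroup' lists groups with a leading '*'.
$LocalGroup = 'OpsMgr Administrators'
if (-not (net localgroup | Where-Object { $_ -eq "*$LocalGroup" })) {
    net localgroup "$LocalGroup" /add | Out-Null
}
# Assumed nesting: domain group -> local group chosen under 'Configure MOM Administrators'.
net localgroup "$LocalGroup" "$NetBios\OpsMgr Admins" /add | Out-Null

# --- Steps 4-6: add each AD group to its built-in user role (Operations Manager Shell) ---
# Assumption: Get-UserRole objects expose .DisplayName, .Users and .Update() (OpsMgr 2007 SDK).
foreach ($r in $Roles | Where-Object { $_.UserRole }) {
    $role = Get-UserRole | Where-Object { $_.DisplayName -eq $r.UserRole }
    if ($null -eq $role) { Write-Warning "User role '$($r.UserRole)' not found"; continue }
    $member = "$NetBios\$($r.Group)"
    if ($role.Users -notcontains $member) {
        $role.Users.Add($member)
        $role.Update()
    }
}

# Verification: who is in each role now. Compare with step 4's 'User role members:' list;
# anything other than your designated groups (e.g. a local Administrators entry) is worth a look.
function Get-OpsMgrRoleMembership {
    Get-UserRole | Select-Object DisplayName, @{ n = 'Members'; e = { $_.Users -join ', ' } }
}
Get-OpsMgrRoleMembership | Format-Table -AutoSize
```

Run the AD part with an account that can create OUs and groups, and the remaining parts on the RMS in the Operations Manager Shell; the AD and local-group sections are idempotent, so the script can be re-run after adding roles.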
Please note that you can also create and customize your own User Roles; the ones used here are just the defaults built into the product. I will demonstrate this in Part 2 of this blog: Security Considerations - Implementing Custom User Roles.
Conclusion
You have now built the framework needed to administer and maintain custom user access to OpsMgr while minimizing administration and reducing complexity.
Additional Notes:
1. I am not sure if this fits in with AD Best Practices. If it does not, my bad.
2. If you RDP into a remote server to launch the console, be sure the user account is a member of the Remote Desktop Users group.