Special Edition, Using Microsoft BackOffice, Ch. 27

27 - The Role of the SMS Administrator

by Don Benage

  • How to define packages to automate software installation - Learn how to create packages that can be used to automate the process of distributing and installing computer software. Find out how to create packages for applications that will be installed directly on client workstations, or to be installed as a shared, server-based application.

  • How to create jobs to implement the packages you have defined - Find out how to create jobs that will activate your packages and initiate their actual distribution and installation. Learn about the different types of jobs and the various options that control their behavior.

  • How to control access to SMS tools and features - Find out how to prevent malicious or accidental use of the powerful capabilities provided by SMS. Explore the features of the SMS Security Manager and learn how to assign various roles to different administrative personnel.

  • How to use the Help Desk features to control remote workstations - Explore the Help Desk features provided by SMS including Remote Control, Remote Chat, and Remote Reboot. Learn how to configure workstations to enable these features and how to disable remote control of workstations that do not want to be accessed.

  • How to use the Network Monitor - SMS includes a protocol analysis utility called the Network Monitor. Learn how to use this tool to capture network packets and analyze the traffic on your network.


The role of the Systems Management Server (SMS) administrator is unique. It is often mistakenly assumed to be little more than a glorified software installer. On a large network, this could not be farther from the truth. The SMS administrator certainly needs to understand software installation - it is generally difficult to automate something that you don't already know how to do manually. The successful SMS administrator also needs a strong background in Windows NT network administration and setting up communications links for wide area networks (WANs). In addition, because SMS uses SQL Server to store its site database, the SMS administrator may need to double as the database administrator (DBA) as well.

Of course in a large network environment where all these skills are required, there is usually a team of individuals working together to support the environment. It is important to recognize, however, that all these skills must be available when SMS administrative tasks are carried out. If you do not possess all these skills yourself, it is prudent to seek assistance from other members of the support team to complete some tasks. You may also find it useful to review the material on Windows NT Server, SQL Server, and other Microsoft BackOffice components provided in other chapters of this book if you have not already done so. In addition, the manuals and on-line reference materials provided with BackOffice products are valuable resources.

Some of the concerns faced by the SMS administrator are as follows:

  • The impact that automated processes have on server performance and network bandwidth, especially over slow links

  • The disruption of normal user computing routines caused by mandatory processes and inventory scanning or auditing

  • Planning the installation of a new software package or update to occur in stages to minimize the possibility of inflicting problems on a large number of users at the same time

  • Trying to create redundancy in key components of the system to avoid single points of failure

In this chapter, you learn some of the more advanced features of SMS. You learn how to automate the process of software distribution and installation. SMS Security is reviewed, as well as accessing SMS from remote locations using dial-up lines. The Help Desk features of SMS are explored, and procedures for using the Network Monitor protocol analysis tool are provided. Finally, some techniques for monitoring and troubleshooting SMS are discussed.

Defining Packages for Software Distribution and Installation

In Chapter 26, "Implementing SMS," you learned how to create a package and define inventory properties for that package. In this section, you learn how to define properties that tell SMS how to distribute packages and install applications. SMS can be used to distribute any type of information including data files. It is most often used to distribute and install applications, however. Applications can be installed directly on client workstations or set up on a server and shared so that they can be run by users at client workstations over the network. Defining a package is the first step in automating software distribution and installation. The package will not be "activated," however, until you create a job using the package and define a schedule and target for its use. See "Creating Jobs for Software Distribution and Installation," later in this chapter.

Creating Package Source Directories

For either type of software installation package, those that will be installed directly on client workstations and those that will be shared from a server-based installation, you must create a package source directory. This is nothing more than the location of all of the files that make up the package and any installation scripts or programs that are needed. The package source directory can be located on the site server or on a shared directory on another server. It can even be located on a server that is not included in the SMS site. When you define the properties of the package, the topic discussed in the next two sections, you tell SMS where to find the package source directory. You specify the location relative to the location of the Scheduler service. The Scheduler is located on the site server by default. If you have moved the Scheduler, or if the package source directory is not on the site server, you should use a Universal Naming Convention (UNC) name to specify the location of the package source directory.


A UNC name is of the form \\servername\sharename. Additional directories (and subdirectories) can be specified if appropriate. For example, you could specify a UNC name such as \\PRIMSRV\DATA\SCHEDULER.

The package source directory should contain all files that are part of the package itself, as well as any setup program and script files that may be used to automate setup. If the installation of the package uses a script processor (such as MTRUN.EXE, the processor for Microsoft Test version 3.0) this utility can be placed directly in the package source directory, or in the LOGON.SRV\MSTEST directory on the server. In addition, if the package will be defined using one of the Package Definition Files (PDFs) supplied by Microsoft, described in the section "Using Package Definition Files (PDFs)" later in this chapter, the PDF file itself should be copied to the package source directory.

If you are creating a package source directory for a shared network application, follow the network installation instructions for the application. Depending on the application, you may need to create separate package source directories for different client platforms running different operating systems. Some applications will place platform specific configuration files in the source directory as part of the network installation process and would therefore require separate source directories for each platform.


If you are adding Workstation or Sharing properties to a package that has already been defined with other properties, you should proceed carefully. If active jobs use this package, you should not change the name of the package or other properties that might affect the active job. See "Monitoring the Status of Jobs" and "Canceling and Deleting Jobs" later in this chapter for information on how to check the status of an active job and possibly cancel it or remove it from the system.

Run Command on Workstation Packages

On large networks visiting all the client workstations to install new applications or update existing applications can be very time consuming and expensive. In some cases, the cost of installing and maintaining the software may exceed the cost of the computer itself! SMS provides some relief by allowing you to define Run Command on Workstation packages that can be distributed and run on client workstations automatically. You can make these commands mandatory, or allow users to decide for themselves whether they want to run the command. The command may be a Setup program for a software application or a utility such as a virus checker.

To define a Run Command on Workstation package, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Packages window. Choose File, New from the menu. The Package Properties dialog box appears.

  3. Enter a name for the package in the Name text box. If the package describes an application, it is usually a good idea to use the name of the application itself as the name of the package. Enter a brief description of the package in the Comments: text box.

  4. Click Workstations. The Setup Package for Workstations dialog box appears, as shown in figure 27.1.

    Fig. 27.1 - The Setup Package for Workstations dialog box is used to define properties that will enable this package to be installed on client workstations.

  5. Enter the location of the package source directory in the Source Directory text box. See "Creating Package Source Directories" earlier in this chapter for more information on how to create a package source directory.

  6. You are now ready to define one or more command lines that will apply to this package. These command lines will typically initiate the installation process of a software application, but you can also launch a virus check (for example) or other process. As you define command lines, they will be listed in the Workstation Command Lines list box. Click New to define the first command line. The Command Line Properties dialog box appears (see fig. 27.2).

    Fig. 27.2 - The Command Line Properties dialog box is used to define a command line that can be run on workstations, manually or automatically, that receive this package.

  7. Enter a descriptive name for the command in the Command Name text box. For example, you might name a command Run Widget Setup Program.

  8. Enter the actual command to be executed in the Command Line text box. This command must be a batch file or executable program name with optional command-line switches. The command will be run from the root of the package source directory.

  9. Indicate whether input is required from the user after this command is executed by checking or clearing the Automated Command Line check box.

  10. If the command will run on Windows NT systems without displaying a window or requiring input, check the System (Background) Task check box. This is particularly useful for background tasks that need to be run on unattended servers at remote locations or locked machine rooms. SMS includes a Package Command Manager service for Windows NT systems that can automatically execute such packages.

  11. Click the appropriate check boxes in the Supported Platforms scrolling list box to indicate the operating systems that will support this command. On client workstations that are running selected operating systems, this package will appear in the Package Command Manager application (after you create a Job to activate the package). See "Creating Jobs for Software Distribution and Installation" later in this chapter.

  12. Choose OK to return to the Setup Package for Workstations dialog box. The new command now appears in the Workstation Command Lines list box. If you are done defining command lines, continue with step 14.

  13. You may now add another command line, or edit existing command lines. Click New to add an additional command line, or select a command line in the Workstation Command Lines list box and click Properties. Return to step 7 and continue.

  14. Choose Close to return to the Package Properties dialog box. Click OK to update the package's new Workstation properties.

Share on Server Packages

An alternative to distributing packages to be installed directly on client workstations is to install them on servers and share them for access over the network. SMS automates the process of compressing packages and distributing them to sites, decompressing the packages and placing them on distribution servers, sharing the resulting directories, and providing access to selected groups of users. This type of package can be used to define a job that will distribute any type of files, including data files, in addition to networked applications.

After networked applications have been distributed to file servers and shared, users with sufficient permissions can connect to these locations and execute the applications in the same manner they would use for applications installed using conventional methods. You can compliment Share on Server packages by creating Program Groups using the SMS Administrator, which automatically cause the creation of Program Manager groups on client workstations with icons for the shared applications. The Program Group Control components of SMS, which run on client workstations, will perform this task based on definitions you have made. See "Creating Program Groups for Shared Applications" later in this chapter.

Sharing applications on servers can simplify the task of upgrading to new versions, because the old application is installed only on file servers, not on dozens or hundreds of workstations. Using shared applications does imply that if the network is down, all users requiring the applications will be unable to do their work, but with appropriate engineering and redundancy of key components, this risk can be mitigated.

To create a package for sharing applications on servers, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Packages window. Choose File, New from the menu. The Package Properties dialog box appears.

  3. Enter a name for the package in the Name text box. If the package describes an application, it is usually a good idea to use the name of the application itself as the name of the package. Enter a brief description of the package in the Comment text box.

  4. Click Sharing. The Setup Properties for Sharing dialog box appears (see fig. 27.3).

    Fig. 27.3 - The Setup Package for Sharing dialog box is used to enter properties that define how to set up a shared, server-based application.

  5. Enter the location of the package source directory in the Source Directory text box. See "Creating Package Source Directories" earlier in this chapter for more information on how to create a package source directory.

  6. Enter a share name of eight characters or less in the Share Name text box. If you are using NetWare file servers, you must enter a volume name and subdirectory as the share name.

  7. Click Access if you want to change the default permissions that will be granted to this network share. By default, Users and Guests are granted Read and Write access. The Access dialog box appears (see fig. 27.4). Click the check boxes reflecting the permissions you want to assign. Click OK to close the Share Access dialog box.

    Fig. 27.4 - The Access dialog box is used to set access permissions for shared applications.


    Users in a Windows NT file server environment refers to the Domain Users global group for Windows NT domains that are part of the target site. Guests refers to the Guests global group. In NetWare environments, Users refers to the default group EVERYONE, and Guests refers to the default user account GUEST.

  8. You are now ready to define one or more program items that will apply to this package. As you define program items, they will be listed in the Program Items list box. Click New to define the first program item. The Program Item Properties dialog box appears (see fig. 27.5).

    Fig. 27.5 - Use the Program Item Properties dialog box to define the shared program's properties.

  9. Enter a description for the program item in the Description text box. This will appear as the name under an icon in the Program Manager or when the application is minimized.

  10. Enter the command line that will be used to start the application in the Command Line text box. You should specify the file name of the executable or batch file that is used to launch the application.

  11. Enter a Registry Name in the text box provided. This name will be used in the registry of the client computer and should be recognizable to aid potential troubleshooting. If you do not make an entry, the SMS package ID will be used, a less than ideal alternative.


    You may want to import some of the PDFs for Microsoft applications provided with SMS to see the registry names defined for those packages. This may provide additional guidance in determining an appropriate registry name for your package. See "Using Package Definition Files (PDFs)" later in this chapter for more information.

  12. If an application requires a setup or installation routine to be run the first time a client uses this network application, enter the command line used to launch that routine in the Configuration Command Line text box.

  13. You will usually want to select the Display Icon in Program Group check box. An exception is the shared Microsoft mini-applications that come with Microsoft Office known as the MSAPPS, or a similar utility package that is always called from another application.

  14. Select the Run Minimized check box if you want the application to be minimized immediately after it is started.

  15. Select the Run Local Copy if Present check box to cause the Program Group Control function on the client workstation to scan the directories in the local path for a copy of this application before running the networked copy.

  16. Select the option button to reflect the type of drive connection required for this application. Some applications don't work well with UNC names, especially older applications. This choice may also be affected by corporate policy. For example, an organization may decide to always use certain letters for particular applications or user's home directories.

  17. Click the check boxes to indicate the operating systems that will support this application.

  18. If you want, click the Change Icon button to select a different icon to display for this application. The Change Icon dialog box appears (see fig. 27.6). Select the file containing the icon you want to use. Click OK to return to the Program Item Properties dialog box.

    Fig. 27.6 - The Change Icon dialog box allows you to select an icon that will be used to launch this application from client workstations.

  19. Choose OK to return to the Setup Package for Sharing dialog box. The new program item now appears in the Program Items list box. If you are done defining program items, continue with step 21.

  20. You may now add another program item or edit existing program items. Click New to add an additional program item, or select a program item in the Program Items list box and click Properties. Return to step 9 and continue.

  21. Choose Close to return to the Package Properties dialog box. Click OK to update the package's new Workstation properties.

Now you know how to define packages. Until you create a job to distribute the package, however, it will not be useful. In the next section, you learn how to complete the process by defining jobs to activate your packages.

Creating Jobs for Software Distribution and Installation

After you have defined a package, you are ready to create a job to distribute your package and put it to work. SMS includes several different types of jobs. Some of the jobs in an SMS system are created by SMS services. These are called system jobs and require no action on your part. You can create jobs of three types:

  • Run Command on Workstation. These jobs compress the contents of the package source directory, send the compressed package to target sites, decompresses the package, place it on specified servers, and make the package available to specified clients. The client workstations that are part of the job target will see the package appear in the Package Command Manager at the scheduled time.

  • Share Package on Server. These jobs also compress the package, send it to target sites, decompress the package, and place it on specified servers. The directories are then shared and made available to the specified users. If desired, a Program Group can be defined to offer the shared packages to specified users with the Program Group Control utility on client workstations.

  • Remove Package from Server. These jobs remove both the compressed packages from receiving site servers and the uncompressed packages from shared directories on distribution servers. It does not remove the original package source directory that you created before defining the package.

The first two types of jobs are the mechanism for distributing and installing software. These jobs consist of a package, a target, a schedule, and additional properties specifying actions for SMS to complete. The target for a job can be one or more sites. It can also be the list of machines that are the results of running a query. You can even create a machine group containing arbitrary computers to use as a job target. If you want to use a query or machine group as a job target, it should be created before you define the job.

Run Command on Workstation Jobs

Run Command on Workstation jobs can be used to start executable files or batch files. They can be used to start an application's setup program, or run a command to perform a task such as a virus checker. These jobs are presented to client workstations using the Package Command Manager client utility program. They can be mandatory jobs that must be run, optional jobs that can be run at the user's preference, or jobs that are optional until a certain date at which time they become mandatory.

To create a Run Command on Workstation job, follow these steps:

  1. Create a package source directory and define a package with Workstation properties. See "Defining Packages for Software Distribution" earlier in the chapter to review how to do this.


    Be sure that the SMS service account has permission to access the package source directory.

  2. Start the SMS Administrator program.

  3. Open the Jobs window. Choose File, New from the menu. The Job Properties dialog box appears, as shown in figure 27.7.

    Fig. 27.7 - The Job Properties dialog box is used to select the type of job, its schedule, and other properties that affect its use.

  4. Enter descriptive information about the job in the Comment text box. This information is only visible to SMS administrators - it is never exposed in a client utility on a user's desktop. The text used in the Package Command Manager comes from the Package Properties dialog box. You can therefore use this comment to store notes about the job without concern for making it understandable to users.

  5. Select Run Command on Workstation from the Job Type drop-down list box.

  6. Click Details. The Job Details dialog box appears (see fig. 27.8).

    Fig. 27.8 - This figure depicts the Job Details dialog box for a Run Command on Workstation job.

  7. Select the package you want to use in the Package drop-down list box.


    Only packages with workstation properties defined will be displayed in the
    Package drop-down list box.

  8. In the Job Target box, you have three option buttons and a check box to specify the clients that should receive this package. Select Query Results if you want to use the list of machines that result from a query. Choose the query in the drop-down list box. Select Machine Group if you would like to use a predefined group of computers as the job target. Choose the machine group in the appropriate drop-down list box. Select Machine Path to specify a path of the form site:domain:computername. You can use the * character as a wildcard. For example GAS:*:* specifies all computers in all domains at the site with a site code of GAS. GAS:INTERNAL:* specifies all computers in the INTERNAL domain at site GAS.

  9. You may also use the Limit to Sites check box and the corresponding drop-down list box to select a specific site. Click the Include subsites box to include subsites of the selected site. You can combine the check boxes with the option boxes in the Job Target box. For example, you could specify all computers that are in a Query result set and are members of a specific site.


    If you specify a machine path using a site code (for example, GAS:*:*) the
    Limit to Sites and Include Subsites check boxes will not have any effect. To use the check boxes, specify a machine path of *:*:*.

  10. In the Send Phase box, select the option button to indicate whether the job should be resent to sites that have already received it. If you have made changes to a previously sent package, select Even If Previously Sent to overwrite the old copy of the compressed package on the site's default package server with a new one.

  11. In the Distribute Phase box, click the Put on Specified Distribution Servers check box and select Default Servers in the drop-down list box. Use the Refresh Existing Distribution Servers check box if you make a change to a package and need to update the decompressed version of the package on file servers.

  12. Finally, make selections in the Run Phase box. If you defined multiple command lines for the package being used, select the command you want to use for this job in the Run Workstation Command drop-down list box. If you clear the Run Workstation Command check box, SMS will distribute the package to sites, but will not offer a command to client workstations in the Package Command Manager.

  13. The next three drop-down list boxes determine when the package will appear on client workstations in the Package Command Manager. If you want to postpone the first date the package will be offered, select the date in the Offer After drop-down list box. If the job should be mandatory, either when the package is initially offered or after an initial period of optional execution, click the Mandatory After check box and select a date. If the package is large, it is a good idea to click the Not Mandatory over Slow Link check box. If the job should expire after a certain date, click the check box and select a date.

  14. Click OK to return to the Job Properties dialog box. Click OK to close the Job Properties box. The job will be added to the SMS database, given a unique job ID, and is now available for execution when the schedule indicates. You can open this job at a later time and click the Status button to check on its progress. See "Monitoring the Status of Jobs" later in this chapter for more information.

Share Package on Server Jobs

There are a few differences in the Job Details dialog box for this type of job, but Share Package on Server jobs have many similar characteristics to the Run Command on Workstation jobs that you just learned about. They are somewhat easier to define because there is no Run Phase box to indicate when the package should be offered to clients (because the job is just placed on servers). Remember that this type of job can be used to distribute a package of data files, or any other type of files for that matter. If the job you are defining is a networked application, recall that you may want to define a Program Group to automatically build a Program Manager group with icons for the application on the Windows desktops of selected groups of users. See "Creating Program Groups for Shared Applications" later in the chapter for more information.

See "Program Group Control," (Ch. 25)

To create a Share Package on Server job, follow these steps:

  1. Create a package source directory and define a package with Workstation properties. See "Defining Packages for Software Distribution and Installation" earlier in this chapter for more information.


    Be sure that the SMS service account has permission to access the package source directory.

  2. Start the SMS Administrator program.

  3. Open the Jobs window. Choose File, New from the menu. The Job Properties dialog box appears (see fig. 27.9).

    Fig. 27.9 - This figure depicts the Job Properties dialog box being used to define a Share Package on Server job.

  4. Enter descriptive information about the job in the Comment text box. This information is only visible to SMS administrators - it is never exposed in a client utility on a user's desktop. The text used in the Package Command Manager comes from the Package Properties dialog box. You can therefore use this comment to store notes about the job without concern for making it understandable to users.

  5. Select Share Package on Server from the Job Type drop-down list box.

  6. Click Details. The Job Details dialog box appears (see fig. 27.10).

    Fig. 27.10 - This figure depicts a Job Details dialog box for a Share Package on Server job.

  7. Select the package you want to use in the Package drop-down list box.


    Only packages with sharing properties defined will be displayed in the
    Package drop-down list box.

  8. In the Job Target box, you may use the Limit to Sites check box and the corresponding drop-down list box to select a specific site. Click the Include subsites box to include subsites of the selected site.

  9. In the Send Phase box, select the option button to indicate whether the job should be resent to sites that have already received it. If you have made changes to a previously sent package, select Even If Previously Sent to overwrite the old copy of the compressed package on the site's default package server with a new one.

  10. In the Distribute Phase box, click the Put on Specified Distribution Servers check box and select Default Servers in the drop-down list box. Use the Refresh Existing Distribution Servers check box if you make a change to a package and need to update the decompressed version of the package on file servers.

  11. Click OK to return to the Job Properties dialog box. Click OK to close the Job Properties box. The job will be added to the SMS database and given a unique job ID, and is now available for execution when the schedule indicates. You can open this job at a later time and click the Status button to check on its progress. See "Monitoring the Status of Jobs" later in this chapter for more information.

Creating Program Groups for Shared Applications

The Program Group Control utility, which runs on clients using the Program Manager as their primary Windows command processor, provides some powerful capabilities. This is another tool that can help the SMS administrator effectively manage the enterprise network. Most of the capabilities it provides will work in either a Windows NT Server or NetWare environment. One of the features, however, is only available in environments running Windows NT Server on the network's file servers.

If you are using Windows NT file servers, SMS will leverage the capability of Windows NT to limit the number of users who can connect to a shared resource at one time. SMS includes two utility programs, APPCTL and APPSTART, that will connect to one of a group of servers offering a particular shared application and start the application. When the application terminates, the network connection will be released. The APPCTL and APPSTART utilities are part of the Program Group Control capability on client workstations. By combining this with the capability to limit connections to a share, you can achieve a limited software metering function.

In addition, the Program Group Control capability allows you to create Program Manager groups that will "follow" users if they move from one computer to another. This can be especially useful for support personnel who visit different computers on the network and may require a suite of troubleshooting utility programs. It is also useful in industrial environments where a population of users shares a group of machines but don't have exclusive use of a particular workstation.

The Program Group Control capability depends on the use of Program Manager, and hence is not available to users of Windows 95, unless they have chosen to use the older style Windows user interface. The shared applications are still available, however, and even Windows 95 users who take advantage of the new user interface will be able to browse for these shared applications in the Network Neighborhood, or connect a drive letter to the share using the toolbar in My Computer.

See "Program Group Control," (Ch. 25)

Program Group Control is dynamic. At regular intervals specified by the client configuration, Program Group Control will check a database to find the program groups that have been defined for a particular user and build program groups in Program Manager. This happens when you initially log on to the network and may be updated throughout the day if you want. The update interval can be set on individual client workstations by an administrator or directly by the user if the default value is unacceptable. The Help Desk features of SMS can be used to set this option for users from a central administrative console if desired. See "Remote Control" later in this chapter for more information.

To define program groups for a package, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Program Groups window. Choose File, New from the menu. The Program Group Properties dialog box appears (see fig. 27.11).

    Fig. 27.11 - The Program Group Properties dialog box is used to define SMS Program Groups that will provide instructions for client components to dynamically build program groups in the Program Manager on client workstations.

  3. Enter a name for the program group in the Name text box. This name appears at the client workstation as the name of the program group in Program Manager on the client's Windows desktop.

  4. Enter additional descriptive text to describe the program group in the Comments text box. This text does not appear anywhere on the client's desktop, and can therefore be used for administrative notes.

  5. Click Packages. The Program Group Packages dialog box appears (see fig. 27.12).

    Fig. 27.12 - The Program Group Packages dialog box is used to define the packages that will be included in this SMS Program Group.

  6. Select the package you want to add to this program group from the list of available packages in the list box. Click Add to add the package to the list of packages that are members of this group. The package will be added to the Member Packages list box.

  7. Select the package in the Member Packages list box. Any program items that have been shared for this package appear in the Shared Program Items For package list box. You will typically want to make sure that all check boxes are selected, but if you want to exclude a shared program item, clear its check box.

  8. Repeat steps 6 and 7 multiple times to build a program group that has icons for several different packages. When you have added all the packages to the program group, click OK to return to the Program Group Properties dialog box.

  9. Click User Groups to define the groups of users that will be offered this program group. The User Groups dialog box appears (see fig. 27.13).

    Fig. 27.13 - The User Groups dialog box allows you to define the groups of users that will receive this program group (provided that they are using the Program Group Control component on their workstation).

  10. All Windows NT global groups, LAN Manager groups, and NetWare server user groups appear in the Don't Share With These Groups list box. This box lists all groups for the current site and all its subsites. Select a user group that should be offered this program group and click Add. The group's name moves to the Share With These Groups list box. Repeat until all the groups who should see this program group on their desktops have been added. Click OK to return to the Program Group Properties dialog box.

  11. Click OK to close the Program Group Properties dialog box. The site database will be updated, and the program group database will be distributed to the appropriate sites. At that time, users who belong to the designated groups and are running Program Group Control on their Windows desktops will have a program group created dynamically on their desktop.


A user attempts to run an application from an SMS program group and it fails to execute.
The program groups you define and assign to user groups will be created and displayed regardless of whether the corresponding package has been distributed with a Share on Server job. Check to make sure that the Share on Server job has finished. You may want to make sure that such a job has been completed before creating the corresponding program group. See "Monitoring the Status of Jobs" later in this chapter for more information.

Remove Package from Server Jobs

To define a Remove Package from Server job, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Jobs window. Choose File, New from the menu. The Job Properties dialog box appears (see fig. 27.14).

    Fig. 27.14 - The Job Properties dialog box is depicted during the definition of a Remove Package from Server job.

  3. Enter descriptive information about the job in the Comment text box. This information is only visible to SMS administrators - it is never exposed in a client utility on a user's desktop. The text used in the Package Command Manager comes from the Package Properties dialog box. You can therefore use this comment to store notes about the job without concern for making it understandable to users.

  4. Select Remove Package from Server in the Job Type drop-down list box.

  5. Click Details. The Job Details dialog box appears (see fig. 27.15).

    Fig. 27.15 - This figure shows the Job Details dialog box for a Remove Package from Server job.

  6. Select the package you want to remove in the Package drop-down list box.


    All packages defined in the site database that you logged on to with SMS Administrator will be displayed in the
    Package drop-down list box.

  7. In the Job Target box, you may use the Limit to Sites check box and the corresponding drop-down list box to select a specific site for package removal. If you want to include all sites, select the central site. Click the Include subsites box if you would also like to include the subsites of the selected site.

  8. In the Job Tasks box, select the option button that corresponds to your wishes. You may remove the package from all distribution servers, or only selected servers. If you remove the (uncompressed) package from all distribution servers, the (compressed) package will also be removed from the site server at each target site. If you remove the package from only selected servers, the compressed package will be left intact at site servers for potential redistribution later.

  9. Click OK to return to the Job Properties dialog box. Click OK to close the Job Properties box. The job will be added to the SMS database and given a unique job ID, and is now available for execution when the schedule indicates. You can open this job at a later time and click the Status button to check on its progress. See "Monitoring the Status of Jobs" later in this chapter for more information.

Canceling and Deleting Jobs

The process that SMS follows to complete a job involves multiple steps that occur over a period of time. A particular job may impact many computers at a number of sites. Therefore, some care should be exercised when removing jobs to be sure that you delete the package components from all desired locations.

The simplest case is a pending job or a completed job. A pending job can be deleted, and it will be removed before the distribution process ever occurs. A completed job can be deleted but, of course, the components of the job that have already been installed at servers and clients will not be removed. You can use a Remove Package from Server job to delete shared packages from site servers and distribution servers. You can use a Run Command on Workstation job to deinstall applications from client workstations.

Active jobs should be canceled before being deleted. This causes a Cancel system job to be initiated that will remove the job's instructions from all points where the job's instructions have been distributed. It will not remove components that have already been installed on servers or clients, however. Again, you must use Remove Package from Server jobs and Run Command on Workstation jobs to remove installed components from servers and clients. The steps for checking the status of active jobs are described in section "Monitoring the Status of Jobs" later in this chapter.

To cancel an Active job, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Jobs window. Select the job you want to cancel.

  3. Choose Edit, Cancel Job from the menu.

  4. Click Yes when prompted to confirm that you want to cancel the job.

To delete a job, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Jobs window. Select the job you want to delete.

  3. Choose Edit, Delete from the Edit menu.

  4. Click Yes when prompted to confirm that you want to delete the job.

You have now learned how to define packages that can be used to install software on workstations or to set up a shared application on one or more servers. You then learned how to create a job that would "activate" the package and implement it on computers you designate. You also learned how to remove packages, and to cancel and delete jobs.

Using Package Definition Files (PDFs)

In addition to operating systems, Microsoft is the developer of some popular applications. Products like Microsoft Office, Word, and Excel are among the best-selling applications available. They also include sophisticated setup programs that offer a variety of installation types, from minimal to complete. These setup programs can generally be customized by modifying a file that controls setup, which usually has an STF extension. You could attempt to create packages for these applications on your own, but SMS includes Package Definition Files (PDFs) to make the job of automatically distributing and installing these applications easier.

Microsoft has also started including PDFs for new applications on the CD-ROM for the application itself. For example, PDFs have been included on the Office 95 CD (both Professional and Standard Editions) and Word for Windows 95.

Table 27.1 lists many of the applications for which PDFs are available and their associated PDFs:

Table 27.1 Applications with PDFs
ApplicationPDF
Access V2.0AACS200.PDF
Excel V5.0AEXC50A.PDF
Office V4.2A (Standard)OFF42A.PDF
Office V4.3A (Professional)OFP43_.PDF
Office 95 (Standard)OFF95STD.PDF
Office 95 (Professional)OFF95PRO.PDF
PowerPoint V4.0APPT40A.PDF
Project V4.0APRJ40_.PDF
Word for Windows V6.0AWWD60A.PDF
Word for Windows 95WRD95.PDF
Works V3.0WRK30A.PDF


It is a good idea to check the Microsoft Web server (
http://www.microsoft.com), CompuServe, or the Microsoft Network at regular intervals to see if there are new PDFs or other updated information or files. For example, a Knowledge Base article from November 1, 1995 (ID Q135084) describes how to correct problems with the Office 95 Standard Edition and Word for Windows 95 PDFs.

Much of the process for creating packages using PDFs is the same process you would follow to create a package for other applications without a PDF. You must still create a package source directory. You can create a directory that includes the files for both Run Command on Workstation and Share Package on Server packages. To create the package source directory for Microsoft Office, or one of the individual Office applications (for example, Excel), follow these steps:

  1. Create a directory for the application on a server. For example, you might create a directory named EXCEL for Microsoft Excel. Share it with the same name. This becomes the package source directory for the application.


    Instructions regarding MSAPPS, the shared mini-applications for Office, such as those in steps 2 and 4 should only be followed if you are installing a Microsoft application that uses the mini-applications. This includes Word, Excel, and PowerPoint. The mini-applications are a set of utilities that augment the Office products, but cannot run on their own. Word Art and the Equation Editor are examples of mini-applications. These steps are not necessary with applications in general.

  2. On the same server, create a directory named MSAPPS for the Microsoft Mini-applications shared by all Office applications, and share it with the name MSAPPS. This will be the package source directory for the shared mini-applications.

  3. Go to a client workstation, log on to the network with an Administrative account, and connect to the new directories you just created.

  4. Perform an administrative install of the application. Specify the network connected directories as the destination directories for the application and MSAPPS, respectively.

  5. After installing the application onto the server, you must copy a special directory, called the SMSPROXY directory, from the SMS\PRIMSITE.SRV\IMPORT.SRC directory on the site server into the package source directory. There is an SMSPROXY directory for each application that has a PDF.

You are now ready to create the package itself. First, you learn how to create packages for both the application and MSAPPS that include Workstation and Sharing properties. Then you create a job to distribute these packages for sharing on network file servers. Finally, to complete the process, you create a Program Group and make it available to the Domain Users group.

To define a package for Microsoft Excel version 5.0a with properties for both workstations and sharing using a PDF, follow these steps:

  1. Start the SMS Administrator program.

  2. Open the Packages window. Choose File, New from the menu. The Package Properties dialog box appears.

  3. Click the Import button. The File Browser dialog box appears. Find and select the PDF for Microsoft Excel-EXC50A.PDF. Click OK to return to the Package Properties dialog box.

  4. Click Workstations. The Setup Properties for Workstations dialog box appears.

  5. Because you have imported a PDF, many of the entries in this dialog box will already be completed. You will, however, need to tell SMS where the package source directory you created for Excel following the instructions at the beginning of this section is located. Enter the location of the package source directory in the Source Directory text box.

  6. Click Close to return to the Package Properties dialog box.

  7. Click Sharing. The Setup Properties for Sharing dialog box appears.

  8. Enter the location of the package source directory for Excel in the Source Directory text box. This should be the same package source directory you used for workstation properties if you followed the directions at the beginning of this section.

  9. Click the Access button if you want to change the default permissions that will be granted to this network share. By default, Users and Guests are granted Read and Write access. The Share Access dialog box appears. Click the check boxes reflecting the permissions you want to assign. Click OK to close the Share Access dialog box.

  10. Click Close to return to the Package Properties dialog box.

  11. Click OK to close the Package Properties dialog box.

  12. Choose File, New from the menu. The Package Properties dialog box appears.

  13. Click the Import button. The File Browser dialog box appears. Find and select the PDF for the Microsoft mini-applications - MSAPPS PDF. Click OK to return to the Package Properties dialog box.

  14. Click Workstations. The Setup Properties for Workstations dialog box appears.

  15. Enter the location of the package source directory for MSAPPS in the Source Directory text box.

  16. Click Close to return to the Package Properties dialog box.

  17. Click Sharing. The Setup Properties for Sharing dialog box appears.

  18. Enter the location of the package source directory for MSAPPS in the Source Directory text box.

  19. Click the Access button if you want to change the default permissions that will be granted to this network share. These permissions should match those you just made for Microsoft Excel. Click OK to close the Share Access dialog box.

  20. Click Close to return to the Package Properties dialog box.

  21. Click OK to close the Package Properties dialog box.

You can now use this package to create two different kinds of jobs: Run Command on Workstation and Share Package on Server. The following example only shows you how to create a job to share this package on default distribution servers. (See the section "Run Command on Workstation Jobs" earlier in this chapter for information on creating the other type of job.) The example also demonstrates the capability of using drag-and-drop with a package icon to create a job. You drag a package from the Packages window and drop it on the site in which you want to share the package. This opens a job properties window with many of the boxes already properly completed for you. You have already learned how to create jobs using other methods in the section titled "Creating Jobs for Software Distribution and Installation."

To use drag-and-drop to create a Share on Server job with the Excel and MSAPPS packages you just defined, follow these steps:

  1. Open both the Packages and Sites windows. If necessary, choose Window, Tile Horizontally from the menu to arrange the windows so that both are visible.

  2. Click and hold down the left mouse button on the Excel package in the Packages window. Drag the package onto an appropriate target site in the Sites window and release the mouse button when the site is highlighted indicating that it has been selected as a target for the job. The Job Details dialog box appears.

  3. As with package definition, many of the boxes will already be properly completed. In the Send Phase box, select the Only if Not Previously Sent option button because this is the first time you are sending this package.

  4. In the Distribute Phase box, click the Put on Specified Distribution Servers check box and select Default Servers in the drop-down list box. Use the Refresh Existing Distribution Servers check box if you make a change to a package and need to update the decompressed version of the package on file servers.

  5. Click OK to return to the Job Properties dialog box. Click OK to close the Job Properties box. The job will be added to the SMS database, given a unique job ID, and is now available for execution when the schedule indicates. You can open this job at a later time and click the Status button to check on its progress.

Follow the same steps to create a job to distribute MSAPPS substituting the MSAPPS package for the Excel package. Then you will be ready to create a program group for Excel and MSAPPS. To do so, follow these steps:

  1. Open the Program Groups window. Choose File, New from the menu. The Program Group Properties dialog box appears.

  2. Enter Microsoft Excel in the Name text box. This name appears at the client workstation as the name of the program group in Program Manager on the client's Windows desktop.

  3. If you want, enter additional descriptive text for the program group in the Comments scrolling text box.

  4. Click the Packages button. The Program Group Packages dialog box appears.

  5. Select Excel in the Available Packages box. Click Add to add the package to the list of packages that are a member of this group. The packages will be added to the Member Packages list box.

  6. Select Excel in the Member Packages list box. Make sure that all check boxes are selected.

  7. Repeat steps 6 and 7 with MSAPPS. Click OK to return to the Program Group Properties dialog box.

  8. Click the User Groups button to define the groups of users that will be offered this program group. The User Groups dialog box appears.

  9. Select a user group that should be offered this program group and click Add button. The group's name will move to the Share With These Groups list box. Repeat until all the groups who should see this program group on their desktops have been added. Click OK to return to the Program Group Properties dialog box.

  10. Click OK to close the Program Group Properties dialog box. The site database will be updated, and the program group database will be distributed to the appropriate sites. At that time, users who belong to the designated groups and are running Program Group Control on their Windows desktops will have a program group created dynamically on their desktop for Microsoft Excel and the mini-applications.

Monitoring the Status of Jobs

On many occasions, it is appropriate to check the current status of a job. As noted earlier, it is especially important when you are preparing to cancel or delete a job. It can also be useful to help troubleshoot a job that is not yet visible at a particular site. To check the status of a job, follow this procedure:

  1. Start the SMS Administrator program.

  2. Open the Jobs window. A summary of all defined jobs and their current status appears (see fig. 27.16).

    Fig. 27.16 - The Jobs window displays a summary status of currently defined jobs.

  3. If you would like to see detailed status information for a job, select the job and choose File, Properties from the menu or simply double-click the job. The Job Properties dialog box appears. Click the Status button. The Job Status dialog box appears (see fig. 27.17).

    Fig. 27.17 - The Job Status dialog box provides detailed status information about a job.

  4. The job status is displayed for all sites selected as targets of the job. If you would like to see detailed status for a particular site, select the site and click the Details button. The Job Status Details dialog box appears (see fig. 27.18).

    Fig. 27.18 - The Job Status Details dialog box provides step-by-step detail on the processing of the job.

  5. This dialog box provides detailed information about the status of the job at this particular site. Click Refresh to update the information displayed if you want to leave the dialog box open and watch the job progress through various stages. Click Close to return to the Job Status dialog box. Click Close again to return to the Jobs window.

You should now have a good grasp of the fundamentals involved in defining packages and jobs and how they are used to automate the distribution and installation of software. These are powerful capabilities that can help you manage your network and save hours of time for your administrative staff. However, if these tools were maliciously misused, they could cause serious repercussions for the operation of your network. In the next section, you learn how to safeguard these tools and how to set permissions so that only authorized personnel can use them.

Using the SMS Security Manager

The SMS Security Manager allows you to set different access rights for various users. After these rights have been set, they will be able to use the SMS Administrator program to perform the actions for which they have been granted permissions. It is possible, therefore, to divide the different tasks that are required to administer an SMS system among several individuals and use the security features of SMS to prevent unauthorized use of the SMS Administrator program.

By default, users have no access rights to use the SMS Administrator program. SMS security is based on the security provided by SQL Server. By controlling who has access to the SMS database, and tables within that database, you can effectively control the capability to complete various SMS administrative functions. Microsoft SQL Server provides the capability to use different security models - standard, integrated, and mixed. The model you have selected for your SQL Server will impact the SQL Server login ID you use to run the SQL Administrator program.

See "Choosing a Security Model," (Ch. 18)

For a user to be able to use SMS Administrator for administrative tasks, a SQL Server login ID must be created for the user, and the user must be granted rights to use the site database. A simple approach for users who use SQL Server only for SMS databases is to assign the site database as their default database. You can create this login ID and set the user's default database to be the site database, using the SQL Enterprise Administrator program. After you have created a login ID and username for the user, you can use the SMS Security Manager to grant specific rights to that person.


SQL Server uses the terminology login ID rather than logon ID. It has the same meaning.

See "Creating Login IDs and Usernames," (Ch. 18)

To use the SMS Security Manager to grant rights to a specific user, follow this procedure:

  1. Start the SMS Security Manager. The SMS Security Manager Login dialog box appears (see fig. 27.19).

    Fig. 27.19 - The SMS Security Manager Login dialog box.

  2. Enter the name of the SQL Server being used at this site, the name of the database (usually SMS), a login ID, and password. To administer security for this site, you need a login ID with system administrator (sa) or database owner (dbo) privileges on the site database.


    If you are using Integrated security for your SQL Server, the Windows NT user ID is used, and the Login ID and Password boxes should be left blank.

  3. The drop-down list box will list all users that have been added to the site database. If the user you want to set privileges for does not appear, add the user's account to the site database using the SQL Enterprise Manager.

  4. Select the user whose access rights you want to set from the drop-down list box. If you have added the user since starting the SMS Security Manager, choose Security, Refresh from the menu to update the list box.

  5. Select the component for which you want to set rights. From the Security menu, select the setting you want - No Access, View Access, or Full Access. The Proposed Rights in the table should change to reflect your new choices.

  6. Choose Security, Save User to save the new settings you have made. The site database will be updated.

See "Understanding Object Ownership and Permissions," (Ch. 19)

Understanding Permissions

You can set three different access levels or permissions for a particular user on a given object. The permissions, and a brief explanation of the permission's implications, are as follows:

  • No Access. This permission grants a user no capability to view or modify the object in question. For example, if the user was granted No Access for Help Desk, he or she could not activate the Help Desk features in the SMS Administrator. No Access to Jobs would prevent the user from even opening the Jobs window. If you set No Access to Packages, the user cannot open the Packages window, or even access packages in job properties dialog boxes or when defining program groups.

  • View Access. The user can view the object, but cannot create objects of this type or modify existing objects. View access to Packages would allow the user to see and use packages when defining jobs (if the user had full access to jobs), but the user could not change the characteristics of the package in any way.

  • Full Access. The user can view, create, and modify objects of the type in question.


The various objects in the SMS database are highly interrelated. It is logical, therefore, that setting permissions on these objects would also impact the permissions required for other objects for your settings to operate properly. See table 4.1, "Security Object Access," in Chapter 4 of the
SMS Administrator's Guide for detailed information on object access permissions.

Understanding Administrative Roles

To simplify the process of setting rights for SMS administrators, several predefined roles have been created as templates. Appropriate rights to various objects have already been set, with care taken to observe the various object interactions. It may be a good idea to use these templates to set rights for your users.

Templates have been created for the following types of SMS administrative roles:

  • Asset Manager

  • Help Desk

  • Job Manager

  • Network Monitor

  • Software Manager

  • Tech Support

To use a template to assign rights to a user, follow these steps:

  1. Start the SMS Security Manager. The SMS Security Manager Login dialog box appears.

  2. Enter the name of the SQL Server being used at this site, the name of the database (usually SMS), a login ID, and password. To administer security for this site, you need a login ID with system administrator (sa) or database owner (dbo) privileges on the site database.

  3. Select the user whose access rights you want to set from the drop-down list box.

  4. Select Security, Use Template from the menu. The User Templates dialog box appears (see fig. 27.20). Choose the user template you want to copy for the selected user. The Proposed Rights in the table should change to reflect your new choices.

    Fig. 27.20 - The SMS Security Manager User Templates dialog box provides the capability to easily choose a predefined role for a user. This role can then be modified if further customization is necessary.

  5. Choose Security, Save User to save the new settings you have made. The site database will be updated.

With the techniques you have just learned, you will be able to keep unauthorized users from maliciously, or accidentally, using the tools and capabilities of SMS. In the next section, you learn about the capability to use SMS in an environment that includes the Remote Access Service (RAS). Special configuration requirements for SMS are provided. The Remote Access Service is described in detail in Chapter 7, "Implementing the Remote Access Service (RAS)."

Using Dial-Up Access to SMS

In a Windows NT Server environment offering RAS, you can connect to the network from a remote location using a modem and standard telephone lines. In general, you can access all network features although the speed of the line will have an impact on some capabilities. This section outlines the things you should be aware of when administering an SMS site that supports RAS access.

The primary thing that is impacted by the slower line speeds of a dial-up connection is the delivery of Run Command on Workstation packages. A check box on the Job Details dialog box for Run Command on Workstation jobs allows you to indicate that even mandatory jobs should not be forced over a slow link (refer to fig. 27.8). Before clearing this check box, and thereby forcing mandatory commands over slow links, you should conduct tests to determine the time it takes with a particular package and modem speed. Even relatively modest packages may take an inordinate amount of time to download over a modem and effectively render the network unusable to remote users. Because these users are often traveling, or working after hours from home, the ramifications of this selection should be carefully considered.

The Help Desk features, especially remote control, depend on a reasonably fast link between the computer running the SMS Administrator and the client workstation being remotely controlled. With high-speed modems and the compression offered by RAS, it is possible to perform relatively simple tasks via remote control. A few settings may need to be changed to make this possible. At the end of Appendix C in the SMS Administrator's Guide, "SMS System Flow," there is a short section titled "Making Remote Troubleshooting Connections," which outlines the files and settings that may need fine-tuning to perform remote control operations over a dial-up line. Because this has little or nothing to do with the system flow, it is almost always overlooked. Another section of the SMS Administrator's Guide you may find helpful is "Configuring Lana Numbers and Timeouts on the SMS Administrator Computer" in Chapter 15.

The Help Desk Remote Diagnostic Capabilities

SMS provides capabilities to aid in diagnosing problems that may occur on client workstations. These features allow you to connect to a client workstation from the SMS Administrator program and remotely control the client workstation. You will see the same display that the user is viewing and be able to use your keyboard and mouse to control the remote computer. In addition, you can conduct an interactive "chat" in a double-paned window with users who are not able to use a telephone. You can also reboot the computer remotely.

For these utilities to work, the computers running the SMS Administrator and the client workstation must be running the same transport protocol. The computer to be controlled must also be inventoried in an SMS site. In addition, the Remote Control feature must be enabled at the user workstation. This is a security safeguard to prevent unauthorized viewing of user's workstations. If a user does not want anyone to be able to remotely control his or her computer, the user can simply not enable this feature. If it is enabled by default, the user can run the Help Desk Options program as outlined later and deselect the remote control check box. The remote control features are only available for clients running Windows, Windows for Workgroups, and Windows 95. Support for Windows NT is contemplated for a later version.

On the client workstation, be sure that the appropriate remote control utility is loaded. If you selected remote control as a default client component they should already be loaded. These utilities are Terminate and Stay Resident (TSR) programs. Two TSRs can be used: USERTSR and USERIPX. USERTSR is used in conjunction with a transport that supports NetBIOS (NetBEUI or TCP/IP) and USERIPX is used with the IPX transport.

See "Default Client Component Settings," (Ch. 26)

Remote Control

To use the Remote Control feature, follow these steps:

  1. At the client workstation, start the Help Desk Options utility program. It can be found in the SMS Client program group. The Help Desk Options dialog box appears (see fig. 27.21).

    Fig. 27.21 - The Help Desk Options dialog box is used to configure the options that should be active on a client workstation.

  2. Click the check boxes desired to enable the features you want. For remote control, check Allow Remote Control. You can also select check boxes in the Local Options box to affect the behavior of remote control operations. If you would like an audible signal to sound whenever someone is controlling your workstation, for example, click the Audible Signal When Viewed check box.

  3. Click Save As Current.

  4. At the SMS Administrator console, open the Sites window. Open the site and domain containing the computer you want to control by double-clicking their names in the left pane of the Sites window. Find the computer you want to control and double-click the computer's name in the right pane of the Sites window. The Personal Computer Properties - computername window appears.

  5. Scroll down through the list of properties in the left pane of the window until you find the Help Desk icon. Click the Help Desk icon in the left pane, and then click the Remote Control button in the right pane. You will see the message "Attempting to locate computername" in a message box, and possibly the message "Trying Additional Protocols." When the computer is found, a viewer window is displayed (see fig. 27.22).

    Fig. 27.22 - This figure depicts a computer running Windows 95 being remotely controlled from a Windows NT Server computer with the Help Desk features of the SMS Administrator. The striped border outlines the remote desktop.

  6. You may now use your keyboard or mouse to remotely control the remote computer. When you are finished, close the viewer window and the connection will be broken.

Remote Chat

To use the interactive Remote Chat feature, follow these steps:

  1. If the client workstation doesn't allow Remote Chat by default, you must enable this feature. At the client workstation, start the Help Desk Options utility program. It can be found in the SMS Client program group. The Help Desk Options dialog box appears.

  2. Click the Allow Chat check box.

  3. Click Save As Current.

  4. At the SMS Administrator console, open the Sites window. Open the site and domain containing the computer you want to control by double-clicking their names in the left pane of the Sites window. Find the computer you want to control and double-click the computer's name in the right pane of the Sites window. The Personal Computer Properties - computername window appears.

  5. Scroll down through the list of properties in the left pane of the window until you find the Help Desk icon. Click the Help Desk icon in the left pane, and then click the Remote Chat button in the right pane. You will see the message "Attempting to locate computername" in a message box, and possibly the message "Trying Additional Protocols." When the computer is found, a double-paned chat window is displayed (see fig. 27.23).

    Fig. 27.23 - This figure depicts Remote Chat windows with an interactive discussion taking place.

  6. Whatever you type in your half of the Chat window will be displayed in the Chat window at the remote computer and vice versa. When you are finished, close the Chat window, and the connection will be broken.

Remote Reboot

To use the Remote Reboot feature, follow these steps:

  1. If the client workstation doesn't allow remote reboot by default, you must enable this feature. At the client workstation, start the Help Desk Options utility program. It can be found in the SMS Client program group. The Help Desk Options dialog box appears.

  2. Click the Allow Remote Reboot check box.

  3. Click Save As Current.

  4. At the SMS Administrator console, open the Sites window. Open the site and domain containing the computer you want to control by double-clicking their names in the left pane of the Sites window. Find the computer you want to control and double-click the computer's name in the right pane of the sites window. The Personal Computer Properties - computername window appears.

  5. Scroll down through the list of properties in the left pane of the window until you find the Help Desk icon. Click the Help Desk icon in the left pane, and then click the Remote Reboot button in the right pane. You will see the message "Attempting to locate computername" in a message box, and possibly the message "Trying Additional Protocols." When the computer is found, you will see the message "Rebooting Remote Computer."

Using the Network Monitor

Every network administrator will eventually encounter a situation in which something is not working and yet everything seems to be properly configured. When you have checked all the settings on your servers and clients and things still aren't working, you may want to "see" what is happening "on the wire." That is, you may want to capture and observe the contents of all the network traffic between two or more computers to analyze exactly what is taking place. The Network Monitor utility included with SMS allows you to perform this task. It is similar in many ways to other products that perform protocol analysis of LAN/WAN traffic, although the exact feature sets for these products vary.

In addition to troubleshooting functions, the Network Monitor allows you to benchmark your network by recording the values of certain indicators of LAN usage at regular intervals. When you install the Network Monitor, additional objects and counters become available in the Performance Monitor utility included with Windows NT Server and Windows NT Workstation. Although detailed coverage of this utility is beyond the scope of this book, the simple examples presented in this section introduce you to this powerful tool and familiarize you with its capabilities.

Protocol Analysis

To capture and view network traffic with the Network Monitor, follow these steps:

  1. Start the Network Monitor. The Capture Window appears in the Network Monitor window (see fig. 27.24).

    Fig. 27.24 - The Network Monitor display is shown in this figure with the Capture window open and active.

  2. Choose Capture, Start from the menu. After a brief pause, you will see all the displays in the Capture window being updated to reflect the information that is being captured.

  3. When you are ready to view the traffic that you have captured, choose Capture, Stop and View from the menu. The Frame Viewer window appears (see fig. 27.25). You can highlight individual frames to see detailed information about the contents of those frames.

Fig. 27.25 - This figure depicts the Network Monitor with the Frame Viewer window open.

Performance Monitor

To use the Network Monitor objects and counters in the Performance Monitor, follow these steps:

  1. Start the Performance Monitor.

  2. Choose Edit, Add To Chart. Select a computer that you would like to monitor. This may be the computer you are currently using, or any other computer running Windows NT Server or Windows NT Workstation for which you have appropriate access rights.

  3. In the Object drop-down list box, select one of the Network Monitor objects. For example, you might select Network Segment.

  4. Select one or more of the counters available. For example, you might select Broadcast Frames Received Per Second and Total Bytes Received Per Second.

  5. Click OK to view the Chart.

Using Alerts to Monitor SMS

SMS administrators can use the Alerts feature of SMS to automatically detect certain conditions that may be of interest or indicate a potential problem. The conditions are detected using a query, and when those conditions are met, certain actions can be automatically triggered. When an alert's trigger condition is met, one or more of the following actions can be launched:

  • Execute a command.

  • Send a message to a user or a specific computer.

  • Enter an event in the SMS event log.

To create an alert, follow these steps:

  1. Create a query upon whose results the alert will be triggered.

  2. Open the Alerts window. Choose File, New from the menu. The Alert Properties dialog box appears (see fig. 27.26).

    Fig. 27.26 - The Alert Properties dialog box is used to define an alert. You can use the buttons provided to select the query that will trigger the alert and the actions that should be taken.

  3. Enter a name for the alert in the Name text box. Enter a comment describing the alert in the Comment text box. Click Query. The Alert Query dialog box appears (see fig. 27.27).

    Fig. 27.27 - The Alert Query dialog box provides the opportunity to select a query, set how often it is run, select the sites to which it is applied, and the "hit count" that will trigger the alert.

  4. Select the query you want to use in the Query drop-down list box. If you want to use this alert to monitor only specific sites, select the Limit to Sites check box and choose the site from the drop-down list box. If you want to include subsites, click the check box.

  5. Enter an interval for the query to be run on. The default interval is to run the query every 120 minutes.

  6. Make a selection from the Generate Alert when Hit Count from Query drop-down list box. Enter a number of hits that corresponds to this selection. These two items define the triggering condition for the alert. Click OK to return to the Alert Properties dialog box.

  7. Click Actions. The Alert Actions dialog box appears (see fig. 27.28).

    Fig. 27.28 - The Alert Actions dialog box is used to define the actions that should be taken when the alert is triggered.

  8. Fill out the dialog box to indicate the action that should be taken if an alert is triggered. Click OK to return to the Alert Properties dialog box.

  9. Click OK to close the Alert Properties dialog box and activate the new alert.

From Here...

In this chapter, you broadened your knowledge of SMS. You learned how to define packages and how to create jobs to activate those packages and begin the process of software distribution and installation. You learned how to use PDF files to simplify the process of using SMS with Microsoft applications. You also discovered how to control the use of SMS by using the SMS Security Manager. In addition, you explored the remote control capabilities provided by SMS and received an introduction to the Network Monitor, a protocol analysis utility included with SMS.


Table of Contents

26 - Implementing SMS

28 - Implementing Real-World Security