One of our Domain Admins and I came up with this procedure in our lab for assigning permissions to the attributes created by the SMS Schema Extensions. The idea was to get around assigning the SMS Service Account Full Control of the System Management Container. Once I added my first Secondary Site, the Domain Admin helping me tried to create a group with the Service Accounts (using the Site Server Account "servername$") but that didn't seem to work. So, he inevitably had to assign the rights specifically to the attributes for each Computer Account. I hope you find this information useful.
Using ADSIEDIT, create the "System Management" container inside the System container of the domain naming context (CN=System Management,CN=System,DC=...).
Right click on the System Management container and select properties.
Click the Security tab and add the computer account of the SMS primary site server (SiteServerName is used as a placeholder below; in production use the actual site server's computer account, i.e. SiteServerName$).
Assign permissions by selecting Read and Write, then click the Advanced button to add the remaining permissions.
Select the computer account
Click View/Edit
Click the Object tab
Select “Apply onto this object and all child objects”
Select "Create mSSMSManagementPoint Objects"
Select "Delete mSSMSManagementPoint Objects"
Select "Create mSSMSRoamingBoundaryRange Objects"
Select "Delete mSSMSRoamingBoundaryRange Objects"
Select "Create mSSMSServerLocatorPoint Objects"
Select "Delete mSSMSServerLocatorPoint Objects"
Select "Create mSSMSSite Objects"
Select "Delete mSSMSSite Objects"
Click OK
Uncheck "Allow inheritable permissions from parent to propagate to this object"
Click Copy (the entries inherited from CN=System are copied onto the container as explicit entries rather than dropped, so nothing is lost until you remove it deliberately in the next step)
Remove other permissions as necessary to leave only the desired permissions for:
Enterprise Admins
Administrators
Domain Admins
The computer account you added
SYSTEM
Authenticated Users
Click Apply
Click OK
The process of assigning permissions is completed. Verify the result by re-opening Advanced security on the container: the site server's computer account should hold Read and Write plus the eight create/delete entries above, applied to this object and all child objects, and no entry should still show as inherited.
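The same procedure can be scripted so it is repeatable for each site server. The script below is an added example, not from the original post or from Microsoft, and performs the steps above with the ActiveDirectory module and the AD: PSDrive: it creates the container if needed, grants the site server's computer account Read/Write plus create/delete rights scoped to the four SMS object classes (looked up by schemaIDGUID in the schema partition, so the GUIDs are never hard-coded), blocks inheritance with copy, and then reports which remaining ACEs belong to identities outside the keep list so you can remove them by hand. $SiteServer is an assumed placeholder for the site server's computer name; the mapping of the basic Read/Write check boxes to GenericRead/GenericWrite is also an assumption.

```powershell
# Added example: script the "System Management" container ACL for an SMS site server.
# Assumes: ActiveDirectory module, Domain Admin rights, SMS schema extension applied.
Import-Module ActiveDirectory

$SiteServer = 'SITESERVER'        # assumption: site server computer name, without trailing $

$rootDse     = Get-ADRootDSE
$domainDn    = $rootDse.defaultNamingContext
$schemaDn    = $rootDse.schemaNamingContext
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Step 1: create the container if it does not already exist.
try {
    $null = Get-ADObject -Identity $containerDn -ErrorAction Stop
} catch {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

$sid      = (Get-ADComputer -Identity $SiteServer).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # "this object and all child objects"
$acl      = Get-Acl -Path "AD:\$containerDn"

# Step 2: basic Read and Write (assumed equivalent of ticking Read/Write on the Security tab).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::GenericRead -bor $rights::GenericWrite), $allow, $inherit)))

# Step 3: create/delete child rights limited to the SMS object classes.
# The objectType GUID of a CreateChild/DeleteChild ACE is the child class's schemaIDGUID.
$classes = 'mSSMSManagementPoint', 'mSSMSRoamingBoundaryRange',
           'mSSMSServerLocatorPoint', 'mSSMSSite'
foreach ($class in $classes) {
    $schemaObj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$class)" `
                              -Properties schemaIDGUID
    if (-not $schemaObj) {
        throw "Schema class $class not found; has the SMS schema extension been applied?"
    }
    $classGuid = [guid]$schemaObj.schemaIDGUID
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $classGuid, $inherit)))
}

# Step 4: uncheck "Allow inheritable permissions ..." and choose Copy.
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance (= Copy)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Step 5: list ACEs for identities outside the keep list; review and remove them manually.
$keep = 'Enterprise Admins', 'Administrators', 'Domain Admins',
        "$SiteServer`$", 'SYSTEM', 'Authenticated Users'
$extra = (Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $keep -notcontains $_.IdentityReference.Value.Split('\')[-1] }
if ($extra) {
    Write-Warning "Entries not in the keep list (remove if not wanted):"
    $extra | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
        Format-Table -AutoSize
}

# Final check: the site server's own entries as written.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$SiteServer`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

The ObjectType column of the final listing shows the class GUID on each create/delete entry; an all-zero GUID there would mean the right applies to every object class, which is the over-broad grant this procedure is meant to avoid. After running it, confirm the site server can actually publish by checking that its site objects appear under the container and that hman.log on the site server reports no AD publishing errors.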