PCM Service for SMS 1.2 Clients Running Windows NT

In the past, the Package Control Manager (PCM) has been installed as a service on SMS logon servers, but only as an application on SMS clients. Because the client version runs as an application, it has only the privileges assigned to the user account from which the application is run.

PCM can now be installed as a service on any Windows NT workstation or Windows NT stand-alone server (x86 or Alpha) that is a member of a Windows NT domain and is an SMS 1.2 client. The executable file for the new PCM service is PCMSVC32.EXE. In addition to the new PCMSVC32.EXE file, the executable file for the PCM application (PCMWIN32.EXE) has been changed and will need to be replaced on the client computers.

These two files are included with the PCM service deliverable. A copy of RSERVICE.exe is also included, since it is used to install the PCM service. All three executables will also be available in SMS Service Pack 2, along with other enhancements and bug fixes.

The PCM service requires a user account that has the following privileges:

Because it works through a user account with administrative privileges, the PCM service can perform tasks that the PCM application cannot. For example, it can install files into secured directories or make changes to secured registry keys.

However, the existence of the privileged account used by the PCM service introduces a security risk that administrators must consider carefully before installing the PCM service. The privileged account must either be a member of the Domain Users global group and be added to the Administrators local group on each computer to be administered, or it must be made a member of the Domain Admins global group for the domain.

This can open up a security risk in your network. If users on any of these workstations were able to replace the PCMSVC32.EXE file with their own service application, they would then be able to run any application they wanted in a Domain Admin security context. For example, if a Domain Admin account were used, the substituted application could grant a user's regular user account full Domain Admin privileges. The user would then have administrative access not only to all domain resources, but also to all workstations. To maintain security, the directory containing PCMSVC32.EXE must be carefully protected, and users must not have administrative access to their computers.
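The following script is an added example, not part of the original document or of SMS. It shows one way to check that only administrative principals can modify a service executable and the directory that contains it. It assumes a Windows system with PowerShell available. The -ExePath parameter, the function name Get-UntrustedWriter and the list of trusted SIDs are assumptions made for illustration, and the path to PCMSVC32.EXE must be supplied because the document does not state it.

```powershell
# Added example: list non-administrative principals that can modify a
# service executable or its parent directory.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath   # placeholder: full path to PCMSVC32.EXE on this client
)

# Rights that allow replacing or re-permissioning a file or folder.
# 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL (seen on inherit-only ACEs).
$mask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access (assumed list): SYSTEM, local
# Administrators, TrustedInstaller, and a domain's Domain Admins group (RID 512).
$trusted = '^(S-1-5-18|S-1-5-32-544|S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464|S-1-5-21-[\d-]+-512)$'

function Get-UntrustedWriter {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($sid -notmatch $trusted) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$exe = (Resolve-Path -LiteralPath $ExePath).Path
$findings = @(Get-UntrustedWriter -Path $exe) + @(Get-UntrustedWriter -Path (Split-Path -Parent $exe))

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-administrative principals can modify the service binary or its directory.'
} else {
    Write-Output "Only trusted principals can modify $exe and its directory."
}
```

Write access on the directory matters as much as write access on the file, because a principal who can delete and create files in the directory can replace the executable even when the file's own permissions are restrictive.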

Note: If several automated background jobs are set for the same mandatory time, the PCM service will create an instruction (INS) file entry for only one of those jobs, so only that job will be run. To ensure that an INS file entry is made for each job, so that they are all run, assign different mandatory times to the jobs.