What needs to be done if you don't want the local Administrators group to have full access in ITCM?
search cancel

What needs to be done if you don't want the local Administrators group to have full access in ITCM?


Article ID: 48834


Updated On:


CA Client Automation CA Client Automation - IT Client Manager


By default, the local Administrators group is mapped to a security profile winnt://<hostname of domain manager>/administrators with all class permissions set to Full Control.

Often this is undesired. Domain/Local Admins are not necessarily the same people who administer the ITCM environment.

What needs to be done to revoke the permissions from the local Administrators group and grant these permissions to one or more Active Directory groups/OUs?



Client Automation - All versions


Granting Full Control Permission to a group

  1. Firstly, make sure that at least one individual/group has Full Control on all classes before revoking the permissions of the Administrators group.
    This will ensure that you don't lock yourself out and are still able to access the system to modify/reset permissions if things don't work out as expected.
  2. Then create a local computer group and add the users who need to be given full control permissions to this group (i.e., add the required AD groups or local groups/users to the local group). For the purpose of this example let us call the group 'ITCM Admins'.
  3. Also, NT AUTHORITY\SYSTEM needs to be added to this group. It maps to the Local System Account that the CAF service and all of its components are running with, by default.
  4. Next map the group 'ITCM Admins' to security profiles in DSM Explorer and change the default rights to FULL CONTROL for everything in the list (Use 'Ctrl+A' to select all the objects).
  5. Once this is done, close and re-open the DSM Explorer. Now, the ITCM Admins group will have full control permissions on ITCM

Revoking Full Control Permissions for the Administrators group

  1. Go to Security Profiles and edit the permissions on the builtin/administrators profile.

    Note: DO NOT restrict the Administrators group to no access or similar as it will cause errors. Retain full control permissions on the 'Domain', 'Domain Group' and 'Manager' objects and Read (VR) at a minimum on the remaining objects. This will let Administrators see everything but do nothing.

    *****Important Note: You might want to consider letting Administrators keep Full Control rights on the 'Security Profile' object, which may help as a back door, should anyone accidentally deletes your local group. The Administrators will then at least, be able to set some other profile as an admin if needed in an emergency.