There are two schools of thought about the best way to create a System Management container. The first school of thought recommends that the Active Directory (AD) Administrator produces the System Management container and then permissions are applied to it. However, it is the second school of thought which I prefer. In this option, the AD Administrator allows the Configuration Manager (CM) site server to generate the System Management container itself. Then, the Admin adjusts the permissions to their final state.
This second method is a two-step process.
Step 1 – Apply permissions to the System container, and then the CM site server creates the System Management container.
Step 2 – Remove the permissions on the System container and apply the permissions to the System Management container.
I prefer this two-step method. Why? It ensures that Configuration Manager creates exactly what it wants, regardless of language settings, etc. And, it also helps to prevent typos.
In the end it doesn’t matter which process you use, as long as the container is created in the appropriate location. Check out my blog post tomorrow on How to Set AD Security Rights for the System Management Container and next week’s post about How to Manually Create a System Management Container for ConfigMgr.
If you have any questions about System Management containers, please contact me @GarthMJ, or leave a note in the comment section below.