First published on TECHNET on Nov 14, 2011
Authored by Clifton Hughes
This document covers the processes and considerations for managing clients in an untrusted domain as if they were in a workgroup, and for managing actual workgroup clients. The term Workgroup Clients is used throughout this documentation, but the same processes and procedures can be used to manage clients in an untrusted domain, with the same limitations as actual workgroup clients. Note that if you do not already have one installed in your environment, you will need the Server Locator Point (SLP) role if you decide to pursue this process.
The requirements information below was taken from the following link:
Configuration Manager 2007 General Supported Configurations:
Requirements for Workgroup Clients
To support workgroup clients, the following requirements must be met:
During client installation, the logged-on user must possess local administrator rights on the workgroup system. The only account that Configuration Manager 2007 can use to perform activities that require local administrator rights is the account of the user that is logged on to the computer.
The Configuration Manager client must be installed from a local source on each client computer. This requirement ensures that a local source for repair and client update application is available for the client.
Workgroup clients must be able to locate a server locator point for site assignment because they cannot query Active Directory Domain Services (AD DS). The server locator point can be manually published in Windows Internet Name Service (WINS), or it can be specified in the CCMSetup.exe installation command-line parameters.
Workgroup clients must use the Network Access Account to access package source files on distribution points. If a Network Access Account is not configured, clients cannot access content on the distribution point. For more information, see Example Package Access Scenarios:
Limitations of Workgroup Clients
Although workgroup computers can be Configuration Manager 2007 clients, there are inherent limitations in supporting workgroup computers, including the following:
Workgroup clients cannot locate their default management point from Active Directory Domain Services, and instead must use DNS, WINS, or a server locator point. We recommend DNS for workgroup clients. For more information, see Configuration Manager and Service Location (Site Information and Management Points):
Active Directory system, user, or user group discovery is not possible.
User-targeted advertisements are not possible.
The client push installation method is not supported for workgroup client installation. For more information about installing the Configuration Manager client on workgroup computers, see How to Install Configuration Manager Clients on Workgroup Computers:
Global roaming is not possible. For more information about client roaming capabilities and behavior, see About Client Roaming in Configuration Manager:
Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 requires that all site systems, including branch distribution point computers, are members of an Active Directory domain.
The out of band management feature is not supported for workgroup computers. For more information about out of band management, see Out of Band Management in Configuration Manager 2007 SP1 and Later:
You will need a local admin account on the clients to manually install the ConfigMgr 2007 client or to script an install process on these clients. Install manually with at least the SMSSLP=SMSSLPServerName command-line switch, and have name resolution in place so that the clients can resolve both the NetBIOS name and the FQDN of the servers/roles they need to access.
In most configurations I have seen, you should make sure the clients can resolve the NetBIOS name and FQDN of the following server roles:
Having DNS and/or WINS name resolution in place can simplify this process somewhat, because all the needed information can then be supplied on the CCMSetup command line. Otherwise, you can use the SMSSLP= switch and the rest can be provided through the SLP/MP: as long as the client gets there, the rest just depends on resolving the server names provided.
Server Locator Point:
For Site Assignment and MP location
Management Point, and Proxy Management Point if clients will be within a Secondary Site's boundaries, communicating with a Proxy MP:
For policies, and DP location, as well as sending client data back to the site, such as inventory and state/status messages.
Software Update Point:
For Software Updates Scanning.
Distribution Point:
For downloading packages, including Software Update Deployments and Software Distribution.
These are the basic roles needed to support the features you mentioned, Software Updates, and Hardware and Software Inventory.
This blog post contains the steps for modifying the client's LMHosts file if a WINS server is not available:
Once you have the name resolution piece in place, the workgroup client install method would be as simple as:
CCMSetup.exe /mp:SMSMP01 SMSSITECODE=ABC SMSSLP=SLPServerName SMSMP=SMSMP01
Where the /mp:SMSMP01 switch names the server from which the client will download the setup files, ABC is the site code to be used, SMSSLP=SLPServerName is the Server Locator Point to be used, and SMSMP=SMSMP01 is the management point that the client should report up to.
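The checks described above (local administrator rights, NetBIOS and FQDN resolution of each role, then the CCMSetup command line) can be scripted as one pre-flight step. This is an added example, not part of the original post: the DNS suffix, the Software Update Point and Distribution Point server names, and the local CCMSetup.exe path are placeholders to replace with your own values.

```powershell
# Added example: pre-flight check and install for a workgroup client.
# Server names, DNS suffix and local path are placeholders (assumptions).
$SiteCode  = 'ABC'
$DnsSuffix = 'corp.example'                    # placeholder suffix used to build FQDNs
$Roles = @{
    'Server Locator Point'  = 'SLPServerName'
    'Management Point'      = 'SMSMP01'
    'Software Update Point' = 'SUPServerName'  # hypothetical name
    'Distribution Point'    = 'DPServerName'   # hypothetical name
}
$CcmSetup = 'C:\ClientSource\CCMSetup.exe'     # hypothetical local copy of the client source

# Client installation requires the logged-on user to be a local administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session with a local administrator account.'
}

# Resolve a name through the system resolver (DNS, hosts file, WINS/LMHosts).
function Test-NameResolution([string]$Name) {
    try   { ([System.Net.Dns]::GetHostAddresses($Name)).Length -gt 0 }
    catch { $false }
}

# Check both the NetBIOS name and the FQDN of every role the client must reach.
$failed = @()
foreach ($role in $Roles.GetEnumerator()) {
    foreach ($name in @($role.Value, "$($role.Value).$DnsSuffix")) {
        $ok = Test-NameResolution $name
        '{0,-22} {1,-32} {2}' -f $role.Key, $name, $(if ($ok) { 'resolved' } else { 'FAILED' })
        if (-not $ok) { $failed += $name }
    }
}
if ($failed.Count -gt 0) {
    throw "Fix name resolution before installing: $($failed -join ', ')"
}
if (-not (Test-Path $CcmSetup)) { throw "CCMSetup.exe not found at $CcmSetup" }

# Same command line as shown above, built from the variables.
$ccmArgs = "/mp:$($Roles['Management Point'])", "SMSSITECODE=$SiteCode",
           "SMSSLP=$($Roles['Server Locator Point'])", "SMSMP=$($Roles['Management Point'])"
$proc = Start-Process -FilePath $CcmSetup -ArgumentList $ccmArgs -Wait -PassThru
"CCMSetup.exe exit code: $($proc.ExitCode)"    # installation progress is logged in ccmsetup.log
```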
How to Configure Configuration Manager Clients to Find their Management Point using DNS Publishing:
How to Install Configuration Manager Clients on Workgroup Computers:
How to Install Configuration Manager Clients Manually: