
Creating Custom Scopes in MOM

Last post 06-20-2006 9:26 PM by Brian S. Tucker. 0 replies.
  • 06-20-2006 9:26 PM

    Creating Custom Scopes in MOM

    I have to create different scopes to define who can see which alerts. For example, I want the SMS admins to ONLY see alerts for SMS when they open the Operator Console. Same thing for AD, Exchange and others. I have read Chapter 3 and others of the MOM Operation Guide and they are not very specific. I found this article and was wondering if this is correct for my desired application. If this is true for what I want, everything I read comes back stating that I need to have the operator or notification group assigned to the computer group. When I look at the custom computer group I made with all the SMS groups underneath it, the consoles tab is gray and I can’t change it. I have looked everywhere and can’t figure it out or find the exact docs…. Can someone help? What am I missing, guys!

     

    Here is the article… link and the appropriate text below. http://www.momresources.org/momarticles/provisioningmom.shtml

     

    Provisioning Access to Branch Office Admins or Application Owners

    MOM Console Scopes are used to create custom views, limiting which Computer Groups can be viewed by the person using the scope. Console Scopes are often used for creating limited views for application owners (such as a view of SQL Servers for DBAs) and branch office administrators.  

    For quite some time, the only way to provision access to the MOM Console Scope was to add users to the Scope in the MOM Administrator Console. Moreover, groups could not be used - users had to be added on a per-user basis. This makes more work for the MOM administrator, and requires an extra link in the provisioning chain when bringing new administrators on board.

    This changed with the release of the MOM Resource Kit SP1 refresh, which included a new utility called the Console Scope Utility. This tool can be used to synchronize Active Directory group members with MOM 2005 console scope members. This now gives us the ability to create Global Security Groups in Active Directory, and then synchronize the membership of these groups with a Console Scope in MOM. By using this utility in a batch file on a scheduled basis, we can eliminate the need to open the MOM Administrator Console to provision Console Scope access.

     

    To integrate assignment of Console Scope:


    We’ll use an example here. We’ll perform the configuration required to integrate the process of granting branch office administrators access to MOM into Active Directory. Let’s assume I’ve created a Console Scope called ‘Branch Office Admins’, and I want to allow granting of MOM privileges to every user with membership in a group in Active Directory. Setup to make this happen is as follows:

    1. Create Console Scope ‘Branch Office Admins’ – In the MOM Administrator Console, create a Console Scope called ‘Branch Office Admins’. Select the desired Computer Groups you wish to be visible to branch office administrators. Do not add any users to this Console Scope.
    2. Create global security group ‘Branch Office Administrators’ – In Active Directory Users & Computers, create a Global Security Group called ‘Branch Office Administrators’. The global group need not be in the local domain. The utility can be used to synchronize security groups from trusted domains as well.
    3. Add branch office administrators to the newly created group. Use AD Users & Computers to grant membership to all branch office administrators you wish to assign to the Branch Office Admins Console Scope.
    4. Add ‘Branch Office Administrators’ global security group to ‘MOM Users’ global security group (if not already added). Membership in MOM Users is required to allow branch administrators to connect to the MOM Servers remotely with MOM Consoles. Nesting groups created for provisioning access via custom console scopes simply eliminates an extra step, allowing 1 step provisioning for new administrators.
    5. Configure the Console Scope Batch Job – On a MOM Management Server, create the following batch job.

     

    SYNTAX:

    CSUtil.exe Synchronize "MyCustomConsoleScope" "MYDOMAIN\ConsoleScopeGroup"

    EXAMPLE:

    CSUtil.exe Synchronize "Branch Office Admins" "MYDOMAIN\Branch Office Administrators"

    IMPORTANT:

    You’ll need one CSUtil.exe command for each security group / console scope pair.

     

    6. Schedule the Console Scope Batch Job – On a MOM Management Server, schedule the batch job to run on an interval of your choosing. This may be once an hour or once a day, depending on how quickly you’d like the changes to the global security groups to be reflected in Console Scope assignment.
    7. Perform Initial Group to Console Scope Synchronization - Run the batch file containing the Console Scope Utility at least one time to synchronize the AD security group to the console scope. Then log in as a user assigned to the Branch Office Administrators group and launch the MOM Operator Console. Your view should then be restricted to groups defined in the Console Scope.

     

    Granting Access to Console Scopes Going Forward:

    1. Simply add the target user to the ‘Branch Office Administrators’ or other appropriate global security group in Active Directory associated with a MOM Console Scope.
    2. Install the MOM User Interfaces (MOM CD – custom install) on the workstation of the target administrator.

    Brian S. Tucker
    The Blogcast Repository - MCSE, MCDBA & MCT
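The batch job from steps 5 and 6 of the quoted article, written out as an added example (not part of the original post or the article). It runs one CSUtil.exe command per scope/group pair and logs each run so that access changes can be audited. The install path, log file, service account, and the SMS and Exchange scope and group names are assumptions, as is CSUtil.exe returning a non-zero exit code on failure.

```batch
@echo off
rem Added example: synchronize several AD security groups to MOM console scopes.
rem ASSUMPTION: CSUTIL_DIR is a placeholder for the folder holding CSUtil.exe.
setlocal
set "CSUTIL_DIR=C:\PLACEHOLDER\path\to\CSUtil"
set "LOG=%~dp0ConsoleScopeSync.log"
set FAILED=0

rem One call per security group / console scope pair, as the article requires.
call :sync "Branch Office Admins" "MYDOMAIN\Branch Office Administrators"
rem Hypothetical pairs for per-application scopes (names are constructed):
call :sync "SMS Admins" "MYDOMAIN\SMS Administrators"
call :sync "Exchange Admins" "MYDOMAIN\Exchange Administrators"

rem Non-zero exit lets Task Scheduler record that at least one sync failed.
exit /b %FAILED%

:sync
rem %~1 = console scope name, %~2 = DOMAIN\group
echo %DATE% %TIME% sync "%~1" from "%~2" >> "%LOG%"
"%CSUTIL_DIR%\CSUtil.exe" Synchronize "%~1" "%~2" >> "%LOG%" 2>&1
rem ASSUMPTION: CSUtil.exe sets a non-zero exit code when a sync fails.
if errorlevel 1 (
    echo %DATE% %TIME% FAILED "%~1" >> "%LOG%"
    set FAILED=1
)
goto :eof

rem To schedule hourly under a dedicated account (hypothetical names), run once:
rem schtasks /create /tn "MOM Console Scope Sync" /tr "C:\PLACEHOLDER\SyncConsoleScopes.cmd" /sc hourly /ru MYDOMAIN\svc-momsync /rp *
```

Because membership in the AD groups now decides who sees which alerts, the log and the group membership itself are the records to review when auditing console access.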