• Status: Solved
  • Priority: Medium
  • Security: Public

SCCM deployment security best practice for Domain Admins group?

People,

Due to a PCI requirement, the membership of the built-in Domain Admins group must be secured, but I noticed there are two things related to SCCM 2012 R2 which I do not know how to do.

PRODSCCM01-VM --> The SCCM central server
SCCM-Push --> SCCM client push install service account

How do I remove it from the Domain Admins membership but still maintain SCCM functionality?
Mike T (Leading Engineer) commented:
Hi,

Neither of those accounts needs domain admin at all, and they never needed it in the first place.

For any CM server to work, the server name itself needs to be a member of the local admins group. So you add YOURSITESERVER$.

As for client push, it's very similar - it needs the following permissions:

The following Permissions are needed to perform a Client Push Installation:

  • Collection: Read, Modify Resource
  • Site: Read

Ref: https://blogs.technet.microsoft.com/jchalfant/minimum-permissions-needed-to-perform-client-push-in-configuration-manager-2012/

Mike

Mike T (Leading Engineer) commented:
No ConfigMgr accounts need domain admin permissions.
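
One way to carry out the change described in the answers above, as an added example that is not part of the original thread: it grants the site server's computer account local admin rights first, then removes both principals from Domain Admins. `PRODSCCM01-VM` and `SCCM-Push` come from the question; `SITESYSTEM01` is a hypothetical placeholder for the computers where the site server needs local admin rights.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory (RSAT) module
# and PowerShell 5.1+ (LocalAccounts cmdlets) on the target computers.
Import-Module ActiveDirectory

$domain      = (Get-ADDomain).NetBIOSName
$siteServer  = 'PRODSCCM01-VM'      # site server named in the question
$pushAccount = 'SCCM-Push'          # client push account named in the question
$targets     = @('SITESYSTEM01')    # hypothetical placeholder; replace with your own
$principals  = @("$siteServer`$", $pushAccount)   # computer accounts end in '$'

# 1. Before touching Domain Admins, make sure the site server's computer
#    account (YOURSITESERVER$) is in the local Administrators group.
foreach ($computer in $targets) {
    Invoke-Command -ComputerName $computer -ArgumentList "$domain\$siteServer`$" -ScriptBlock {
        param($member)
        $present = Get-LocalGroupMember -Group 'Administrators' |
                   Where-Object Name -eq $member
        if ($present) {
            '{0}: {1} already in local Administrators' -f $env:COMPUTERNAME, $member
        } else {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
            '{0}: added {1} to local Administrators' -f $env:COMPUTERNAME, $member
        }
    }
}

# 2. Find which of the two principals are direct members of Domain Admins.
$toRemove = Get-ADGroupMember -Identity 'Domain Admins' |
            Where-Object { $principals -contains $_.SamAccountName }

# 3. Remove them. -WhatIf only previews the change; drop it once the
#    preview lists exactly the accounts you expect.
foreach ($m in $toRemove) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $m -WhatIf
}

# 4. Re-check: this should return nothing after the real removal.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $principals -contains $_.SamAccountName } |
    Select-Object SamAccountName, objectClass
```

Group membership is evaluated at logon, so the site server picks up the change after a restart and the push account at its next logon.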