Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SCCM deployment security best practice for Domain Admins group ?

Posted on 2016-08-04
2
Medium Priority
?
150 Views
Last Modified: 2016-08-25
People,

Due to PCI requirement, the membership of the builtin domain admins must be secured, but somehow I noticed there are two things related to SCCM 2012 R2 which O do not know how to do.

PRODSCCM01-VM --> The SCCM central server
SCCM-Push --> SCCM client push install service account

How do I remove it from the domain admins membership but still maintain SCCM functionality ?
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 18

Accepted Solution

by:
Mike T earned 2000 total points (awarded by participants)
ID: 41745021
Hi,

Neither of those accounts need domain admin at all and they never needed it in the first place.

For any CM server to work, the server name itself needs to be a member of local admins group. So you add YOURSITESERVER$.

As for client push it's very similar - it needs to the following permissions:

The following Permissions are needed to perform a Client Push Installation:

Collection
Read
Modify Resource
Site
Read

Ref: https://blogs.technet.microsoft.com/jchalfant/minimum-permissions-needed-to-perform-client-push-in-configuration-manager-2012/

Mike
0
 
LVL 18

Expert Comment

by:Mike T
ID: 41769951
No ConfigMgr accounts need domain admin permissions.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question