  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 257

SCCM deployment security best practice for Domain Admins group?

People,

Due to a PCI requirement, the membership of the builtin Domain Admins group must be secured, but I noticed there are two things related to SCCM 2012 R2 which I do not know how to handle.

PRODSCCM01-VM --> The SCCM central server
SCCM-Push --> SCCM client push install service account

How do I remove them from the Domain Admins membership but still maintain SCCM functionality?
Senior IT System Engineer
1 Solution
 
Mike T, Leading Engineer, commented:
Hi,

Neither of those accounts needs domain admin at all, and they never needed it in the first place.

For any CM server to work, the server name itself needs to be a member of the local admins group. So you add YOURSITESERVER$.

As for client push, it's very similar. It needs the following permissions:

The following Permissions are needed to perform a Client Push Installation:

  • Collection
      • Read
      • Modify Resource
  • Site
      • Read

Ref: https://blogs.technet.microsoft.com/jchalfant/minimum-permissions-needed-to-perform-client-push-in-configuration-manager-2012/

Mike

Mike T, Leading Engineer, commented:
No ConfigMgr accounts need domain admin permissions.
Question has a verified solution.
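
An added example, not part of the original thread or of either poster's own tooling: a PowerShell audit of the two principals named in the question that reports direct and nested Domain Admins membership, checks the local Administrators group for the site server's computer account, and removes the direct memberships only on request. The domain name `CONTOSO`, the function names and the `$CmPrincipals` variable are hypothetical; the RSAT ActiveDirectory module and PowerShell 5.1 or later are assumed.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions: RSAT ActiveDirectory module, PowerShell 5.1+,
# and CONTOSO as a placeholder NetBIOS domain name.
$CmPrincipals = 'PRODSCCM01-VM$', 'SCCM-Push'   # sAMAccountNames from the question

function Get-CmDomainAdminStatus {
    param([string[]]$SamAccountName = $CmPrincipals)
    $direct = @(Get-ADGroupMember -Identity 'Domain Admins').SamAccountName
    # -Recursive flattens nested groups, so it also reveals indirect membership
    $all    = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    foreach ($name in $SamAccountName) {
        [pscustomobject]@{
            Account = $name
            Direct  = $direct -contains $name
            Nested  = ($all -contains $name) -and ($direct -notcontains $name)
        }
    }
}

function Test-SiteServerLocalAdmin {
    # Run on the machine whose local Administrators group you want to check.
    param([string]$Domain = 'CONTOSO', [string]$SiteServer = 'PRODSCCM01-VM')
    $expected = "$Domain\$SiteServer`$"          # computer accounts end in '$'
    # S-1-5-32-544 is BUILTIN\Administrators regardless of OS language
    $names = @(Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    $names -contains $expected
}

function Remove-CmFromDomainAdmins {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string[]]$SamAccountName = $CmPrincipals)
    foreach ($row in Get-CmDomainAdminStatus -SamAccountName $SamAccountName) {
        if ($row.Nested) {
            Write-Warning "$($row.Account) is a member through a nested group; fix that group."
        }
        if ($row.Direct -and $PSCmdlet.ShouldProcess($row.Account, 'Remove from Domain Admins')) {
            Remove-ADGroupMember -Identity 'Domain Admins' -Members $row.Account -Confirm:$false
        }
    }
}

Get-CmDomainAdminStatus | Format-Table -AutoSize
"Site server account is a local admin here: $(Test-SiteServerLocalAdmin)"
# After the local admin membership and push permissions are in place:
# Remove-CmFromDomainAdmins -WhatIf
```

Run the removal with `-WhatIf` first; re-running `Get-CmDomainAdminStatus` afterwards gives a before/after record of the membership change.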