Solved

SCCM deployment security best practice for Domain Admins group ?

Posted on 2016-08-04
Last Modified: 2016-08-25
People,

Due to a PCI requirement, the membership of the built-in Domain Admins group must be secured, but somehow I noticed there are two things related to SCCM 2012 R2 which I do not know how to do.

PRODSCCM01-VM --> The SCCM central server
SCCM-Push --> SCCM client push install service account

How do I remove it from the domain admins membership but still maintain SCCM functionality ?

Accepted Solution

by: Mike T
Hi,

Neither of those accounts needs domain admin at all and they never needed it in the first place.

For any CM server to work, the server name itself needs to be a member of the local admins group. So you add YOURSITESERVER$.

As for client push, it's very similar - it needs the following permissions:

The following Permissions are needed to perform a Client Push Installation:

Collection: Read, Modify Resource
Site: Read

Ref: https://blogs.technet.microsoft.com/jchalfant/minimum-permissions-needed-to-perform-client-push-in-configuration-manager-2012/

Mike
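
The PowerShell below is an added example, not part of Mike T's answer: it reports whether the two accounts named in the question are direct or nested members of Domain Admins and removes direct membership. It assumes the ActiveDirectory module (RSAT) is installed; the function name is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit and remove ConfigMgr accounts from Domain Admins.
# Account names are taken from the question; the function name is hypothetical.

function Remove-ConfigMgrAccountFromDomainAdmins {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # sAMAccountNames; a computer account carries a trailing '$'
        [string[]]$SamAccountName = @('PRODSCCM01-VM$', 'SCCM-Push'),
        [string]$Group = 'Domain Admins'
    )

    # Direct members can be removed from the group itself. Nested members
    # inherit the right through another group and must be fixed there.
    $direct = @(Get-ADGroupMember -Identity $Group |
        Select-Object -ExpandProperty SamAccountName)
    $effective = @(Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty SamAccountName)

    foreach ($name in $SamAccountName) {
        if ($direct -contains $name) {
            $state = 'Direct'
        } elseif ($effective -contains $name) {
            $state = 'Nested'
        } else {
            $state = 'NotMember'
        }

        # ShouldProcess returns $false under -WhatIf, so nothing is changed.
        if ($state -eq 'Direct' -and $PSCmdlet.ShouldProcess($name, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $name -Confirm:$false
            $state = 'Removed'
        }

        [pscustomobject]@{ Account = $name; Group = $Group; Result = $state }
    }
}

# Dry run first: reports membership and what would be removed.
Remove-ConfigMgrAccountFromDomainAdmins -WhatIf
```

A result of Nested means the account reaches Domain Admins through another group, so the membership has to be removed from that group instead.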

Expert Comment

by: Mike T
No ConfigMgr accounts need domain admin permissions.