• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199
  • Last Modified:

SCCM deployment security best practice for Domain Admins group ?

People,

Due to PCI requirement, the membership of the builtin domain admins must be secured, but somehow I noticed there are two things related to SCCM 2012 R2 which O do not know how to do.

PRODSCCM01-VM --> The SCCM central server
SCCM-Push --> SCCM client push install service account

How do I remove it from the domain admins membership but still maintain SCCM functionality ?
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 2
1 Solution
 
Mike TLeading EngineerCommented:
Hi,

Neither of those accounts need domain admin at all and they never needed it in the first place.

For any CM server to work, the server name itself needs to be a member of local admins group. So you add YOURSITESERVER$.

As for client push it's very similar - it needs to the following permissions:

The following Permissions are needed to perform a Client Push Installation:

Collection
Read
Modify Resource
Site
Read

Ref: https://blogs.technet.microsoft.com/jchalfant/minimum-permissions-needed-to-perform-client-push-in-configuration-manager-2012/

Mike
0
 
Mike TLeading EngineerCommented:
No ConfigMgr accounts need domain admin permissions.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now