Solved

SCCM service account minimum privilege ?

Posted on 2016-08-30
8
123 Views
Last Modified: 2016-08-31
Hi People,

Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.

This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.

So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?

My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.

Thanks in advance.
0
Comment
  • 4
  • 4
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 500 total points
ID: 41777574
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.

https://technet.microsoft.com/en-us/library/hh427337.aspx

oh. And this is the only one that has to be a domain admin.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777592
Hi Ben,

OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.

But what about the PRODSCCM01-VM AD computer account ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41777602
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

You have A Computer Account (your SCCM Server) in domain admin group?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777605
You have A Computer Account (your SCCM Server) in domain admin group?
As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites

yes I do, so can I remove it safely ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777622
I can only say that our server computer account is not a member of domain admin group.

You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777630
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777637
Just Client Push Install Account.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41778999
Thanks Ben !
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question