<div>
Hi Ben,<br />
<br />
OK,if that's the case I can then put the <b>DOMAIN\SCCM-PUSH-SVC</b> as the Local Administrators on all Workstations only.<br />
<br />
But what about the <b>PRODSCCM01-VM</b> AD computer account ?
</div>


<div>
<blockquote>
You have A Computer Account (your SCCM Server) in domain admin group?
</blockquote>
As per: <a href="https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites" rel="ugc">https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites</a><br />
<br />
yes I do, so can I remove it safely ?
</div>


<div>
I can only say that our server computer account is not a member of domain admin group.<br />
<br />
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
</div>


<div>
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
</div>


<div>
Just Client Push Install Account.
</div>


<div>
<div class="content wysiwyg-content">
Hi People,<br />
<br />
Due to the PCI requirement, I am forced to minimized the members of <b>Domain Admins</b> group. <br />
<br />
This is including:<br />
The <b>SCCM client push install</b> service account <b>DOMAIN\SCCM-PUSH-SVC</b><br />
The <b>SCCM 2012 R2 Standard (Site Server)</b> AD computer account itself <b>PRODSCCM01-VM</b>.<br />
<br />
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?<br />
Can I remove the AD computer account from the <b>Domain Admins</b> group ?<br />
<br />
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.<br />
<br />
Thanks in advance.
</div>
</div>


Hi People,

Due to the PCI requirement, I am forced to minimized the members of Domain Admins group. 

This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.

So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?

My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.

Thanks in advance.

SCCM service account minimum privilege ?

Systems Center Configuration Manager (SCCM, formerly known as Systems Management Server) is Microsoft’s system software for managing large groups of not only Microsoft computers, but those running other operating systems, such as Linux, OS-X, and various mobile technologies.

SCCM

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Microsoft server applications are those applications developed specifically, but not necessarily exclusively, on the Windows Server platform. In addition to well-known products like SQL Server, Exchange, Internet Information Services (IIS), Microsoft Dynamics, Forefront, Lync and Sharepoint, they include applications like Skype, BizTalk, Hyper-V, Groove and Commerce Server. Server applications are managed with the Microsoft System Center.

Microsoft Server Apps

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.