If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.
SCCM service account minimum privilege ?
Hi People,
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Asked:
4-
4
2 Solutions
Hi Ben,
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
You have A Computer Account (your SCCM Server) in domain admin group?As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites
yes I do, so can I remove it safely ?
I can only say that our server computer account is not a member of domain admin group.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.