Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!
Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!
Act now. This offer ends July 14, 2017.
Course Of The Month
8 days, 1 hour left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
SCCM service account minimum privilege ?
Posted on 2016-08-30
Hi People,
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
8 Comments
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
Active today
Hi Ben,
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
Active today
You have A Computer Account (your SCCM Server) in domain admin group?As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites
yes I do, so can I remove it safely ?
I can only say that our server computer account is not a member of domain admin group.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
Active today
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
Featured Post
With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Attackers love to prey on accounts that have privileges.
Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month8 days, 1 hour left to enroll
728 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.