Solved

SCCM service account minimum privilege ?

Posted on 2016-08-30
8
288 Views
Last Modified: 2016-08-31
Hi People,

Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.

This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.

So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?

My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.

Thanks in advance.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 500 total points
ID: 41777574
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.

https://technet.microsoft.com/en-us/library/hh427337.aspx

oh. And this is the only one that has to be a domain admin.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777592
Hi Ben,

OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.

But what about the PRODSCCM01-VM AD computer account ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41777602
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

You have A Computer Account (your SCCM Server) in domain admin group?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777605
You have A Computer Account (your SCCM Server) in domain admin group?
As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites

yes I do, so can I remove it safely ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777622
I can only say that our server computer account is not a member of domain admin group.

You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777630
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777637
Just Client Push Install Account.
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41778999
Thanks Ben !
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question