Solved

SCCM service account minimum privilege?

Posted on 2016-08-30
8
196 Views
Last Modified: 2016-08-31
Hi People,

Due to the PCI requirement, I am forced to minimize the members of the Domain Admins group.

This includes:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself, PRODSCCM01-VM.

So I wonder what the recommended bare-minimum service account privilege is, without breaking SCCM functionality?
Can I remove the AD computer account from the Domain Admins group?

My SCCM version is 2012 R2 or the vNext edition, which I only use for workstations, not the servers.

Thanks in advance.
0
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 500 total points
ID: 41777574
The SCCM Client Push Install Account must be a local admin on the target computers. That means if you are also pushing to domain controllers, the account must be a member of the Domain Admins group.

https://technet.microsoft.com/en-us/library/hh427337.aspx

oh. And this is the only one that has to be a domain admin.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777592
Hi Ben,

OK, if that's the case I can then put DOMAIN\SCCM-PUSH-SVC in the local Administrators group on all workstations only.

But what about the PRODSCCM01-VM AD computer account?
0
 
LVL 12

Accepted Solution

by:Benjamin Voglar
Benjamin Voglar earned 500 total points
ID: 41777602
"OK, if that's the case I can then put DOMAIN\SCCM-PUSH-SVC in the local Administrators group on all workstations only." - YES (you can use Restricted Groups)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

You have a computer account (your SCCM server) in the Domain Admins group?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777605
"You have a computer account (your SCCM server) in the Domain Admins group?"
As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites

Yes, I do, so can I remove it safely?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777622
I can only say that our server computer account is not a member of the Domain Admins group.

You have nothing to lose. You can remove the account from the group. Check that everything is OK; if not, put it back again. And I think everything will work just fine.
1
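A worked example of the two checks discussed in this thread (confirming the push account is a local Administrator on workstations via the Restricted Groups GPO, and auditing then removing the site server's computer account from Domain Admins). This is an added example, not code posted by either participant and not part of any Microsoft or SCCM tooling. It assumes the RSAT ActiveDirectory module is installed, PowerShell remoting is enabled to the workstations, and the targets run Windows 10 or later (for Get-LocalGroupMember). The account names are taken from the question; the workstation names are constructed placeholders.

```powershell
# Added example (not from the thread): audit which SCCM principals sit in Domain Admins,
# then verify the push account is a local Administrator on a set of workstations.
# Account names come from the question; $Workstations is a constructed sample list.
Import-Module ActiveDirectory

$PushAccount  = 'SCCM-PUSH-SVC'          # sAMAccountName of the client push install account
$SiteServer   = 'PRODSCCM01-VM'          # site server; its computer sAMAccountName ends in '$'
$Workstations = @('WKS-001', 'WKS-002')  # constructed sample; replace with your own collection

# 1. List Domain Admins (recursively, so nested groups are expanded) and pick out SCCM principals.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
$da | Select-Object objectClass, SamAccountName, DistinguishedName | Format-Table -AutoSize

$siteServerInDA = $da | Where-Object { $_.objectClass -eq 'computer' -and $_.SamAccountName -eq "$SiteServer`$" }
$pushInDA       = $da | Where-Object { $_.SamAccountName -eq $PushAccount }

if ($pushInDA) {
    Write-Host "Push account $PushAccount is a Domain Admin (needed only if you push to domain controllers)."
}
if ($siteServerInDA) {
    Write-Warning "Site server computer account $SiteServer is a Domain Admin; it does not need to be."
    # Dry run first (-WhatIf shows what would change); drop -WhatIf once the change is approved.
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $siteServerInDA -WhatIf
}

# 2. Confirm the Restricted Groups GPO took effect: is the push account in local Administrators?
$results = foreach ($ws in $Workstations) {
    try {
        $members = Invoke-Command -ComputerName $ws -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            Computer         = $ws
            PushIsLocalAdmin = [bool]($members -match "\\$PushAccount$")
            Error            = $null
        }
    } catch {
        # Unreachable or remoting disabled: record the error rather than aborting the whole sweep.
        [pscustomobject]@{ Computer = $ws; PushIsLocalAdmin = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Run the audit before removing anything so you have a record of the starting membership; after the removal, re-run step 1 and watch the site server's component status for the next client push and site maintenance cycle, which is the "check that everything is OK" step from the answer above.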
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41777630
OK, so in your production environment, nothing related to SCCM is a member of the Domain Admins group?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777637
Just the Client Push Install Account.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41778999
Thanks Ben!
0
