SCCM service account minimum privilege ?
Hi People,
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
Hi Ben,
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
You have A Computer Account (your SCCM Server) in domain admin group?As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites
yes I do, so can I remove it safely ?
Premium Content
You need an Expert Office subscription to comment.Start Free Trial