Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 552
  • Last Modified:

SCCM service account minimum privilege ?

Hi People,

Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.

This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.

So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?

My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.

Thanks in advance.
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 4
  • 4
2 Solutions
 
Benjamin VoglarIT ProCommented:
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.

https://technet.microsoft.com/en-us/library/hh427337.aspx

oh. And this is the only one that has to be a domain admin.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Hi Ben,

OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.

But what about the PRODSCCM01-VM AD computer account ?
0
 
Benjamin VoglarIT ProCommented:
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

You have A Computer Account (your SCCM Server) in domain admin group?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Senior IT System EngineerIT ProfessionalAuthor Commented:
You have A Computer Account (your SCCM Server) in domain admin group?
As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites

yes I do, so can I remove it safely ?
0
 
Benjamin VoglarIT ProCommented:
I can only say that our server computer account is not a member of domain admin group.

You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
0
 
Benjamin VoglarIT ProCommented:
Just Client Push Install Account.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks Ben !
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now