Solved

SCCM service account minimum privilege ?

Posted on 2016-08-30
8
351 Views
Last Modified: 2016-08-31
Hi People,

Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.

This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.

So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?

My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.

Thanks in advance.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 500 total points
ID: 41777574
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.

https://technet.microsoft.com/en-us/library/hh427337.aspx

oh. And this is the only one that has to be a domain admin.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777592
Hi Ben,

OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.

But what about the PRODSCCM01-VM AD computer account ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41777602
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

You have A Computer Account (your SCCM Server) in domain admin group?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777605
You have A Computer Account (your SCCM Server) in domain admin group?
As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites

yes I do, so can I remove it safely ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777622
I can only say that our server computer account is not a member of domain admin group.

You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777630
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
0
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41777637
Just Client Push Install Account.
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41778999
Thanks Ben !
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question