Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
SCCM service account minimum privilege ?
Posted on 2016-08-30
Hi People,
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
Due to the PCI requirement, I am forced to minimized the members of Domain Admins group.
This is including:
The SCCM client push install service account DOMAIN\SCCM-PUSH-SVC
The SCCM 2012 R2 Standard (Site Server) AD computer account itself PRODSCCM01-VM.
So I wonder what's the minimum service account that is recommended with bare minimum without breaking SCCM functionality ?
Can I remove the AD computer account from the Domain Admins group ?
My SCCM version is 2012 R2 or the vNext edition which I only use for Workstation only not the servers.
Thanks in advance.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
8 Comments
Active 7 days ago
SCCM Client push Install Account must be a local admin on computers. That means if you are pushing on domain controlers also, the account must be a member of Domain Admin group.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
https://technet.microsoft.com/en-us/library/hh427337.aspx
oh. And this is the only one that has to be a domain admin.
Active today
Hi Ben,
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only.
But what about the PRODSCCM01-VM AD computer account ?
Active 7 days ago
OK,if that's the case I can then put the DOMAIN\SCCM-PUSH-SVC as the Local Administrators on all Workstations only. - YES (you can use Restricted Group)
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
You have A Computer Account (your SCCM Server) in domain admin group?
Active today
You have A Computer Account (your SCCM Server) in domain admin group?As per: https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites
yes I do, so can I remove it safely ?
Active 7 days ago
I can only say that our server computer account is not a member of domain admin group.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
You have nothing to loos. You can remove the account from the group. Check that everything is ok, if not put it back again. And i think everything will work just fine.
Active today
OK, so in your Production environment, nothing related to SCCM is member of Domain Admins group ?
Featured Post
Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
Get a first impression of how PRTG looks and learn how it works. This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
- Linux
- Windows OS
- Networking
- Paessler
- Network Management
- Network Analysis, Network Operations
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month4 days, 5 hours left to enroll
630 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.