SCCM Client Push Account

We have the SCCM server set up within a client environment. The SCCM Client Push account is locking out on client machines because of a bad password. It is my understanding that this service account is used for pushing the client out to computers.

We are getting alerts from internal and remote users (over the VPN) where this account is trying to access something. Is it correct that this account should be calling back to the central server? And if it is meant to connect back into the network, how can this be managed with the password reset schedule for service accounts?

Thanks in Advance
LBTechSol (Operations Director) asked:
Michael Pfister commented:
Chances are good someone used the SCCM Client Push account somewhere else, and that's the reason it's locking.
I'd create a new SCCM Client Push account and change SCCM to this one. Then try to find out where the old account gets locked.

This can help:
https://gallery.technet.microsoft.com/Account-Lockout-Troubleshoo-542cb9ff
Mike T (Leading Engineer) commented:
Hi,

It sounds like someone is using the account to log in. That is a no-no for two reasons: 1) that account is a service account and as such does not need to "log in". Ever. It connects and authenticates and pushes files to machines and nothing else.
2) it seems it has been compromised.

A common mistake is also giving that account Domain Admin rights. If you have, remove them immediately.

Quote from MS documentation:

This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed.

This account does not require Domain Admin rights.

You can specify one or more Client Push Installation Accounts; Configuration Manager tries in turn until one succeeds.

Do not grant this account the right to log on locally.

Ref: Technet (https://technet.microsoft.com/en-us/library/hh427337.aspx)

I would do the following:

  1. Create a new client push account - CM_ClientPush
  2. Secure it with GPO to "no logon"
  3. Give it a secure (long and complex) password

I am not sure what to do with the old account, as you need to find out who is using it. Disabling it will hide the culprit. Maybe enable auditing on the account, track it, and when you find who has it, deal with them and then delete it.

More info on ALL CM accounts here: http://www.systemcenter.ninja/2012/05/system-cennter-2012-service-accounts.html

regards,

Mike
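The two answers above describe one procedure: create a replacement client push account with a long random password, then trace where the old one keeps getting locked. The script below is an added example and is not from either answer or from Microsoft; it assumes the RSAT ActiveDirectory module, rights to create AD users and to read the PDC emulator's Security log, and it uses the hypothetical account names CM_ClientPush (new) and SCCM_ClientPush (old). It relies on the fact that every domain lockout is recorded on the PDC emulator as Security event 4740, whose CallerComputerName field names the machine the bad password came from.

```powershell
# Added example, not part of the original thread.
# Assumptions: RSAT ActiveDirectory module installed; account names below are hypothetical.
Import-Module ActiveDirectory

# --- 1. Create the replacement client push account -------------------------
# 32 random bytes, Base64-encoded, yield a 44-character password that no one
# will be tempted to type interactively.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name 'CM_ClientPush' -SamAccountName 'CM_ClientPush' `
    -AccountPassword $secure -Enabled $true `
    -Description 'ConfigMgr client push installation account'

# Store $plain in your password vault and enter it in the ConfigMgr console
# (Client Push Installation Properties > Accounts). The account still needs
# local Administrators membership on target machines, and a GPO should add it
# to "Deny log on locally"; neither step is done by this script.

# --- 2. Find where the OLD account is being locked out ----------------------
$oldAccount = 'SCCM_ClientPush'             # hypothetical name of the locking account
$pdc        = (Get-ADDomain).PDCEmulator    # lockouts are always written here

Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    ForEach-Object {
        # Read the EventData fields by name rather than by position, so the
        # mapping does not depend on the order the event template happens to use.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $oldAccount) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # "Caller Computer Name" in the event text
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The CallerComputer column is the machine to look at next: its own Security log will show the 4625 (failed logon) events with the process or service that presented the stale password, which is usually a scheduled task, a mapped drive, or someone's saved credentials rather than a live attacker.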

LBTechSol (Operations Director, Author) commented:
Thanks for the comments guys and supporting my thought on this