
SCCM Client Push Account

LBTechSol asked:
We have the SCCM server set up within a client environment. The SCCM Client Push account is locking out on client machines because of a bad password. It is my understanding that this service account is used for pushing the client out to computers.

We are getting alerts from internal and remote users (over the VPN) where this account is trying to access something. Is it correct that this account should be calling back to the central server? And if this is to connect back into the network, how can this be managed with the password reset schedule for service accounts?

Thanks in Advance

Chances are good someone used the SCCM Client Push account somewhere else and that's the reason it's locking.
I'd create a new SCCM Client Push account and change SCCM to this one. Then try to find out where the old account gets locked.

This can help:
https://gallery.technet.microsoft.com/Account-Lockout-Troubleshoo-542cb9ff
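The lockout-tracing step in the answer above, as an added PowerShell example that is not part of the original thread and not the tool linked there. Every lockout in the domain is recorded as event 4740 on the PDC emulator, and that event names the computer that sent the bad password ("Caller Computer Name"), so one query against the PDC shows where to look next. It assumes the RSAT ActiveDirectory module, permission to read the Security log on the PDC, and that the account name and computer names are placeholders.

```powershell
# Added example: find which machine is locking out the client push account.
# Assumes RSAT ActiveDirectory module and read access to the PDC's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$AccountName = 'CM_ClientPush',   # placeholder account name
        [int]$Hours = 24
    )
    # Lockouts always replicate to the PDC emulator, so one DC covers the domain.
    $pdc = (Get-ADDomain).PDCEmulator

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the fields by name from the event XML. In a 4740 event the locked
        # account is TargetUserName and the "Caller Computer Name" shown in the
        # event text is stored in the TargetDomainName field.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $locked = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($locked -ne $AccountName) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            DC     = $e.MachineName
        }
    }
}

function Find-AccountUsage {
    # Once a caller computer is known, see what on it runs as the account:
    # services and scheduled tasks are the usual places an old password lingers.
    param(
        [string]$ComputerName,                     # placeholder, the caller from above
        [string]$AccountName = 'CM_ClientPush'
    )
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "*$AccountName*" } |
        Select-Object @{n='Kind';e={'Service'}}, Name, StartName

    $tasks = Get-ScheduledTask -CimSession $ComputerName |
        Where-Object { $_.Principal.UserId -like "*$AccountName*" } |
        Select-Object @{n='Kind';e={'Task'}}, @{n='Name';e={$_.TaskName}},
                      @{n='StartName';e={$_.Principal.UserId}}

    $services + $tasks
}

# Usage: rank the callers, then inspect the top one.
$hits = Get-LockoutSource -AccountName 'CM_ClientPush' -Hours 48
$hits | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($hits) {
    $top = ($hits | Group-Object Caller | Sort-Object Count -Descending)[0].Name
    Find-AccountUsage -ComputerName $top -AccountName 'CM_ClientPush' | Format-Table -AutoSize
}
```

When the caller computer turns out to be a VPN concentrator, NPS server or another domain controller, the bad password is arriving through that device rather than originating on it, and the next step is that device's own logs (4625 on the machine, 4771 on the DC for Kerberos pre-authentication failures).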
Leading Engineer commented:
Hi,

It sounds like someone is using the account to log in. That is a no-no for two reasons: 1) that account is a service account and as such does not need to "log in". Ever. It connects and authenticates and pushes files to machines and nothing else.
2) It has been compromised, it seems.

A common mistake is also giving that account Domain Admin rights. If you have, remove them immediately.

Quote from MS documentation:

This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed.

This account does not require Domain Admin rights.

You can specify one or more Client Push Installation Accounts; Configuration Manager tries in turn until one succeeds.

Do not grant this account the right to log on locally.

Ref: TechNet (https://technet.microsoft.com/en-us/library/hh427337.aspx)

I would do the following:

  1. Create a new client push account - CM_ClientPush
  2. Secure it with GPO to "no logon"
  3. Give it a secure (long and complex) password

I am not sure what to do with the old account as you need to find out who is using it. Disabling it will hide the culprit. Maybe enable auditing on the account, track it and when you find who has it deal with them then delete it.

More info on ALL CM accounts here: http://www.systemcenter.ninja/2012/05/system-cennter-2012-service-accounts.html

regards,

Mike
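Mike's three steps, plus his advice to check for Domain Admin rights and to audit the old account, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and rights to create users; the OU path and account names are placeholders. The "no logon" part is a user rights assignment ("Deny log on locally" and "Deny log on through Remote Desktop Services") that is set in Group Policy, so the script notes it rather than setting it.

```powershell
# Added example: create the replacement client push account with a long random
# password, confirm it is in no admin group, and enable auditing so use of the
# old account keeps showing up while it is being tracked down.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias
    # so each character of the set is equally likely.
    param([int]$Length = 32)
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+')
    $limit = $chars.Length * [math]::Floor(256 / $chars.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$out.Append($chars[$one[0] % $chars.Length]) }
    }
    $out.ToString()
}

function Test-AdminMembership {
    # Returns the privileged groups the account belongs to (directly or nested).
    param([string]$SamAccountName)
    $adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $adminGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members | Where-Object SamAccountName -eq $SamAccountName) { $g }
    }
}

# --- Step 1 and 3: new account with a long, complex password -----------------
$name = 'CM_ClientPush'                                  # placeholder
$ou   = 'OU=Service Accounts,DC=example,DC=com'          # placeholder OU
$plain = New-RandomPassword -Length 32                   # entered once in the CM console, then discarded
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $name -SamAccountName $name -Path $ou `
    -AccountPassword $secure -Enabled $true `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'SCCM client push installation account; local admin on targets only'

# --- Step 2: "no logon" is a GPO user rights assignment, not an AD attribute --
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment: add CM_ClientPush to
# "Deny log on locally" and "Deny log on through Remote Desktop Services".

# --- Check neither the new nor the old account carries Domain Admin rights ----
foreach ($acct in $name, 'OLD_ClientPush') {                 # OLD_ClientPush is a placeholder
    $groups = Test-AdminMembership -SamAccountName $acct
    if ($groups) { Write-Warning "$acct is a member of: $($groups -join ', ') - remove it" }
}

# --- Audit the old account's use before it is disabled -----------------------
# Run on each DC (or deploy the same settings by GPO). Success on account
# management gives 4740 lockouts; failures on the logon subcategories give
# 4625 and 4771 with the source address of each bad password.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
```

The generated password is typed into the Client Push Installation properties (Accounts tab) in the Configuration Manager console once and then dropped; nothing here writes it to disk. Resetting it on the schedule the question asks about means changing it in AD and in that console at the same time, which is exactly why the account must not be reused anywhere else.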
LBTechSol, Operations Director (Author) commented:
Thanks for the comments guys and supporting my thought on this