myITforum and Windows IT Pro Forums

 SCCM Client installation account

csharma180

SCCM Client installation account Friday, January 09, 2009 10:48 PM (permalink)
Hi All,
I have to implement SCCM Client push installation in my production environment, but one of the prerequisites of the Client push installation is to have a common user account/SMS Site Server’s machine account added on all the workstation machines.

In our production environment we don’t have any common account added on all the workstations that we can use for Client Push installation. So I am left with one option, which is to use a Domain Admin account.

Now I have to create a business case for the AD team in order to get the domain admin privileges, and I need to know the answers to the following questions for the same:

1.       What would be the consequences of using a Domain Admin account for Push installation?
2.       If the AD Team creates a Domain Admin user account for SMS and adds the same in the SCCM Client push installation properties, provided they keep the password of that account to themselves, does this create any security threat?
3.       What role does the Client push installation account play in SCCM Client installation?
4.       Once the Client is installed on all the machines, will that Domain Admin/Client push installation account be used in any way?
 
 
 
#1
    gjones

    RE: SCCM Client installation account Saturday, January 10, 2009 10:14 AM (permalink)
    Why wouldn't you add the ConfigMgr Machine account to domain admins, this would be more secure than using a domain user account?
     
    #2
      csharma180

      RE: SCCM Client installation account Saturday, January 10, 2009 11:22 AM (permalink)
      I understand I can also use the Config Mgr Machine account. But I wanted to understand, in the above-mentioned scenarios, which options I have and what the answers would be to the questions mentioned in the post.
       
      #3
        wbracken

        RE: SCCM Client installation account Saturday, January 10, 2009 10:13 PM (permalink)

        ORIGINAL: csharma180

        Hi All,
        I have to implement SCCM Client push installation in my production environment, but one of the prerequisites of the Client push installation is to have a common user account/SMS Site Server’s machine account added on all the workstation machines.

        In our production environment we don’t have any common account added on all the workstations that we can use for Client Push installation. So I am left with one option, which is to use a Domain Admin account.

        Now I have to create a business case for the AD team in order to get the domain admin privileges, and I need to know the answers to the following questions for the same:

        1.       What would be the consequences of using a Domain Admin account for Push installation? - The consequence is really just that this is a much less secure option.  If your account gets compromised they have admin access to the domain.  Best practice is to not use a domain admin account.
        2.       If the AD Team creates a Domain Admin user account for SMS and adds the same in the SCCM Client push installation properties, provided they keep the password of that account to themselves, does this create any security threat? - No more than stated above.
        3.       What role does the Client push installation account play in SCCM Client installation? - It is the account that is used to install the actual client.  This account at its basics needs administrative rights to the workstation as well as general read rights to the MP client install share.
        4.       Once the Client is installed on all the machines, will that Domain Admin/Client push installation account be used in any way? - This account is only used for installing the client.
         
         

         
        Personally I think a better option would be to create an AD group, use GPOs to apply this account to the local administrators group and then add a non domain admin account to that group.  I don't even use client push myself but if I was forced to, that would be my route.  ;)
        William Bracken

        Visit my new Blog
        http://wbracken.wordpress.com/
         
        #4
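The layout suggested in the reply above (an AD group that a GPO places in each workstation's local Administrators group, holding a non-domain-admin push account) can be created and verified as below; this is an added example, not part of the original thread. The group, account, OU and workstation names are hypothetical, the ActiveDirectory module and PowerShell remoting are assumed, and the GPO itself (Restricted Groups or Group Policy Preferences) is configured separately in Group Policy Management.

```powershell
# Added example: every name below is a hypothetical placeholder, not from the thread.
Import-Module ActiveDirectory

$GroupName   = 'SCCM-ClientPush-LocalAdmins'            # hypothetical AD security group
$AccountName = 'svc-sccm-push'                          # hypothetical non-domain-admin account
$OuPath      = 'OU=Service Accounts,DC=example,DC=com'  # hypothetical OU
$Workstation = 'WKS-0001'                               # hypothetical test workstation

# 1. Create the group and the push account only if they are missing.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $OuPath
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OuPath `
        -AccountPassword (Read-Host -AsSecureString 'Password for the push account') `
        -Enabled $true
}
$current = @(Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName)
if ($current -notcontains $AccountName) {
    Add-ADGroupMember -Identity $GroupName -Members $AccountName
}

# 2. Stop if the push account holds domain-wide admin rights, directly or through
#    nested groups. It should be a local admin on workstations and nothing more.
$accountDn = (Get-ADUser -Identity $AccountName).DistinguishedName
foreach ($privGroup in 'Domain Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $privGroup -Recursive)
    if ($members.DistinguishedName -contains $accountDn) {
        throw "$AccountName is a member of '$privGroup'; remove it before using it for client push."
    }
}

# 3. After the GPO that adds $GroupName to local Administrators has applied,
#    confirm it on a workstation (S-1-5-32-544 is the built-in Administrators group).
$localAdmins = Invoke-Command -ComputerName $Workstation -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
}
if ($localAdmins -match "\\$([regex]::Escape($GroupName))$") {
    "${Workstation}: $GroupName is a local administrator; client push can use $AccountName."
} else {
    Write-Warning "${Workstation}: $GroupName is not in local Administrators; check the GPO scope."
}
```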
          ExpertIT

          RE: SCCM Client installation account Sunday, January 11, 2009 12:40 AM (permalink)
          Dear Csharma,

          I understand your problem and would suggest you add the SCCM client installation account to the local administrators group of all the production machines. This is possible through a logon script.

          Create a script to add the specific account to the local administrators group and use it as a logon script.
           
          Thanks. 
           
          #5
            gjones

            RE: SCCM Client installation account Sunday, January 11, 2009 9:57 AM (permalink)

            ORIGINAL: SMSExpert
            Create a script to add the specific account in local administrator group and use it as logon script.

             
            This only works if the users are local admins, otherwise they will not have the permissions to add the account to the local administrator group.

            If you are talking about a PC start-up script, then why would you use a GPO, which will be more reliable, or even better, add the site server machine account to domain admins, which is added to the local administrator group by default?
             
             
            #6