SCCM AD Accounts Used by ConfigMgr? Have you ever tried to understand the functionality of the AD accounts used in ConfigMgr? We need to do more planning for AD account allocation in Configuration Manager 2007 and 2012.
What do we need to understand before allocating AD accounts for CM 2012? First and foremost, the functionality of each account, and the permissions it really needs. One good example is below.
Wrong account allocation can result in unexpected behavior in the environment. Recently, I was asked to troubleshoot a cross-forest client communication issue.
Finally, the issue was caused by the wrong account allocation. I’ll provide more details on this issue in the next post.
SCCM AD Accounts Used by ConfigMgr
The Active Directory Forest Account is used to discover network infrastructure from Active Directory forests. Central administration sites (CAS) and primary sites also use this account to publish site data to Active Directory Domain Services in that forest when the site server computer account cannot be used (for example, in an untrusted forest).
To publish site data, this account must have Full Control on the System Management container and all its child objects in each Active Directory forest where you want to publish site data. To discover network infrastructure, it needs only Read permission on the AD containers in that forest; do not hand out Full Control for discovery alone.
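As an added example (not code from the original post), the following PowerShell checks whether a given account actually holds Full Control on the System Management container and whether that grant applies to all child objects. It requires the ActiveDirectory RSAT module, and the account names in the usage lines (CONTOSO\svc-cm-forest, CONTOSO\CM01$) are assumptions; substitute your Active Directory Forest Account or site server computer account.

```powershell
# Added example: verify Full Control on the System Management container.
# Requires the ActiveDirectory module (RSAT). Account names below are assumptions.
Import-Module ActiveDirectory

function Test-SystemManagementAcl {
    param(
        [Parameter(Mandatory)] [string] $AccountName,          # 'DOMAIN\user' or 'DOMAIN\SERVER$'
        [string] $DomainDn = (Get-ADDomain).DistinguishedName  # domain in the forest you publish to
    )

    $containerDn = "CN=System Management,CN=System,$DomainDn"

    # Compare by SID so renames or NetBIOS vs. UPN spelling do not cause false negatives.
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # AD does not create this container; until someone creates it, publishing fails quietly.
    try { $null = Get-ADObject -Identity $containerDn -ErrorAction Stop }
    catch {
        return [pscustomobject]@{
            Account = $AccountName; Container = $containerDn
            Exists = $false; FullControl = $false; AppliesToChildren = $false
        }
    }

    $acl = Get-Acl -Path "AD:\$containerDn"
    # Ask for rules (explicit and inherited) with SID identities instead of translated names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $match = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
        $_.ObjectType -eq [guid]::Empty        # not scoped to a single attribute or class
    })

    # InheritanceType 'All' = this object and all descendant objects, which publishing needs.
    $appliesToChildren = [bool]($match | Where-Object { $_.InheritanceType -eq 'All' })

    # Caveat: only ACEs granted directly to this SID are matched. Rights that arrive through
    # a group membership will show as $false here even though they work.
    [pscustomobject]@{
        Account           = $AccountName
        Container         = $containerDn
        Exists            = $true
        FullControl       = ($match.Count -gt 0)
        AppliesToChildren = $appliesToChildren
    }
}

# Usage with assumed names: the forest account and a site server computer account.
Test-SystemManagementAcl -AccountName 'CONTOSO\svc-cm-forest'
Test-SystemManagementAcl -AccountName 'CONTOSO\CM01$'
```

Run it against each forest you publish to by passing that forest's domain DN in -DomainDn; a result of Exists = $false is the classic cause of "site data never appears in AD", and FullControl = $true with AppliesToChildren = $false means the grant was made on the container only and will break the moment the site tries to create child objects.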
The account details are documented in Microsoft's docs article on GitHub, but they are not easy to find there. Download the PDF file, which lists them in the following format: account name, details about the account's usage and functions, and its permission requirements.
Ten other important points that we need to remember as SCCM/ConfigMgr administrators are given below.
1. AD Group Discovery Account: Distribution groups are not discovered as group resources.
2. Capture Operating System Image Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
3. Client Push Installation Account: Do not grant this account the right to log on locally.
4. Health State Reference Querying Account, Management Point Database Connection Account, Multicast Connection Account: Do not grant this account interactive logon rights.
5. Network Access Account: Do not grant this account interactive logon rights or the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account instead.
6. Package Access Account: You do not have to add the Network Access Account as a Package Access Account.
7. Software Update Point Connection Account: The Site System Installation Account can install components for software updates but cannot perform software update-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account.
8. Site System Installation Account: Configuration Manager also uses the Site System Installation Account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all site system roles on that site system.
9. Task Sequence Editor Domain Joining Account: Do not assign this account interactive logon permissions or use the Network Access Account for it.
10. Task Sequence Editor Network Folder Connection Account: Do not assign this account interactive logon permissions or use the Network Access Account for it.
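Several of the points above say the same thing: the account must not have interactive logon rights, and the Network Access Account must also not be able to join computers to the domain. As an added example (not code from the original post), the PowerShell below exports the local security policy of the site system or reference machine it runs on and reports, for each ConfigMgr account, whether it is explicitly denied interactive and RDP logon, whether it is (wrongly) denied network logon, and whether it holds "Add workstations to domain". The account names are assumptions; replace them with the accounts in your hierarchy. It must run from an elevated prompt because secedit.exe needs administrative rights.

```powershell
# Added example: audit user rights of ConfigMgr accounts on this machine.
# Account names are assumptions; run elevated.
$accountsToCheck = @(
    'CONTOSO\svc-cm-naa',         # Network Access Account
    'CONTOSO\svc-cm-clientpush',  # Client Push Installation Account
    'CONTOSO\svc-cm-capture',     # Capture Operating System Image Account
    'CONTOSO\svc-cm-domjoin'      # Task Sequence Editor Domain Joining Account
)

function Get-LocalUserRights {
    # Export only the user rights area and parse [Privilege Rights] into
    # a hashtable: privilege name -> array of 'DOMAIN\name' strings.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt." }

    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $priv = $Matches[1]
            $members = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # '*S-1-5-...' entries are SIDs; translate to DOMAIN\name, keep the raw SID on failure.
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $entry.Substring(1) }
                } else { $entry }
            }
            $rights[$priv] = @($members)
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-ConfigMgrAccountRights {
    param([Parameter(Mandatory)] [string[]] $Accounts)
    $rights = Get-LocalUserRights
    foreach ($acct in $Accounts) {
        $deniedInteractive = $rights['SeDenyInteractiveLogonRight']       -contains $acct
        $deniedRdp         = $rights['SeDenyRemoteInteractiveLogonRight'] -contains $acct
        $deniedNetwork     = $rights['SeDenyNetworkLogonRight']           -contains $acct
        # 'Add workstations to domain' is enforced on domain controllers; on a member server
        # this list is normally empty, so the value is only meaningful when run on a DC.
        $canJoinDomain     = $rights['SeMachineAccountPrivilege']         -contains $acct

        # A domain user gets 'Allow log on locally' through BUILTIN\Users by default, so
        # 'not granted explicitly' is not enough; the account must be in the Deny list.
        $note = if (-not $deniedInteractive) { 'Not denied; inherits interactive logon via BUILTIN\Users' } else { '' }
        [pscustomobject]@{
            Account                  = $acct
            DeniedInteractiveLogon   = $deniedInteractive
            DeniedRdpLogon           = $deniedRdp
            DeniedNetworkLogon       = $deniedNetwork   # must be $false for the NAA; it reaches DP shares over the network
            HasAddWorkstationsRight  = $canJoinDomain   # should be $false for the NAA
            Note                     = $note
        }
    }
}

Test-ConfigMgrAccountRights -Accounts $accountsToCheck | Format-Table -AutoSize
```

The useful output is the Note column: an account that is merely absent from "Allow log on locally" still logs on interactively through the Users group, which is why the hardening for these accounts is an explicit "Deny log on locally" (and "Deny log on through Remote Desktop Services") entry, ideally pushed by GPO to every site system and client. Keep the Network Access Account out of "Deny access to this computer from the network", or clients in workgroups and untrusted domains lose access to distribution point shares.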
Author
Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and leader of the HTMD local user group community. His primary focus is device management technologies such as SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hi, good doc on the AD accounts and restrictions. I have been wondering for a long time which account is being used while taking remote control. Is it the network access account?
Hi Ajay! More details here: https://www.anoopcnair.com/windows-local-groups-created-and-used-by-configmgr-2012-sp1/
Thank you very much, Anoop. Got it cleared. Feeling bad for not knowing all these days.