Have you ever tried to understand the functionality of the AD accounts used in ConfigMgr? I think we need to do more planning of AD account allocation for Configuration Manager 2012 and 2007. Wrong allocation of accounts can result in unexpected behavior in the environment. Recently, I was asked to troubleshoot a cross-forest client communication issue. Finally, the issue turned out to be caused by wrong account allocation. I'll provide more details on this issue in the next post.
What are the important points that we need to understand before performing AD account allocation for CM 2012? First and foremost, we need to understand the functionality of each account. One perfect example is below.
The Active Directory Forest Account is used to discover network infrastructure from Active Directory forests. This account is also used by the CAS and primary sites to publish site data to the AD forest. This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.
AD account details are explained in the GitHub article. However, it's not very easy to find these details. Download the PDF file from here; it provides the details in the following format: Account Name, details about the account's usage and functions, and the permission requirements of the account.
Ten other very important points that we need to remember as SCCM/ConfigMgr administrators are given below.
1. AD Group Discovery Account: Distribution groups are not discovered as group resources.
2. Capture Operating System Image Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
3. Client Push Installation Account: Do not grant this account the right to log on locally.
4. Health State Reference Querying Account, Management Point Database Connection Account, Multicast Connection Account: Do not grant these accounts interactive logon rights.
5. Network Access Account: Do not grant this account interactive logon rights. Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.
6. Package Access Account: You do not have to add the Network Access Account as a Package Access Account.
7. Software Update Point Connection Account: The Site System Installation Account can install components for software updates, but cannot perform software-update-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account.
8. Site System Installation Account: Configuration Manager also uses the Site System Installation Account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all site system roles on that site system.
9. Task Sequence Editor Domain Joining Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
10. Task Sequence Editor Network Folder Connection Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
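Several of the points above boil down to one rule: the ConfigMgr service accounts must not hold interactive logon rights on site systems. The following PowerShell audit is an added example, not part of the original post or of ConfigMgr itself; it exports the local user-rights assignment with secedit and reports whether each listed account is directly granted or explicitly denied interactive logon. The account names are placeholders you must replace with the accounts you allocated.

```powershell
# Added example: audit interactive logon rights for ConfigMgr service accounts on this site system.
# Run in an elevated PowerShell session on the site server / site system being checked.
# Account names below are placeholders (assumed), not values from the original post.
$AccountsToCheck = @(
    'CONTOSO\svc-cm-clientpush',   # Client Push Installation Account
    'CONTOSO\svc-cm-naa',          # Network Access Account
    'CONTOSO\svc-cm-capture',      # Capture Operating System Image Account
    'CONTOSO\svc-cm-domainjoin',   # Task Sequence Editor Domain Joining Account
    'CONTOSO\svc-cm-tsfolder'      # Task Sequence Editor Network Folder Connection Account
)

# Export only the user-rights area of the local security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'cm-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Parse the [Privilege Rights] section: each line is "SeRightName = *SID,*SID,Name,..."
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = $Matches[2].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; translate to DOMAIN\name where resolvable
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
    }
}

# An explicit deny (SeDenyInteractiveLogonRight) wins over any allow. A direct allow is a finding.
# An account not listed directly may still inherit the right via a group (e.g. local Users),
# so "not listed" is not proof of compliance; check group membership separately.
foreach ($acct in $AccountsToCheck) {
    $allowed = @($rights['SeInteractiveLogonRight']) -contains $acct
    $denied  = @($rights['SeDenyInteractiveLogonRight']) -contains $acct
    [pscustomobject]@{
        Account          = $acct
        DirectlyAllowed  = $allowed
        ExplicitlyDenied = $denied
        Status           = if ($denied) { 'OK: interactive logon denied' }
                           elseif ($allowed) { 'REVIEW: interactive logon granted directly' }
                           else { 'Not listed directly: verify group membership' }
    }
}
```

The same check can be repeated for `SeRemoteInteractiveLogonRight` (Remote Desktop) if you treat RDP as interactive logon for these accounts.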
More details in the Technet article here.
Hi, good doc on the AD accounts and restrictions. I have been wondering for a long time which account is being used while taking remote control? Is it the network access account?
Hi Ajay! More details here. https://anoopcnair.com/windows-local-groups-created-and-used-by-configmgr-2012-sp1/
Thank you very much Anoop. Got it cleared. Feeling bad for not knowing all these days.