SCCM AD Accounts Used by ConfigMgr Endpoint Manager? Have you ever tried to understand the functionality of AD accounts used in ConfigMgr? We need to do more Planning in AD account allocation for Configuration Manager 2012, 2007, and 2012.
Wrong allocation of accounts can result in unexpected behavior in the environment. Recently, I was asked to troubleshoot a cross-forest client communication issue. Finally, the issue turned out to be with the wrong account allocation. I’ll provide more details on this issue in the next post.
SCCM AD Accounts Used by ConfigMgr Endpoint Manager
What are the important points we need to understand before performing AD accounts allocation for CM 2012? First and foremost, we need to understand the functionality of each account. One perfect example is below.
The Active Directory Forest Account is used to discover network infrastructure from Active Directory forests. This account is also used by CAS and primary sites to publish site data to the AD forest.
This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data. SCCM AD Accounts Used by ConfigMgr Endpoint Manager.
AD account details are explained in the GitHub article. However, it’s not very easy to find these details. Download the PDF file, which will provide you with the details in the following format. Account Name, Details about the Account usage, functions, and Permission requirement.
10 other very important points that we need to remember as SCCM/ConfigMgr administrators are given below.
1. AD Group Discovery Account: Distribution groups are not discovered as group resources.
2. Capture Operating System Image Account: Do not assign this account interactive logon permissions. Do not use the Network Access account for this account.
3. Client Push Installation Account: Do not grant this account the right to log on locally.
4. Health State Reference Querying Account, Management Point Database Connection Account, Multicast Connection Account: Do not grant this account interactive logon rights.
5. Network Access Account: Do not grant this account interactive logon rights. Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.
6. Package Access Account: You do not have to add the Network Access Account as a Package Access Account.
7. Software Update Point Connection Account: The Site System Installation Account can install components for software updates but cannot perform software update-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account.
8. Site System Installation Account: Configuration Manager also uses Site System Installation Account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account. Still, you can configure only one Site System Installation Account to manage all site system roles on that site system.
9. Task Sequence Editor Domain Joining Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
10. Task Sequence Editor Network Folder Connection Account: Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.
Resources
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a logger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Hi good doc on the AD accounts and restrictions.. I have been wondering for a long time which account is being used while taking remote control? Is it network access account?
Hi Ajay ! – More details here. https://www.anoopcnair.com/windows-local-groups-created-and-used-by-configmgr-2012-sp1/
Thank you very much Anoop.. got cleared.. feeling bad for not knowing all these days..