Accounts that Configuration Manager uses
* Audit ‘Application Group Management’ is set to ‘Success and Failure’
* Audit ‘Computer Account Management’ is set to ‘Success and Failure’
* Audit ‘Other Account Management Events’ is set to ‘Success and Failure’
* Audit ‘Security Group Management’ is set to ‘Success and Failure’
* Audit ‘User Account Management’ is set to ‘Success and Failure’
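
The five audit settings above can be verified from the report that `auditpol /get /category:"Account Management" /r` prints. The following is an added example, not part of the original page: the function name `Test-AccountManagementAudit` and the sample report are constructed here, and it assumes English-language subcategory names in the report.

```powershell
# Subcategories and required setting, as listed on this page.
$Required = @(
    'Application Group Management'
    'Computer Account Management'
    'Other Account Management Events'
    'Security Group Management'
    'User Account Management'
)
$Expected = 'Success and Failure'

function Test-AccountManagementAudit {
    param(
        # CSV lines as printed by: auditpol /get /category:"Account Management" /r
        [string[]] $CsvLines
    )
    # The report can contain blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        # A subcategory absent from the report is treated as non-compliant.
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Missing' }
        [pscustomobject]@{
            Subcategory = $name
            Actual      = $actual
            Compliant   = ($actual -eq $Expected)
        }
    }
}

# Constructed sample report (host name and GUID column are placeholders).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

SITE01,System,User Account Management,{guid},Success and Failure,
SITE01,System,Computer Account Management,{guid},Success,
SITE01,System,Security Group Management,{guid},Success and Failure,
SITE01,System,Application Group Management,{guid},No Auditing,
SITE01,System,Other Account Management Events,{guid},Success and Failure,
'@ -split "`r?`n"

Test-AccountManagementAudit -CsvLines $sample | Format-Table -AutoSize

# Live check from an elevated prompt:
# Test-AccountManagementAudit -CsvLines (auditpol /get /category:"Account Management" /r)
```
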
This group is a local security group that Configuration Manager creates on the site database server or database replica server for a child primary site. The site creates it when you use distributed views for database replication between sites in a hierarchy. It contains the site server and SQL Server computer accounts of the central administration site.
For more information, see Data transfers between sites.
Configuration Manager Remote Control Users
Configuration Manager remote tools use this group to store the accounts and groups that you set up in the Permitted Viewers list. The site assigns this list to each client.
For more information, see Introduction to remote control.
Accounts that Configuration Manager uses
You can set up the following accounts for Configuration Manager.
Tip: Don’t use the percentage character (`%`) in the password for accounts that you specify in the Configuration Manager console. The account will fail to authenticate.
Active Directory user discovery account
The site uses the Active Directory user discovery account to discover user accounts from the locations in Active Directory Domain Services that you specify.
This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.
For more information, see Active Directory user discovery.
Configure the network access account
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Then select the site.
2. On the Settings group of the ribbon, select Configure Site Components, and choose Software Distribution.
3. Choose the Network access account tab. Set up one or more accounts, and then choose OK.
Package access account
A Package access account lets you set NTFS permissions to specify the users and user groups that can access package content on distribution points. By default, Configuration Manager grants access only to the generic access accounts User and Administrator. You can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so they don’t use a package access account.
By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to the local Users group, and Full Control to the local Administrators group. The actual permissions required depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the network access account to access the package content. Make sure that the network access account has permissions to the package by using the defined package access accounts.
Use accounts in a domain that can access the distribution points. If you create or modify the account after you create the package, you must redistribute the package. Updating the package doesn’t change the NTFS permissions on the package.
You don’t have to add the network access account as a package access account, because membership of the Users group adds it automatically. Restricting the package access account to only the network access account doesn’t prevent clients from accessing the package.
Manage package access accounts
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, determine the type of content for which you want to manage access accounts, and follow the steps provided:
   * Application: Expand Application Management, choose Applications, and then select the application for which to manage access accounts.
   * Package: Expand Application Management, choose Packages, and then select the package for which to manage access accounts.
   * Software update deployment package: Expand Software Updates, choose Deployment Packages, and then select the deployment package for which to manage access accounts.
   * Driver package: Expand Operating Systems, choose Driver Packages, and then select the driver package for which to manage access accounts.
   * OS image: Expand Operating Systems, choose Operating System Images, and then select the operating system image for which to manage access accounts.
   * OS upgrade package: Expand Operating Systems, choose Operating system upgrade packages, and then select the OS upgrade package for which to manage access accounts.
   * Boot image: Expand Operating Systems, choose Boot Images, and then select the boot image for which to manage access accounts.
3. Right-click the selected object, and then choose Manage Access Accounts.
4. In the Add Account dialog box, specify the account type that will be granted access to the content, and then specify the access rights associated with the account.
Note: When you add a user name for the account, and Configuration Manager finds both a local user account and a domain user account with that name, Configuration Manager sets access rights for the domain user account.
Site system proxy server account
The following site system roles use the Site system proxy server account to access the internet via a proxy server or firewall that requires authenticated access:
* Asset Intelligence synchronization point
* Exchange Server connector
* Service connection point
* Software update point
Important: Specify an account that has the least possible permissions for the required proxy server or firewall.
For more information, see Proxy server support.
Source site database account
The migration process uses the Source site database account to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the source site database account must have the Read and Execute permissions to the source site’s SQL Server database.
If you use the Configuration Manager (current branch) computer account, make sure that all the following are true for this account:
* It’s a member of the Distributed COM Users security group in the same domain as the Configuration Manager 2007 site
* It’s a member of the SMS Admins security group
* It has the Read permission to all Configuration Manager 2007 objects
Note: Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.
For more information, see Migrate data between hierarchies.
Task sequence network folder connection account
The task sequence engine uses the Task sequence network folder connection account to connect to a shared folder on the network. This account is required by the Connect to Network Folder task sequence step.
This account requires permissions to access the specified shared folder. It must be a domain user account.
Tip: Create one domain user account with minimal permissions to access the required network resources, and use it for all task sequences.
Important: Don’t assign interactive sign-in permissions to this account. Don’t use the network access account for this account.
User objects that Configuration Manager uses in SQL Server
Configuration Manager automatically creates and maintains the following user objects in SQL. These objects are located within the Configuration Manager database under Security/Users.
Important: Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. We recommend you do not make any changes to these objects.