Permissions for SCCM Service AccountIs SCCM overkill for medium-sized organizations?Packaging Office apps for SCCM 2012SCCM 2012 - Multi-domain?How do you conduct your SCCM updates?SCCM 2012: SQL Server service running accountChange SCCM Service Broker PortSCCM 2012 software updates failingCannot deploy SCCM 2012 clientWhat are the minimum permissions needed to manage DNS Policies in Server 2016?GetDPLocations failed with error 0x80004005
What detail can Hubble see on Mars?
A♭ major 9th chord in Bach is unexpectedly dissonant/jazzy
How is it believable that Euron could so easily pull off this ambush?
Latex editor/compiler for Windows and Powerpoint
When does WordPress.org notify sites of new version?
why it is 2>&1 and not 2>>&1 to append to a log file
Make me a minimum magic sum
How to get the decimal part of a number in apex
Appropriate age to involve kids in life changing decisions
Can anyone identify this unknown 1988 PC card from The Palantir Corporation?
In a series of books, what happens after the coming of age?
While drilling into kitchen wall, hit a wire - any advice?
call() a function within its own context
Splitting polygons and dividing attribute value proportionally using ArcGIS Pro?
Justification of physical currency in an interstellar civilization?
If an attacker targets a creature with the Sanctuary spell cast on them, but fails the Wisdom save, can they choose not to attack anyone else?
In the figure, a quarter circle, a semicircle and a circle are mutually tangent inside a square of side length 2. Find the radius of the circle.
How to increase speed on my hybrid bike with flat handlebars and 700X35C tyres?
How do I give a darkroom course without negs from the attendees?
What is the Ancient One's mistake?
Where do 5 or more U.S. counties meet in a single point?
What does the copyright in a dissertation protect exactly?
Crime rates in a post-scarcity economy
Searching for a sentence that I only know part of it using Google's operators
Permissions for SCCM Service Account
Is SCCM overkill for medium-sized organizations?Packaging Office apps for SCCM 2012SCCM 2012 - Multi-domain?How do you conduct your SCCM updates?SCCM 2012: SQL Server service running accountChange SCCM Service Broker PortSCCM 2012 software updates failingCannot deploy SCCM 2012 clientWhat are the minimum permissions needed to manage DNS Policies in Server 2016?GetDPLocations failed with error 0x80004005
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Does anyone know what is the least privileged Active Directory security group needed for the MS-SCCM 2012 service account to do software updates via Configuration Manager? ConfigMgr runs fine with the account being in Domain Admins, but I’d like to give it less permission. I’ve heard that it could be made a local admin on every target device through group policy, but I’m hoping that there’s a better solution. Digging through TechNet has not yielded surprisingly little.
Thanks
active-directory sccm-2012
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
add a comment |
Does anyone know what is the least privileged Active Directory security group needed for the MS-SCCM 2012 service account to do software updates via Configuration Manager? ConfigMgr runs fine with the account being in Domain Admins, but I’d like to give it less permission. I’ve heard that it could be made a local admin on every target device through group policy, but I’m hoping that there’s a better solution. Digging through TechNet has not yielded surprisingly little.
Thanks
active-directory sccm-2012
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
add a comment |
Does anyone know what is the least privileged Active Directory security group needed for the MS-SCCM 2012 service account to do software updates via Configuration Manager? ConfigMgr runs fine with the account being in Domain Admins, but I’d like to give it less permission. I’ve heard that it could be made a local admin on every target device through group policy, but I’m hoping that there’s a better solution. Digging through TechNet has not yielded surprisingly little.
Thanks
active-directory sccm-2012
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
Does anyone know what is the least privileged Active Directory security group needed for the MS-SCCM 2012 service account to do software updates via Configuration Manager? ConfigMgr runs fine with the account being in Domain Admins, but I’d like to give it less permission. I’ve heard that it could be made a local admin on every target device through group policy, but I’m hoping that there’s a better solution. Digging through TechNet has not yielded surprisingly little.
Thanks
active-directory sccm-2012
active-directory sccm-2012
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
asked Sep 16 '14 at 20:33
mpavittmpavitt
62
62
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
My knowledge on the particulars of SCCM 2012 are somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to affect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f629007%2fpermissions-for-sccm-service-account%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
My knowledge on the particulars of SCCM 2012 are somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to affect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
add a comment |
My knowledge on the particulars of SCCM 2012 are somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to affect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
add a comment |
My knowledge on the particulars of SCCM 2012 are somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to affect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
My knowledge on the particulars of SCCM 2012 are somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to affect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
answered Sep 16 '14 at 20:55
Ryan BolgerRyan Bolger
14.1k23151
14.1k23151
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f629007%2fpermissions-for-sccm-service-account%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
