Sunday, 10 February 2013

ConfigMgr 2012 / SCCM 2012 SP1 Step by Step Guide Part 4: ConfigMgr Service Accounts


Part 4 describes the configuration of the ConfigMgr service accounts.

Two service accounts are required - note that they can be the same domain account

1. Client Push Installation account

Select Administration/Site Configuration/Site
On top ribbon choose Client Installation settings




Select Accounts tab
Click the orange star to configure the Client Push Installation account. This account must be a local administrator on all client devices. This can be achieved by using Active Directory Restricted Groups (although some customers just use a Domain Administrator account, which is not best practice).


Select the option to Enable automatic client installation when a computer is discovered via Config Mgr.


2. Network Access Account

Select Configure Site Components on the ribbon
Select Software Distribution Component

Configure the Network Access account. This is a regular domain account and is used in Operating System Deployment and Software Distribution to connect to the Distribution Point (otherwise the SCCMServer$ account is used and by default cannot connect to the DP). 

This account requires "Access this computer from the network" rights on the DP (which it will have by default). 
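
An added example, not part of the original guide: a PowerShell check that neither service account has ended up in a privileged domain group, plus a spot-check of the local Administrators group on one client. The account names and client name are placeholders, and it assumes the ActiveDirectory module (RSAT) and PowerShell remoting to the client.

```powershell
# Added example. Account and computer names are placeholders (assumptions).
Import-Module ActiveDirectory

$PushAccount  = 'svc_cmpush'   # hypothetical Client Push Installation account
$NaaAccount   = 'svc_cmnaa'    # hypothetical Network Access Account
$SampleClient = 'CLIENT01'     # hypothetical client to spot-check

# Groups neither account should belong to, directly or through nesting.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMembership {
    param([string]$SamAccountName, [string[]]$Groups)
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups, so indirect membership is caught too.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch { continue }   # group not present in this domain
        if ($members.SamAccountName -contains $SamAccountName) { $group }
    }
}

foreach ($account in $PushAccount, $NaaAccount) {
    $hits = @(Get-PrivilegedMembership -SamAccountName $account -Groups $PrivilegedGroups)
    if ($hits.Count -gt 0) {
        Write-Warning "$account is a member of: $($hits -join ', ')"
    } else {
        Write-Output "$account is not in any of the privileged domain groups checked"
    }
}

# Spot-check the local Administrators group on one client over PowerShell remoting.
$localAdmins = Invoke-Command -ComputerName $SampleClient -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}
$localAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

$domain = (Get-ADDomain).NetBIOSName
if ($localAdmins.Name -notcontains "$domain\$PushAccount") {
    # Expected when the right is granted through a group pushed by Restricted Groups.
    Write-Output "$PushAccount is not a direct member; confirm it is in one of the groups listed"
}
if ($localAdmins.Name -contains "$domain\$NaaAccount") {
    # The guide describes the NAA as a regular domain account.
    Write-Warning "$NaaAccount is a local administrator on $SampleClient"
}
```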



16 comments:

  1. It also requires "Access this computer from the network" rights on the DP
    Everyone and authentication group already has this right!! Why does it require adding the account to this group?

  2. That section was badly written. Thanks for pointing it out. I've revised it now.

  3. Gerry, did I meet you at the Wally Mead event in London? My name is Terence, originally from Dublin but living in Ireland. If you are, it's a bloody small world :)
    Good site.

  4. That was me all right Terence. How's it going? Why don't you connect to me on LinkedIn and we can have a chat.

  5. Sounds good Gerry, I will add you to Twitter too :)

  6. The last step doesn't work for me. I have added the users to the GPO and did a /force command, but when I want to add the users, AD can't find them..

  7. I don't understand "I have added the users to the gpo" and "when i want to add the users, ad cant find them".

    It is required that the Network Access account has "Access this computer from the network" rights on the DP. The last screenshot shows that Everyone has this access so no further configuration should be necessary. I've stated that above:

    This account requires "Access this computer from the network" rights on the DP (which it will have by default).

  8. I am getting Insufficient access rights under Publishing Status. Please help.

    Replies
    1. Are you seeing this in Administration > Active Directory Forests > Publishing Status tab?

      This means that you are unable to publish your site to AD. Typically that means that you have not granted permission to your SCCM_Site_Server computer account over the System Management container.

      Have you done this? You need to delegate control of the container to the computer object (Full Control).

  9. Hi Gerry, you mentioned on this page - "Otherwise the SCCMServer$ account is used and by default cannot connect to the DP". Is there any configuration required to make it work so that I don't have to specify a separate Network Access Account?

    Replies
    1. I recommend that you DO specify a Network Access Account Sandeep. It's common practice.

  10. Hi Gerry - thought of posting it here as it might help someone facing the issue. I have SCCM 2012 R2 with CU4 installed. SCCM 2012 R2 does not support Client Push Installation accounts whose account name has a hyphen "-". I had configured 2 accounts, both of which had "-", but the CCM log had these entries: "---> Warning: no remote client installation account found SMS_CLIENT_CONFIG_MANAGER 2/6/2015 11:48:16 PM 6940 (0x1B1C)". It started working only after I tried with another account which did not have a hyphen. While I was troubleshooting I was getting these strange entries in the logs as well: "WARNING: Unable to get client connection account from site control file on server SMS_CLIENT_CONFIG_MANAGER 2/6/2015 11:48:57 PM 4364 (0x110C)"

    Replies
    1. Thanks Sandeep. I haven't heard that before.

  11. So do we create a new account or use the SCCMAdmin account?

    Replies
    1. What specifically are you referring to?

  12. Hi Gerry, doesn't look like I can change the "Access this computer from the network". Logged in with domain admin and local admin. Add user or group greyed out. Any ideas?
    Thanks
    Peter
