lstrm Posted November 16, 2014

Now that I've got my OSD process working, I have a question around security and best practices surrounding the use of an account for automatically joining computers to the domain. I've really been looking around but have been unable to find anyone providing a good explanation of the potential security issues surrounding this.

Right now during my lab deployments, I have simply provided the credentials to the task sequence, and given this account rights (or actually a security group, which the account is a member of) to manage computer objects in the client machines' OUs. This is, as far as I understand, how you usually do it. But as I understand it, the password for the domain join account is stored in clear text (or in some other easily decipherable form) in the task sequence.

Now my plan for OSD is to constantly have a number of task sequences available to all computers so that a technician can just choose one fitting for the machine, either through PXE boot or Software Center, and start a deployment or reinstall. But this I would assume also means that any malicious employee or attacker can easily gain access to this account's credentials, and thus potentially wreak some serious havoc in my client-computer OUs (like deleting or changing the passwords on all objects).

I just can't wrap my mind around how you handle this in a safe way, or do you simply have to take a chance and risk this for the convenience of auto domain join? I'm only on my first week of SCCM experience, so please do set me straight if I've completely misunderstood the process surrounding this.