Push account type local admin vs domain admin

[jackvdbuk]

Hi all,

 

trying to work out why i cant use the %COMPUTERNAME%\Administrator account to push clients as i just get errors in CCMSETUP

 

to confirm from my understanding you can use a local admin account if it has access to the machine you are installing the client to? we have a default admin account on all machines with the same password but this type of push doesn't work as per below.

 

the push install works successfully using my domain admin credentials but of course if my password expires or my account is disabled (leave) this causes issues in deployments that are undeeded..? is my understanding of this correct? we can use mutiple domain admin accounts but all these type of accounts passwords expire..

 

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using account '%computername%\administrator' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account %computername%\administrator (00000569) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using machine account. SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Failed to connect to \\MACHINENAME\admin$ using machine account (5) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> ERROR: Failed to connect to the \\MACHINENAME\admin$ share using account 'Machine Account' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using account '%computername%\administrator' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account %computername%\administrator (00000569) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using machine account. SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Failed to connect to \\MACHINENAME\admin$ using machine account (5) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> ERROR: Failed to connect to the \\MACHINENAME\admin$ share using account 'Machine Account' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using account '%computername%\administrator' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account %computername%\administrator (00000569) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Attempting to connect to administrative share '\\MACHINENAME\admin$' using machine account. SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> Failed to connect to \\MACHINENAME\admin$ using machine account (5) SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> ERROR: Failed to connect to the \\MACHINENAME\admin$ share using account 'Machine Account' SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

---> ERROR: Unable to access target machine for request: "16777287", machine name: "MACHINENAME", access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 25/08/2016 14:01:22 10528 (0x2920)

[Rocket Man]

Have you tried %machinename%?

Make sure that this local account administrator is not disabled as it does be by default?

If using another local account make sure its a member of the local administrators group on the systems.

[GarthMJ]

The %computername% will not do what you want as it will always be the site server. You should use an domain account.

[tregelen]

You should have a domain service account created and added to the local admins group on the machines. I believe that is part of the MS best practices.

[jackvdbuk]

You should have a domain service account created and added to the local admins group on the machines. I believe that is part of the MS best practices.

Thats fair enough, but if the account has an non expiring password and is on the domain - this would break our IT policy here at the company...

 

i guess i will have to use my own admin account and other admin accounts as backup if one expires..as this is governed by higher ups that will not allow a "machine" admin account

[GarthMJ]

Thats fair enough, but if the account has an non expiring password and is on the domain - this would break our IT policy here at the company...

 

i guess i will have to use my own admin account and other admin accounts as backup if one expires..as this is governed by higher ups that will not allow a "machine" admin account

 

Why does the password have to never expirer? There is no requirement for account with non-expiring PW.

Why can't you have two account with offsetting password reset dates?

[jackvdbuk]

 

Why does the password have to never expirer? There is no requirement for account with non-expiring PW.

Why can't you have two account with offsetting password reset dates?

Good point i guess, i just had it that it would be possible to use a local admin account for deployment on all machines to prevent a incorrect password being a reason it doesn't deploy in future.