liquidcourage1 Posted September 19, 2011
We are looking at a huge deployment of SCCM and I thought SCCM needed an account user that had domain administration rights. Is this incorrect? What is the highest level of access this account needs within the domain? Keep in mind the following: the server will take care of asset management, imaging (PXE), and patch management.
Prajwal Desai Posted September 20, 2011
Domain Admin and Enterprise Admin.
anyweb Posted September 20, 2011
The System Center Configuration Manager SMSadmin user only needs to be a Local Administrator of the SCCM server itself; no need to be a domain admin, that's overkill and a security risk.
waingro Posted September 20, 2011
We already had a group that granted local workstation admin rights to our deskside team which was enforced using a GPO. We put our SCCM service account in that group so we could deploy clients to a pre-existing environment after enabling certificates for native mode. Don't use this approach on a DC! That'll give the service account domain admin rights - just do a manual install on those machines. Once the client has been deployed across the domain you can remove this membership as long as you are deploying OSes using SCCM - the services run as Local System and SCCM will handle the new client installs for you during OS deployment. I recommend using a long complex password for the service account. Basically the account needs to have enough rights to install the client on pre-existing machines (IF you aren't refreshing the OS using SCCM) and it needs local admin rights on the SCCM server and the remote SQL server (if applicable).
liquidcourage1 Posted September 21, 2011
So I don't need domain admin access to push out the client to pre-existing machines?
anyweb Posted September 22, 2011
To install the client on existing machines you need a separate client push account; THAT account must be a member of the Local Administrators group on the machines you intend to install the client on.
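A way to audit the least-privilege split described in this thread, as an added example that is not from any of the posters: it flags the site server account and the client push account if either sits in Domain Admins or Enterprise Admins, and confirms each one holds local Administrators membership only where it is needed. The account names, server names and client names are placeholders; it assumes the ActiveDirectory RSAT module on the machine running it and PowerShell 5.1+ with WinRM on the targets.

```powershell
# Added example (not from the thread). Placeholders below must be replaced
# with the real service account, site/SQL server and pilot client names.
Import-Module ActiveDirectory

$SiteServerAccount = 'CONTOSO\svc-sccm'        # placeholder SMSadmin-style account
$ClientPushAccount = 'CONTOSO\svc-sccm-push'   # placeholder client push account
$SiteServers       = @('SCCM01', 'SQL01')      # site server and remote SQL server
$PilotClients      = @('WS001', 'WS002')       # machines the push account must reach

# Groups the service accounts should never be in (per the thread: overkill).
$PrivilegedGroups  = @('Domain Admins', 'Enterprise Admins')

function Test-PrivilegedGroupMembership {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    foreach ($g in $PrivilegedGroups) {
        # -Recursive catches nested membership; Enterprise Admins only exists in the root domain
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members.SamAccountName -contains $sam) {
            Write-Warning "$Account is a member of '$g' - remove it, local admin is enough"
        }
    }
}

function Test-LocalAdmin {
    param([string]$Account, [string[]]$Computers)
    foreach ($c in $Computers) {
        # Get-LocalGroupMember returns Name as DOMAIN\user, matching our placeholders
        $isAdmin = Invoke-Command -ComputerName $c -ScriptBlock {
            param($acct)
            (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name -contains $acct
        } -ArgumentList $Account
        if ($isAdmin) { "$Account is local admin on $c (required)" }
        else          { Write-Warning "$Account is NOT local admin on $c" }
    }
}

# Neither account should be a domain-level admin.
Test-PrivilegedGroupMembership -Account $SiteServerAccount
Test-PrivilegedGroupMembership -Account $ClientPushAccount
# Site server account: local admin on the site server and remote SQL server only.
Test-LocalAdmin -Account $SiteServerAccount -Computers $SiteServers
# Client push account: local admin on the machines receiving the client.
Test-LocalAdmin -Account $ClientPushAccount -Computers $PilotClients
```

Running the last check against a domain controller will always report the push account as a local admin, which is the DC case waingro warns about; handle DCs by manual install rather than by push.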