Re: Administrator--Client installation account problem

From: BugginOuT (BugginOuT_at_optonline.net)
Date: 10/29/04

Next message: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Previous message: Bippen Bisht [MSFT]: "Re: Scanwrapper.exe"
In reply to: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Next in thread: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Reply: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Messages sorted by: [ date ] [ thread ]

Date: Fri, 29 Oct 2004 15:02:41 -0400

I guess we both have the same problem here.

Wouldn't the Domain Admin have the same privileges as a Local Admin on a
workstation?

I have most of the services attached with the Domain Admin account, but I'm
not seeing any agents being installed or Push-Client be initiated.

I believe when I specified my SMS Service account, I associated with my
Domain Admin Account, is this wrong?

On Question #4: Jeff said to use a Regular domain user, would the Domain
Admin account matter?

"Jeff Harbaugh [MSFT]" <jeffharb@online.microsoft.com> wrote in message
news:OKGmRPevEHA.2536@TK2MSFTNGP11.phx.gbl...
> 1. The SMS Service accoutn is the one you specified during setup. If you
> are using advanced security the account is the local system account.
> 2. You do not have to be in advanced security to push the client.
> 3. This account can be a domain user account. (the restriction is that the
> account needs to be a local admin on the client machines.) Also you can
> use %Machinename%\Administrator. of course providing the Administrator
> account has the same password on all the clients.
> 4. Regular domain user.
>
> That is why most people add a domain admin account to the push account so
> you do not have to add it manually to all computers. This is not required
> though.
> In order to execute software on the clients we need to have admin access
> to the machines, which is why we require the account to be a local admin
> on the clients.
>
> --
> Thanks,
> Jeff Harbaugh [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Richard" <Richard@discussions.microsoft.com> wrote in message
> news:D8AE02A9-4774-45E1-BB9E-BBCE2ABB5B0C@microsoft.com...
>> It states in the SMS 2003 Admin. Companion book, "Be sure that whatever
>> client installation account you're using---the SMS Service account or
>> your
>> own designated SMS Client Push Installation account--has local admin.
>> rights
>> on the client."
>>
>> I am starting to deploy to the clients using the Advanced Client.
>>
>> I have some questions on how to setup the security in various areas of
>> SMS:
>>
>> 1. Which System Service is the "SMS Service" account--is it the
>> SMS_EXECUTIVE service or other?
>> 2. Should this System Service be changed from Local System to domain
>> administrator in order to be able to succesfully push out the clients
>> using
>> the Client Push Install Wizard?
>> 3. In Client Push Install Methods-->Client Push Installation, what type
>> of
>> account needs to be listed--a Domain Admins group user (insecure),
>> regular
>> user account, other?
>> 4. In Component Configuration-->Software Configuration-->Software
>> Distribution, what type of account needs to be listed for Advanced Client
>> Network Access Account?
>>
>> Do all of these accounts need to have some sort of local admin. access or
>> domain admin. access or can some of them be regular user accounts? I
>> want to
>> configure SMS to be secure but hopefully without having to goto each PC
>> to
>> add a newly created domain admin. user directly to each PCs' Local
>> Admin's
>> group.
>>
>> Thanks
>> Richard
>
>

Next message: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Previous message: Bippen Bisht [MSFT]: "Re: Scanwrapper.exe"
In reply to: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Next in thread: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Reply: Jeff Harbaugh [MSFT]: "Re: Administrator--Client installation account problem"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: a way to set source for capinst.exe?
... > account kicks off ccmsetup /service would have to have local admin rights ... > started this process doesn't have to remain logged in and the SMS client ... >> installation is completed. ...
(microsoft.public.sms.admin)
Re: a way to set source for capinst.exe?
... when the user is a local admin and I don't want capinst to have to pull from ... account kicks off ccmsetup /service would have to have local admin rights to ... started this process doesn't have to remain logged in and the SMS client ... > to complete the Advanced Client installation are: ...
(microsoft.public.sms.admin)
Re: Administrator--Client installation account problem
... I stated the account was only required to be a ... Of course if it is a domain admin that works also. ... Jeff said to use a Regular domain user, ... You do not have to be in advanced security to push the client. ...
(microsoft.public.sms.admin)
Re: User account to run WSUS under
... I suppose you could log on as the local admin account, I'm not sure what that gives you, since the domain admin is also a member of the local admin's group...still a highly priviledged user account and group membership... ... Can I install WSUS 3.0 by logging onto my SBS machine as a local admin? ...
(microsoft.public.windows.server.sbs)
Re: Client Push Installation Security
... Client push account doesn't need to be a domain Admin account but it needs ... If you have an account which is a local admin ... it doesn't need to be a domain admin. ...
(microsoft.public.sms.swdist)