Re: Administrator--Client installation account problem

From: Jeff Harbaugh [MSFT] (jeffharb_at_online.microsoft.com)
Date: 10/29/04


Date: Fri, 29 Oct 2004 12:26:07 -0700

You asked about requirements. I stated the account was only required to be a
domain user. Of course if it is a domain admin that works also. Yes the
domain admin will be a local admin on all clients. Have you enabled
Discovery Methods and push installation? By default these are turned off to
reduce network traffic. Also have you configured the site boundaries? SMS
needs to have discovered the resources before we can install via push.

-- 
Thanks,
Jeff Harbaugh [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"BugginOuT" <BugginOuT@optonline.net> wrote in message 
news:un8ZfnevEHA.2540@TK2MSFTNGP09.phx.gbl...
>I guess we both have the same problem here.
>
> Wouldn't the Domain Admin have the same privileges as a Local Admin on a 
> workstation?
>
> I have most of the services attached with the Domain Admin account, but 
> I'm not seeing any agents being installed or Push-Client being initiated.
>
> I believe when I specified my SMS Service account, I associated it with my 
> Domain Admin Account, is this wrong?
>
> On Question #4:  Jeff said to use a Regular domain user, would the Domain 
> Admin account matter?
>
> "Jeff Harbaugh [MSFT]" <jeffharb@online.microsoft.com> wrote in message 
> news:OKGmRPevEHA.2536@TK2MSFTNGP11.phx.gbl...
>> 1. The SMS Service account is the one you specified during setup. If you 
>> are using advanced security the account is the local system account.
>> 2. You do not have to be in advanced security to push the client.
>> 3. This account can be a domain user account. (the restriction is that 
>> the account needs to be a local admin on the client machines.) Also you 
>> can use %Machinename%\Administrator, of course providing the 
>> Administrator account has the same password on all the clients.
>> 4. Regular domain user.
>>
>> That is why most people add a domain admin account to the push account so 
>> you do not have to add it manually to all computers. This is not required 
>> though.
>> In order to execute software on the clients we need to have admin access 
>> to the machines, which is why we require the account to be a local admin 
>> on the clients.
>>
>> -- 
>> Thanks,
>> Jeff Harbaugh [MSFT]
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>> "Richard" <Richard@discussions.microsoft.com> wrote in message 
>> news:D8AE02A9-4774-45E1-BB9E-BBCE2ABB5B0C@microsoft.com...
>>> It states in the SMS 2003 Admin. Companion book, "Be sure that whatever
>>> client installation account you're using--the SMS Service account or your
>>> own designated SMS Client Push Installation account--has local admin. rights
>>> on the client."
>>>
>>> I am starting to deploy to the clients using the Advanced Client.
>>>
>>> I have some questions on how to set up the security in various areas of SMS:
>>>
>>> 1.  Which System Service is the "SMS Service" account--is it the
>>> SMS_EXECUTIVE service or other?
>>> 2.  Should this System Service be changed from Local System to domain
>>> administrator in order to be able to successfully push out the clients using
>>> the Client Push Install Wizard?
>>> 3.  In Client Push Install Methods-->Client Push Installation, what type of
>>> account needs to be listed--a Domain Admins group user (insecure), regular
>>> user account, other?
>>> 4.  In Component Configuration-->Software Configuration-->Software
>>> Distribution, what type of account needs to be listed for Advanced Client
>>> Network Access Account?
>>>
>>> Do all of these accounts need to have some sort of local admin. access or
>>> domain admin. access or can some of them be regular user accounts?  I want to
>>> configure SMS to be secure but hopefully without having to go to each PC to
>>> add a newly created domain admin. user directly to each PC's Local Admins
>>> group.
>>>
>>> Thanks
>>> Richard
>>
>>
>
> 

