Installation management account

For more information, see Prepare Active Directory for site publishing and Active Directory forest discovery.

The certificate registration point uses the Certificate registration point account to connect to the Configuration Manager database.

It uses its computer account by default, but you can configure a user account instead. When the certificate registration point is in an untrusted domain from the site server, you must specify a user account.

This account requires only Read access to the site database, because the state message system handles write tasks. For more information, see Introduction to certificate profiles.

When you capture an OS image, Configuration Manager uses the Capture OS image account to access the folder where you store captured images. If you add the Capture OS Image step to a task sequence, this account is required.

The account must have Read and Write permissions on the network share where you store captured images. If you change the password for the account in Windows, update the task sequence with the new password. The Configuration Manager client receives the new password when it next downloads the client policy. If you need to use this account, create one domain user account. Grant it minimal permissions to access the required network resources, and use it for all capture task sequences. For more information, see Create a task sequence to capture an OS.

When you deploy clients by using the client push installation method, the site uses the Client push installation account to connect to computers and install the Configuration Manager client software. If you don't specify this account, the site server tries to use its computer account.

This account must be a member of the local Administrators group on the target client computers. It doesn't require Domain Admin rights. You can specify more than one client push installation account; Configuration Manager tries each one in turn until one succeeds.

If you have a large Active Directory environment and need to change this account, use the following process to coordinate the account update more effectively:

Use domain or local group policy to assign this account the Windows user right Deny log on locally. As a member of the Administrators group, the account has the right to sign in locally, which it doesn't need. For better security, explicitly deny that right; the deny right supersedes the allow right. For more information, see Client push installation.

The enrollment point uses the Enrollment point connection account to connect to the Configuration Manager site database.
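The following script is an added example (not part of the Configuration Manager documentation) that verifies the Deny log on locally guidance above from the defender's side: it exports the effective user-rights assignments on a client with secedit and reports whether the client push installation account is listed under SeDenyInteractiveLogonRight. The account name CONTOSO\svc-cmpush is a placeholder; run it in an elevated session on a domain-joined computer that can resolve the account.

```powershell
# Added example, not from the Configuration Manager docs: check whether a
# client push installation account holds the "Deny log on locally" right on
# this computer, using secedit to export the effective user-rights assignments.
# 'CONTOSO\svc-cmpush' is a placeholder account name; requires elevation.
param([string]$Account = 'CONTOSO\svc-cmpush')

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes principals as SIDs with a leading '*', so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Parse every "SeXxxRight = *S-1-...,*S-1-..." line into a hashtable of SID lists.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Deny entries are per-SID; the allow side is usually granted through group
# membership (Administrators is *S-1-5-32-544), so only an explicit allow is reported.
$denied  = $rights['SeDenyInteractiveLogonRight'] -contains $sid
$allowed = $rights['SeInteractiveLogonRight']     -contains $sid

[pscustomobject]@{
    Account                  = $Account
    DeniedLogOnLocally       = $denied
    ExplicitAllowLogOnLocal  = $allowed
    Status                   = if ($denied) { 'OK: deny right is set' }
                               else { 'WARN: no explicit deny; account keeps local sign-in through its group memberships' }
}
```

Because the deny right supersedes the allow right, a result of DeniedLogOnLocally = True is sufficient even when the account is still reachable through the Administrators group; run the check on a sample of clients after the group policy has refreshed to confirm the policy actually landed.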

When the enrollment point is in an untrusted domain from the site server, you must specify a user account. This account requires Read and Write access to the site database. For more information, see Install site system roles for on-premises MDM.

The site server uses the Exchange Server connection account to connect to the specified Exchange Server. It uses this connection to find and manage mobile devices that connect to Exchange Server. This account must be granted the Exchange PowerShell cmdlets that provide the required permissions on the Exchange Server computer. For more information about the cmdlets, see Install and configure the Exchange connector.

The management point uses the Management point connection account to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account.

Multicast-enabled distribution points use the Multicast connection account to read information from the site database. The server uses its computer account by default, but you can configure a user account instead. When the site database is in an untrusted forest, you must specify a user account. For example, if your data center has a perimeter network in a forest other than the site server and site database, use this account to read the multicast information from the site database. If you need this account, create it as a low-rights local account on the computer that runs Microsoft SQL Server. For more information, see Use multicast to deploy Windows over the network.

Client computers use the network access account when they can't use their local computer account to access content on distribution points.

It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account on the domain.

The network access account is never used as the security context to run programs, install software updates, or run task sequences. It's used only for accessing resources on the network. A Configuration Manager client first tries to use its computer account to download the content. If that fails, it automatically tries the network access account. For more information, see Client to management point communication. If you enable Enhanced HTTP so that the network access account isn't required, the distribution point needs to be running Windows Server or later.

Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point. You can configure up to 10 network access accounts per site. Create the account in any domain that provides the necessary access to resources. The network access account must always include a domain name; pass-through security isn't supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain.

To avoid account lockouts, don't change the password on an existing network access account. Instead, create a new account and set up the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account.

Don't grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task sequence domain join account.

To configure the account: in the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Then select the site. Choose the Network access account tab. Set up one or more accounts, and then choose OK.

The following task sequence scenarios also use the network access account:

Task sequence deployment option to Access content directly from a distribution point when needed by the running task sequence. For more information, see Task sequence deployment options.

Request State Store task sequence step. If the task sequence can't communicate with the state migration point by using the device's computer account, it falls back to the network access account. For more information, see Request State Store.

Apply OS Image task sequence step option to Access content directly from the distribution point. This option is primarily for Windows Embedded scenarios with low disk space, where caching content to the local disk is costly. For more information, see Access content directly from the distribution point.

Task Sequence properties setting to Run another program first. This setting runs a package and program from a network share before the task sequence starts. For more information, see Manage task sequences to automate tasks: Advanced settings.

Managing clients in untrusted domains and in cross-forest scenarios is the reason multiple network access accounts are allowed.

A Package access account lets you set NTFS permissions to specify the users and user groups that can access package content on distribution points. By default, Configuration Manager grants access only to the generic access accounts User and Administrator. You can control access for client computers by using other Windows accounts or groups. Mobile devices always retrieve package content anonymously, so they don't use a package access account.

By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to the local Users group, and Full Control to the local Administrators group. The actual permissions required depend on the package.

If you have clients in workgroups or in untrusted forests, those clients use the network access account to access the package content. Make sure that the network access account has permissions to the package by using the defined package access accounts.

Use accounts in a domain that can access the distribution points. If you create or modify the account after you create the package, you must redistribute the package. Updating the package doesn't change the NTFS permissions on the package. You don't have to add the network access account as a package access account, because membership of the Users group adds it automatically. Restricting the package access account to only the network access account doesn't prevent clients from accessing the package.

In the Software Library workspace, determine the type of content for which you want to manage access accounts, and follow the corresponding steps:

Application: Expand Application Management, choose Applications, and then select the application for which to manage access accounts.

Package: Expand Application Management, choose Packages, and then select the package for which to manage access accounts.

Software update deployment package: Expand Software Updates, choose Deployment Packages, and then select the deployment package for which to manage access accounts.

Driver package: Expand Operating Systems, choose Driver Packages, and then select the driver package for which to manage access accounts.

OS image: Expand Operating Systems, choose Operating System Images, and then select the operating system image for which to manage access accounts.

OS upgrade package: Expand Operating Systems, choose Operating system upgrade packages, and then select the OS upgrade package for which to manage access accounts.

As we have discussed earlier, a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate its management to other administrators.

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers. This is all intended for test purposes, therefore please follow these steps on a test machine e. To do so, please open PowerShell on your Windows Server machine and type the following:

The domain controllers will wait up to 10 hours from the time of creation, to allow all domain controllers to converge their AD replication, before allowing the creation of a gMSA.

Since this is only meant for test purposes, we will skip the 10-hour wait of the KdsRootKey generation. To do so, we can use the following:

Now we are pretty much ready to go. To create a new Managed Service Account, we can proceed as follows:
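The script below is an added example, not the post's own commands, that carries the gMSA procedure described above through end to end on a lab domain: create the KDS root key (backdated to skip the 10-hour replication wait, lab only), restrict which hosts may retrieve the managed password, create the gMSA with an SPN, and review the result. The names gmsa-websvc, gMSA-WebHosts and WEB01 are placeholders; it assumes an elevated session on a domain controller or a host with the ActiveDirectory RSAT module.

```powershell
# Added example, not the post's own code: lab walkthrough of the gMSA steps
# described above. Run elevated on a DC (or a host with the ActiveDirectory
# RSAT module). All names below are placeholders.
Import-Module ActiveDirectory

$GmsaName  = 'gmsa-websvc'     # placeholder gMSA name
$HostGroup = 'gMSA-WebHosts'   # placeholder group of servers allowed to use it
$HostName  = 'WEB01'           # placeholder member server computer name
$DnsSuffix = (Get-ADDomain).DNSRoot

# 1. KDS root key. In production use -EffectiveImmediately and wait the
#    ~10 hours the post mentions so every DC has replicated the key.
#    In a throwaway lab, backdating the effective time skips that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Restrict who can retrieve the managed password. Every principal listed
#    here can obtain the gMSA's credentials, so use a dedicated group holding
#    exactly the hosts that run the service rather than 'Domain Computers'.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer $HostName)

# 3. Create the gMSA with its SPN. AD rotates the password automatically;
#    ManagedPasswordIntervalInDays defaults to 30 and is fixed at creation.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DnsSuffix" `
    -ServicePrincipalNames "HTTP/$GmsaName.$DnsSuffix" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# 4. Review the result. The allowed-principals list is the attribute to audit,
#    because it is the effective access control on the managed password.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 5. On the member server, once its new group membership is in its Kerberos
#    token (reboot or ticket refresh), install and verify the account:
#    Install-ADServiceAccount -Identity gmsa-websvc
#    Test-ADServiceAccount  -Identity gmsa-websvc   # True when the host can use it
```

The deliberate design choice is step 2: the gMSA removes the shared, static service password, but whoever is in PrincipalsAllowedToRetrieveManagedPassword can act as the account, so that membership should be reviewed like any other privileged group rather than set to a broad built-in group for convenience.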
