Installing SCCM Client on Domain Controllers is certainly a potential risk that must be managed

  • Question

  • Having the ConfigMgr client installed on DCs, where the SCCM client service runs as the local system account, is not a secure way to install the SCCM agent, and this is certainly a potential risk that must be managed.

    Is there any better, more secure way to install the SCCM client and manage it on Domain Controller 2008/2012 R2 servers?

    Friday, October 3, 2014 10:30 AM

All replies

  • You might want to consider using security scopes in SCCM and careful collection limiting.

    With this you can limit the admins that can manage the DCs through SCCM.

    Friday, October 3, 2014 10:35 AM
  • Thanks for your quick reply :)

    But is this the best practice to secure DCs?

    My concern is that this SCCM account runs as the local administrator or System account on the DC servers :)

    Friday, October 3, 2014 10:45 AM
  • Yeah, the service runs on the system account, which can be a risk indeed.

    There's no alternative way to install the service, as far as I know.

    So what's the problems you'd expect?

    Like wrong software being installed by mistake, unexpected booting or more like exposure to malware and stuff like that??

    In my experience, the biggest risk with SCCM was the people who had access to the console (imagine a team of 30+ people, all with full admin access .... disastrous) :)

    Friday, October 3, 2014 11:00 AM
  • Hi

    I concur with WM Heeringa.

    The ConfigMgr Client runs as local system and that could be seen as a security risk when running the client on a Domain Controller. There is no way of running it as a normal user.

    In itself it is not dangerous installing the ConfigMgr Client on Domain Controllers, but I never use Client Push when installing it on a Domain Controller because I do not want a Client Push account with Domain Admin rights floating around. I always RDP in to my Domain Controllers and install the client manually.

    Then I create Collections for Domain Controllers and use RBAC to restrict access to that/those Collections through ConfigMgr.

    Friday, October 3, 2014 11:14 AM
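    The approach described in the two replies above (a dedicated collection for Domain Controllers, locked down with security scopes and RBAC) can be scripted from the ConfigMgr console's PowerShell module. This is an added example, not code from the thread; the site code `PS1`, the AD group `CONTOSO\SCCM-DC-Admins` and the choice of the built-in `Application Deployment Manager` role are assumptions, and the cmdlets are the ConfigurationManager module's own.

```powershell
# Added example: isolate Domain Controllers in their own collection and
# security scope so only a named admin group can target them.
# Assumed: site code PS1, AD group CONTOSO\SCCM-DC-Admins (hypothetical).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$scopeName = 'Domain Controllers'
$collName  = 'All Domain Controllers'

# 1. A dedicated security scope for anything that may touch DCs.
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName `
        -Description 'Objects allowed to target Domain Controllers' | Out-Null
}

# 2. Query-based collection: DCs have primary group RID 516
#    ("Domain Controllers"), so membership follows AD automatically
#    instead of a hand-maintained list.
$query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.Name
from SMS_R_System
where SMS_R_System.PrimaryGroupID = 516
"@
$coll = Get-CMDeviceCollection -Name $collName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems'
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
        -RuleName 'DCs by primary group' -QueryExpression $query
}

# 3. Tag the collection with the restricted scope and take it out of
#    'Default', so admins holding only the Default scope no longer see it.
Add-CMObjectSecurityScope    -InputObject $coll -Name $scopeName
Remove-CMObjectSecurityScope -InputObject $coll -Name 'Default' -Force

# 4. Only this group, with only this role and scope, may deploy to DCs.
New-CMAdministrativeUser -Name 'CONTOSO\SCCM-DC-Admins' `
    -RoleName 'Application Deployment Manager' `
    -SecurityScopeName $scopeName -CollectionName $collName | Out-Null
```

    Full Administrators still see every scope, so the list of accounts holding that role is the thing to keep short and audited.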
  • Having the ConfigMgr client installed on DCs, where the SCCM client service runs as the local system account, is not a secure way to install the SCCM agent, and this is certainly a potential risk that must be managed.

    Is there any better, more secure way to install the SCCM client and manage it on Domain Controller 2008/2012 R2 servers?

    Why do you say running as local system is not secure? With local system, no one can log on remotely as the server. The service can't log on interactively, per se. So what exactly is the problem?

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Friday, October 3, 2014 11:18 AM
  • There is not a better way.

    The local system account cannot be used to logon or do anything interactively.

    However, there are other risks of running scripts/deployments and the like. You will need to manage your SCCM administrative rights to secure the management of the domain controllers.

    All the best, Jesper Hassing - MCTS SCCM 2012 - MCSA 2012 Server - MCP

    • Proposed as answer by Jesper Hassing Friday, October 3, 2014 11:53 AM
    Friday, October 3, 2014 11:53 AM
  • That's right, but you can use the command line with PowerShell or whatever.

    Friday, October 3, 2014 11:54 AM
  • That's right, but you can use the command line with PowerShell or whatever.

    Huh??? I don't understand what you mean by this and how it relates to CM12.

    Are you saying that a CM12 Admin can run a script on the DC if they create a package and deploy it to the DC? Ok, so what? Can't the AD admin do the exact same thing with less hassle? What exactly can the CM12 admin do that he can't already do?

    Exactly what risk are you trying to solve?

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Friday, October 3, 2014 12:18 PM