Install SCCM Agent without Domain Admin rights

    General discussion

  • Hello,

    Can the SCCM agent be push installed to remote clients by using the DP server's computer$ account, rather than having a dedicated domain user account that is a member of the Domain Admin group (which is a major security risk)?

    If so, a reference MS URL would be handy.




    Friday, October 21, 2011 7:56 AM

All replies

  • You don't need provide domain admin rights to client push. Also, computer$ (SMS server's) account for the install as first preference.

    Anoop C Nair - Twitter @anoopmannur

    MY BLOG:

    SCCM Professionals

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, October 21, 2011 8:23 AM
  • Hi,

    "Configuration Manager 2007 will try to use the site system computer account. This account must have local administrator rights on every client to be installed"

    For more information:


    -- My System Center blog -- Twitter @ccmexec
    Friday, October 21, 2011 8:43 AM
  • To go a little more in-despth explaning the correct answers provided above... SCCM will always first try to use the account specifed as the client installtion account. This account would need to have local admin rights on all computers. It is not ever recomended to add that account to domain admins, that's overkill and a security risk. Alternatively and preferably to using a client install account if no account is specified or if the client install account fails to connect the SCCM server machine account is used. I find it best to place all of my SCCM servers into an AD group, add that AD group to local admins using a GPO and do not specify a client install account.


    John Marcum ||
    Friday, October 21, 2011 12:30 PM
  • Thank you all you your excellent responses  :-)

    The following link reiterates what you all have said:


    Saturday, October 22, 2011 1:16 AM