Can you change the "System Installation Account" from the Site Server Computer Account to a Service Account after the DP is configured?

  • Question

  • When the distribution points were configured, we used the Site Server Computer Account.

    Now we would like to change to a service account and remove the site server computer account from the local Administrators group (and add the service account).

    Can someone provide some guidance on whether this is possible, and what steps should be taken to accomplish it?

    Thanks

    Thursday, January 9, 2014 5:39 PM

Answers

  • Sure, just modify the properties of the "Site System" role in the console (in the Administration workspace under Site Configuration -> Server and Site System Roles).

    Why would you do this though? It's less secure and adds an administrative burden.


    Jason | http://blog.configmgrftw.com

    Thursday, January 9, 2014 6:14 PM
    Moderator
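    The console change Jason describes only switches which account ConfigMgr uses to install and manage the role; the second half of the question (taking the site server's computer account out of the DP's local Administrators group) is a manual step on each DP, and the safe order is: set the new account in the console, confirm it can still install or update the role, and only then remove the computer account. The script below is an added example (not from this thread, and not ConfigMgr's own tooling) that audits the DP's local Administrators group and stages both membership changes with -WhatIf so nothing is removed until the new account is confirmed present. The account names are assumed placeholders; it relies on the Microsoft.PowerShell.LocalAccounts module that ships with Windows Server 2016+.

    ```powershell
    # Added example: audit local Administrators on a DP before swapping the
    # site system installation account. Account names below are assumptions.
    param(
        [string]$SiteServerComputerAccount = 'CONTOSO\CMSITESRV$',      # assumed: site server's computer account
        [string]$NewInstallationAccount    = 'CONTOSO\svc-cmsiteinstall' # assumed: the new domain account
    )

    function Get-LocalAdminMembers {
        # Returns members of the local Administrators group as DOMAIN\name strings.
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }

    function Test-AccountSwapSafe {
        param([string[]]$Members, [string]$OldAccount, [string]$NewAccount)
        # -contains is case-insensitive in PowerShell, which matches how SAM names compare.
        $hasOld = $Members -contains $OldAccount
        $hasNew = $Members -contains $NewAccount
        [pscustomobject]@{
            OldAccountPresent = $hasOld
            NewAccountPresent = $hasNew
            # Never drop the old account until the replacement is confirmed in the group,
            # otherwise the site server loses the rights it needs to manage the role.
            SafeToRemoveOld   = $hasNew
        }
    }

    $members = Get-LocalAdminMembers
    $state   = Test-AccountSwapSafe -Members $members `
                                    -OldAccount $SiteServerComputerAccount `
                                    -NewAccount $NewInstallationAccount
    $state | Format-List

    # Both changes are staged with -WhatIf; remove the switch once the output looks right.
    if (-not $state.NewAccountPresent) {
        Add-LocalGroupMember -Group 'Administrators' -Member $NewInstallationAccount -WhatIf
    }
    if ($state.SafeToRemoveOld -and $state.OldAccountPresent) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $SiteServerComputerAccount -WhatIf
    }
    ```

    Run it on each DP after the console change has been made, not before; the console change is what makes the new account the one ConfigMgr actually uses, and the group membership only has to match that.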

All replies

  • I know this is an old thread but I wanted to see if someone knew the answer. We also used the computer account when installing SCCM but we have two untrusted domains that we would like to manage. One of the workarounds is to create a local account that has the same name as the Site System Installation Account that is configured for the remote site server. If you used the computer account I don't think this is possible. Can someone shed some light on this topic?

    https://support.microsoft.com/en-us/help/2689646/system-center-2012-configuration-manager-incorrectly-uses-the-site-sys


    Pat

    Wednesday, July 3, 2019 1:16 PM
  • Shed some light on what exactly? Creating a shadow computer account in an alternate domain? Sure, you can create the account but good luck mirroring the password since that's not accessible or even stored anywhere.

    For your untrusted domains, if you want to use client push to deploy the client agent, then you'll need to configure additional accounts that have local admin permissions on the systems in those forests/domains. There's no way around this directly. However, why not use an alternate method of installing the client agent like a startup script that avoids client push altogether?

    The KB you linked to has nothing to do with client push; that's for site system installation and communication, and you don't need site systems in untrusted domains (unless you want to target users with package or application deployments).

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 3, 2019 1:43 PM
    Moderator
  • Jason,

    Thank you for responding. I did not realize I posted in the client deployment section. We have one server on our untrusted domain that has the component server, DP, MP, Site System and SUP installed. Reviewing the MPControl log on our server we receive the following error: [28000][18452][Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication

    The article I posted was a workaround for this error. Currently, when I try to make a connection to our database server, which is on the other untrusted domain, it fails to connect. I've worked with the network group to make sure the appropriate firewall ports have been opened, but at this point I think it has to do with account permissions. When I look at the site system role on our SCCM application server I see that the Site System Installation Account is using the site server's computer account and not a local or service account. I was thinking that if we used a service account then we could create a local account on the other untrusted domain. To be honest, it's kind of confusing to me what has to be done.


    Pat


    • Edited by Pgrantland Wednesday, July 3, 2019 2:13 PM Added more information
    Wednesday, July 3, 2019 2:05 PM
  • Sorry, you posted in the right place; I have no idea why or how I read client push in your answer or this thread though.

    For your question above, you would create an account in the domain where the site system exists and then specify that account as the site system installation account. Since the activity is occurring on a system in that domain, you need an account from that domain. There's no reason to create a shadow account here.

    Also note that ConfigMgr does not use any service accounts.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 3, 2019 3:48 PM
    Moderator
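    The MPControl.log line Pat quotes is the symptom to watch for when a site system in one domain tries to reach the site database in another: SQL Server state 28000, error 18452, which is the "login is from an untrusted domain" rejection of Windows authentication. Below is an added example (not from this thread, and not a Microsoft tool) that scans CMTrace-format log lines for ODBC/SQL login failures and tags 18452 specifically, so the problem shows up as a trust/account issue rather than being chased as a firewall one. The two sample lines are constructed for the example; the log path in the final comment is a placeholder.

    ```powershell
    # Added example: flag SQL "untrusted domain" login failures in a CMTrace-format
    # ConfigMgr log such as MPControl.log. Sample lines below are constructed.
    $sampleLog = @'
    <![LOG[Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK]LOG]!><time="13:05:10.000+000" date="07-03-2019" component="MPControl" context="" type="1" thread="4412" file="mpcontrol.cpp:0">
    <![LOG[*** [28000][18452][Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.]LOG]!><time="13:05:11.000+000" date="07-03-2019" component="MPControl" context="" type="3" thread="4412" file="mpcontrol.cpp:0">
    '@

    function Find-SqlLoginFailure {
        param([string[]]$Lines)
        # CMTrace entries wrap the message in <![LOG[ ... ]LOG]!> followed by attributes.
        $entry = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
        # ODBC errors carry [SQLSTATE][native error number] at the front of the message.
        $odbc  = '\[(?<sqlstate>[0-9A-Z]{5})\]\[(?<errnum>\d+)\]'
        foreach ($line in $Lines) {
            if ($line -notmatch $entry) { continue }
            # Copy captures now: the next -match overwrites $Matches.
            $msg = $Matches.msg; $time = $Matches.time; $date = $Matches.date; $comp = $Matches.comp
            if ($msg -match $odbc) {
                $cause = switch ($Matches.errnum) {
                    '18452' { 'Windows authentication rejected: caller domain is not trusted by the SQL Server domain (account/trust issue, not a port issue)' }
                    default { 'other SQL login failure' }
                }
                [pscustomobject]@{
                    Date        = $date
                    Time        = $time
                    Component   = $comp
                    SqlState    = $Matches.sqlstate
                    ErrorNumber = $Matches.errnum
                    Cause       = $cause
                    Message     = $msg
                }
            }
        }
    }

    $lines = $sampleLog -split "`r?`n"
    Find-SqlLoginFailure -Lines $lines | Format-List

    # Against a real log (placeholder path, adjust to your MP's log directory):
    # Find-SqlLoginFailure -Lines (Get-Content 'C:\PLACEHOLDER\Logs\MPControl.log')
    ```

    On the constructed input only the second line is reported, with SqlState 28000 and ErrorNumber 18452. When that entry appears, the fix path Jason gives above applies: specify an account from the site system's own domain as the site system installation account, rather than trying to mirror a computer account across the trust boundary.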