Public sector systems admin, specializing in device management, mobility and deployment.
SCCM Client Push: What It Means to Use the Site’s Computer Account, and Why You Might Use It
To use a Service Account or Not? That is the question.
When setting up Client Push in Configuration Manager, the Admin Console notes that the account must be a local Administrator on the target machine.
What happens when one isn’t specified, though?
According to Microsoft’s SCCM Accounts Used page, it’s the server’s machine account:
When you deploy clients by using the client push installation method, the site uses the Client push installation account to connect to computers and install the Configuration Manager client software. If you don’t specify this account, the site server tries to use its computer account.
Adding the machine account is as simple as adding the ConfigMgr site server's computer account to the local Administrators group on the target machines using a Group Policy.
Locally, the machine account runs as NT AUTHORITY\SYSTEM; on the network it authenticates as the site server's domain computer account.
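As an added example (not from the original post), here is a PowerShell check that does on a single client what the Group Policy above does at scale: confirm that the site server's computer account is in the local Administrators group, and add it if it is missing. The account name CONTOSO\CM01$ is a placeholder for your own domain and site server.

```powershell
# Added example, not from the original post. Run elevated on a target client.
# Assumed placeholder: replace CONTOSO\CM01$ with DOMAIN\SITESERVER$.
# The trailing $ is part of a computer account's SAM name.
#Requires -RunAsAdministrator
param(
    [string]$SiteServerAccount = 'CONTOSO\CM01$'
)

$group = 'Administrators'

# Get-LocalGroupMember returns DOMAIN\name for domain principals,
# so a case-insensitive comparison on Name is enough here.
$members = Get-LocalGroupMember -Group $group -ErrorAction Stop
$present = $members | Where-Object { $_.Name -ieq $SiteServerAccount }

if ($present) {
    Write-Output "$SiteServerAccount is already a member of $group."
} else {
    Write-Output "$SiteServerAccount is not a member of $group; adding it."
    Add-LocalGroupMember -Group $group -Member $SiteServerAccount -ErrorAction Stop
}

# Re-read the group so the final state is reported, not assumed.
Get-LocalGroupMember -Group $group |
    Where-Object { $_.Name -ieq $SiteServerAccount } |
    Select-Object Name, ObjectClass, PrincipalSource
```

For fleet-wide use, the equivalent setting lives in Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, which is the method the post describes.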
It’s worth considering using no service account in ConfigMgr for client push, and instead using the site’s computer account.
It might wind up being both more secure and easier to manage.
Microsoft has a page explaining the security benefits of using computer accounts.
The Machine Account Doesn’t Require Password Changes
The password on a domain user account eventually has to get changed.
However, a domain-joined computer rotates its own Active Directory computer account password automatically, so nobody has to manage it.
A User Can't Log In Using The Machine Account
The machine account's password is over 140 characters long. Even if someone does obtain it, the machine account can't be used to log on to a client interactively, and it can't be used on the client at all unless you already have Admin access to that machine.