What rights do the computer accounts of the SCCM Servers need in SCCM?

Andreas Meyer zu Driehausen 1 Reputation point
2022-06-02T15:38:08.797+00:00

Hello,
I am NOT asking here about service accounts in SCCM.

A few days ago SCCM started to uninstall stuff until we added the computer accounts of other SCCM servers (MPs, Endpoint Protection Servers, etc.) to the local administrators group on the SiteServers.

I found a lot of documentation about service accounts. But none that would tell me straight forward what rights the computer accounts of SCCM servers need.
Just now we added a new Endpoint Protection Server. The installation was fine.
Afterwards it obviously lacked rights in order to start operating properly. It warned that the other side would be in pull mode instead of in push mode. It could not transfer into the inboxes, could not write into the registry, etc., although the installation of the SCCM roles was done from within the productive environment of SCCM.
Of course, on the EPP server itself, the necessary components were installed too.

It only seemed to start working after we added the computer account of the endpoint protection server to the local administrators group of the siteservers.
Where is this documented exactly? Nowhere I found a mention that the computer account of an Endpoint Protection Server would need admin rights in the local administrators group on the site servers.

The computer accounts of the siteservers seemingly also need to be in the local administrators group on each site server?
Where is this documented? Or why is that necessary?
So many rights are given for so many purposes in the overall setup of SCCM.
Why do the computer accounts need flat admin rights?

It feels strange: If that is necessary why doesn't it pop up in all that documentation?
Thank you for twofold hints: once for the computer accounts of the site servers, and also for the computer accounts of the EPP server and other SCCM servers, if those also need local admin rights.
Thank you.
Andreas

P.S. Why isn't there a tag for SCCM?

Microsoft Security | Intune | Configuration Manager | Other

2 answers

  1. Garth 5,801 Reputation points
    2022-06-03T02:35:28.283+00:00

    Exactly what service accounts are you talking about? CM for the most part only uses the computer account. Yes, there are "access accounts", but they are not "service" accounts. For example, the SSRS report account.

    The permissions needed are listed in the doc: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/site-and-site-system-prerequisites

    As a general rule, the CM site server requires full admin rights to all of its component servers, aka DP, SQL, WSUS, SSRS, etc. This is how it installs/upgrades components as it upgrades, does backups, integrity checks, etc.

    1 person found this answer helpful.
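The rule above (site server computer account in the local Administrators group of every site system it manages) and the workaround in the question (site system computer accounts added to Administrators on the site servers) are both membership checks that can be audited the same way. The following PowerShell is an added example, not code from the thread or from Microsoft; the hostnames `CM01`, `CM02` and the domain `CONTOSO` are assumptions. It lists the computer accounts that are members of the local Administrators group, flags expected accounts that are missing, flags computer accounts that are present but not on the expected list (so over-broad grants stay visible), and only adds missing accounts when run with `-Fix`.

```powershell
<#
Added example (not from the thread): audit local Administrators membership
for ConfigMgr computer accounts on the machine this runs on.
Run elevated on the site system (DP, SQL, WSUS/SUP, SSRS host) and pass the
site server names; or run on a site server and pass the site system names.
All hostnames and the domain below are assumptions for illustration.
#>
param(
    [string[]]$ExpectedServers = @('CM01', 'CM02'),  # assumed server hostnames
    [string]$Domain = 'CONTOSO',                      # assumed NetBIOS domain
    [switch]$Fix                                      # add missing accounts
)

$group = 'Administrators'

# Current members; computer accounts show up as DOMAIN\HOST$ (trailing $).
$members = Get-LocalGroupMember -Group $group

# Computer accounts currently holding local admin on this machine.
$computerMembers = $members | Where-Object {
    $_.ObjectClass -eq 'Computer' -or $_.Name -like '*$'
}

$expected = $ExpectedServers | ForEach-Object { "$Domain\$($_.ToUpper())`$" }

foreach ($account in $expected) {
    $present = $computerMembers | Where-Object { $_.Name -ieq $account }
    if ($present) {
        Write-Output "OK       $account is a member of $group"
    }
    elseif ($Fix) {
        # Grants flat local admin; do this deliberately, not by default.
        Add-LocalGroupMember -Group $group -Member $account
        Write-Output "ADDED    $account to $group"
    }
    else {
        Write-Warning "MISSING  $account is not in $group (rerun with -Fix to add)"
    }
}

# Anything else with a machine account in Administrators is worth a look:
# a forgotten grant from an old troubleshooting session is a lateral-movement path.
foreach ($m in $computerMembers) {
    if ($expected -notcontains $m.Name) {
        Write-Warning "EXTRA    $($m.Name) is in $group but not in the expected list"
    }
}
```

Without `-Fix` the script only reports, which is the mode to use first; review the EXTRA lines before adding anything, since every computer account in Administrators can run arbitrary code on that host.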

  2. Andreas Meyer zu Driehausen 1 Reputation point
    2022-06-22T08:47:31.24+00:00

    Hi,
    Thank you for answering.
    However, I read extensively in the Microsoft Documentation before posting here.
    Under the link that you posted is nowhere mentioned that the COMPUTER ACCOUNT(s) need/s local admin rights on so many SCCM servers.
    The EPP (endpoint protection server) also needs local admin rights for its computer account on the site servers. That's what started the trouble.
    So if anybody runs into strange problems with authorization as depicted in my original post above, you might well consider giving the computer accounts of your SCCM servers local admin rights on the other SCCM servers.
    I still find it strange, that this is nowhere to be found in the documentation - neither in your link above.

    This seems to be one of those bits of knowledge that insiders just know and the rest is not being told.
    Perhaps this procedure is a little distressing to MS so they don't like to talk much about it.
    But administrators do need to know. At least now it can be found in this thread.
    Sincerely
    Andreas
