All things SMS, System Center Configuration Manager, Active Directory, Group Policy, Virtualization, Security, Gadgets, Technology, and the Daily Thoughts of an SMS Engineer named Anthony Clendenen.

The Daily Ramblings of an SMS Engineer

SCCM 2007 - Client Push Installation Account

March 09, 2007

In SMS 2003 you had to specify an account with local admin privileges on the computers you were targeting for the client push. Typically this was an account in the Domain Admins group, even though that was not recommended. But because of local Administrator password problems, users with local admin rights, and so on, using anything less often netted very little success.

New in SCCM is the ability to use the computer$ account for the install. This means that you can now use the SMS server's computer account to do the install. The best and most secure way of doing this is to create a new global group, add the computer account to it, and then, through Group Policy, add that group to the local Administrators group on the targeted clients. KB article 320065 has details on how to accomplish this. In the past, if you added an account to the local Administrators group on domain computers, it would overwrite, not append, so make sure you test this process first.

 

How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations

This article was previously published under Q320065

SUMMARY

This article describes how to create a global group so that it is a member of the local administrators group on all workstations and member servers by using group policy restricted groups.

MORE INFORMATION

It may be useful to allow certain users to automatically become local administrators on your Windows 2000-based workstations or member servers. To allow that type of access to a controlled set of users and computers by using a group policy:

1. Start Active Directory Users and Computers from any domain controller.

2. Create an organizational unit, and then move all of the appropriate workstations and member servers to that organizational unit.

3. Create a global group in that organizational unit, and then add the appropriate users to that group.

IMPORTANT: Complete the remaining steps from a Windows 2000-based member server or a Windows 2000 Professional-based workstation with the Adminpak installed.

4. Start Active Directory Users and Computers, right-click the organizational unit, and then click Properties.

5. Click the Group Policy tab, click NEW, and then name the policy.

6. Click the policy, and then click Edit.

7. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.

8. Click Browse. Focused on the local computer, click the group to which you want your global group to be a member (in this case, the "Administrators" group), click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.

9. Right-click the group, and then click Security.

10. To the right side of the Members of this Group box, click ADD, and then click Browse.

11. Locate the group in the organizational unit that you want to place in the administrators group, and then add it to the group. After you do so, close the group policy.

12. At a command prompt, type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.

NOTE: From any of the workstations or member servers in that organizational unit, you can view the local groups and see that the global group is a member of the administrators local group.
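The overwrite-versus-append warning above can be checked before the policy is linked. The following is an added example, not part of the original post or the KB article: it reads the text of a GPO's security template (GptTmpl.inf, [Group Membership] section) and reports whether the local Administrators group is defined through "Members of this group", which replaces existing members, or through "This group is a member of", which appends. The function name and the sample SIDs are hypothetical.

```powershell
# Added example; the SIDs and template text below are constructed sample data.
function Get-AdminGroupPolicyEffect {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [string]$TargetSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    )
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the Restricted Groups section
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $subject = $Matches[1]
            $kind    = $Matches[2]
            $values  = @($Matches[3] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if ($kind -eq 'Members' -and $subject -eq $TargetSid) {
                # "Members of this group": listed principals replace existing membership
                [pscustomobject]@{ Mode = 'Replace'; Principals = $values }
            }
            elseif ($kind -eq 'Memberof' -and $values -contains $TargetSid) {
                # "This group is a member of": the subject is added, existing members stay
                [pscustomobject]@{ Mode = 'Append'; Principals = @($subject) }
            }
        }
    }
}

# Constructed template: Administrators defined with an explicit member list
$replaceSample = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Constructed template: the global group is made a member of Administrators
$appendSample = @'
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

Get-AdminGroupPolicyEffect -InfText $replaceSample | Format-List
Get-AdminGroupPolicyEffect -InfText $appendSample  | Format-List
```

On a real GPO, pass the content of the policy's Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf file under SYSVOL as `-InfText`. A `Replace` result means any existing local administrators not listed in the policy will be removed when it applies.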

 

Regards,

Anthony

Anthony Clendenen | Senior Technical Consultant | Microsoft Practices | Dimension Data

Dimension Data is Microsoft’s 2006 Global Advanced Infrastructure Technology Innovation Partner of the Year… for the Dynamic Desktop Deployment Solution

