About the Site System Installation Account
Updated: July 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
The Site System Installation Accounts are used by the Microsoft System Center Configuration Manager 2007 Site Component Manager service to install, reinstall, uninstall, and configure site systems. If you configure the site system to Allow only site system initiated data transfers from this site system, Configuration Manager 2007 also uses this account to pull data from the site system.
If you do not configure a Site System Installation Account for a site system, Configuration Manager 2007 tries to use the site server's computer account to install and configure that site system and retrieve data. If the site system is in a remote, untrusted forest, the site server computer account will not have access, and you must configure a Site System Installation Account to use instead.
Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all roles on that site system.
Required Rights and Permissions
Site System Installation Accounts must have administrative rights on the site systems they will install and configure. Additionally, the Site System Installation Accounts must be granted the Access this computer from the network user right in the security policy on the site systems they will install and configure.
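One way to check both requirements on a site system before you enter the account in the console, as an added example that is not part of the original Microsoft documentation. The account name SITESYS01\cm-install is a hypothetical placeholder, and the script assumes an elevated session on Windows PowerShell 5.1 or later, run on the site system itself.

```powershell
# Added example; run elevated on the site system. The account name is hypothetical.
param([string]$Account = 'SITESYS01\cm-install')

# Translate the account name to its SID so comparisons do not depend on name formatting.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Requirement 1: administrative rights. Direct members of the local Administrators
# group (well-known SID S-1-5-32-544); nested domain groups are not expanded here.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
$isAdmin = $adminSids -contains $sid

# Requirement 2: "Access this computer from the network" (SeNetworkLogonRight).
# Export the current user rights assignment and read that right from the file.
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    $m = Select-String -Path $inf -Pattern "^$Right\s*=\s*(.*)$" | Select-Object -First 1
    if (-not $m) { return }
    foreach ($entry in $m.Matches[0].Groups[1].Value.Split(',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) }   # "*S-1-..." is already a SID
        elseif ($e) {                                 # plain account name: translate it
            (New-Object System.Security.Principal.NTAccount($e)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

$holders = @(Get-RightHolders 'SeNetworkLogonRight')
Remove-Item $inf

# The right applies if it is assigned to the account itself, to Everyone (S-1-1-0),
# to Authenticated Users (S-1-5-11), or to Administrators when the account is a member.
$hasNetLogon = ($holders -contains $sid) -or
               ($holders -contains 'S-1-1-0') -or
               ($holders -contains 'S-1-5-11') -or
               ($isAdmin -and ($holders -contains 'S-1-5-32-544'))

[pscustomobject]@{
    Account            = $Account
    LocalAdministrator = $isAdmin
    AccessFromNetwork  = $hasNetLogon
}
```

Both properties must be True before the Site Component Manager can use the account on that site system.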
You can create these accounts anywhere, provided they have the required rights and permissions on the site systems they will install and configure. This account is provided to support site systems that can be configured in a forest other than the site server's forest, for example, a management point that is configured to support Internet-based clients or a System Health Validator point that belongs to an untrusted forest.
The following site systems are supported if they are installed in a forest other than the site server's forest:
Server locator point
PXE service point
Fallback status point
Distribution point, configured to support Internet-based clients
Management point, configured to support Internet-based clients
Software update point, configured to support Internet-based clients
System Health Validator point, for Network Access Protection, if you must have it in a remote forest because the Network Policy Server (NPS) is not in the same forest as the site server
Account Password and Creation
The Site System Installation Accounts are created and maintained by the Configuration Manager 2007 administrator. If you change the password on the account, you must reconfigure the account in the Configuration Manager 2007 console to provide Configuration Manager 2007 with the current credentials.
Security Best Practices
If the site system is in the same forest as the site server, or in a domain trusted by the site server, either through a forest trust or an explicit trust, use the site server computer account to install and configure the site system. The site server computer account password is managed by the operating system and is less vulnerable to discovery and misuse.
If you have many domain controllers and these accounts will be used across domains, verify that the accounts have replicated before configuring the site system.
Creating local accounts on each site system to be managed is the most secure option because it limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage, so consider the trade-off between security and effective administration.