Minimizing the Number of Accounts SMS Uses

Standard security requires and maintains more accounts than advanced security. Using advanced security and Advanced Clients are the easiest ways to minimize the number of accounts that SMS uses. However, if you cannot use them, there are other techniques that can be used to minimize the number of SMS accounts.

Note that in some cases, although minimizing the number of accounts makes it harder to tighten SMS security, doing so might be appropriate if you have to reduce administrative overhead and your security risk is minimal.

Important:

  • Reducing the number of accounts increases the security risk because if any of the remaining accounts are compromised, all the computers that they can be used on could be compromised.

Mandatory multiple instance accounts

SMS automatically creates the following accounts to accommodate the requirements of multiple sites or domain controllers.

  • Client Services (DC) Account (SMS&_dc)

    SMS creates one of these accounts for each domain controller in the domain, regardless of the number of sites within that domain.

  • Server Connection Account (SMSServer_sc)

    SMS setup creates one of these accounts for each site.

  • Remote Service Account (SMSSvc_sc_xxxx)

    SMS creates this account on each defined CAP that is not on the site server, to support the SMS Executive service. If the computer running SQL Server is not the site server, SMS also creates this account on that computer to support the SQL Monitor service.

  • Client Connection Account (SMSClient_sc)

    SMS Setup creates this account in the domain that SMS is installed in to support Legacy Client connections to a CAP. Although SMS creates one Client Connection Account for each site, the administrator can create as many additional accounts as required to address specific security issues.

  • CCM Boot Loader (DC) Account (SMS#_dc)

    When installing Legacy Clients with Client Push Installation, Client Configuration Manager (CCM) creates this domain account to run the CCM boot loader service on client computers that are domain controllers. This account is made unique by including the domain controller name in the account name. This account is automatically deleted after the client is set up.

Optional multiple instance accounts

An SMS administrator can choose to create the following accounts to provide additional security or stability. For some accounts, you might want to create multiple instances.

  • SMS Service Account

    Either the administrator or SMS Setup can create this account. Only one SMS Service Account can be used in each site, but multiple SMS Service Accounts can be created and used if multiple sites exist. If the sites share a domain, then that domain includes all these accounts.

  • Client Connection Account (SMSClient_sc)

    Setup creates this domain account. Although SMS creates one Client Connection Account for each site, the administrator can create as many additional accounts as required to address specific security issues.

  • Site Address Account

    The administrator creates this account to allow SMS sites to communicate with each other. The number of accounts created is determined by the administrator: there might be only one account used for this purpose throughout the organization, or there could be one for every SMS address.

  • Site System Connection Account

    One account can be shared among multiple sites, or the administrator can create one account for each site.

  • Client Push Installation Account

    Accounts can be shared among multiple sites, or the administrator can create accounts specific to each site or domain.

Mandatory local multiple instance accounts

There are accounts that are unique to each SAM database. Because you have multiple SAM databases (one for all domain controllers in each domain and one for each member server or workstation), you have multiple copies of these accounts. The accounts that fall in this category are:

  • Client User Token (Non-DC) (SMSCliToknLocalAcct&).

  • Client Services (Non-DC).

  • CCM Boot Loader (Non-DC) (SMSCCMBootAcct&) - this is a temporary account.

The multiple instances of these accounts should not cause any problems because they are in separate databases. However, it might help you, when you are troubleshooting, to remember that each instance of these accounts is unique.

Strategies for reducing the number of multiple accounts

You can reduce the number of multiple accounts by using any of the following strategies:

  • Minimize the use of optional accounts.

  • Use setup options to force the use of common SMS Server Connection Accounts and SMS Client Connection Accounts with a known password. For more information, see the "Site Setup" section in Chapter 5, "Understanding SMS Security."

  • Resolve problems that prevent temporary accounts from being deleted. This especially applies to the CCM Boot Loader (DC) Account.

  • Minimize the number of SMS sites in each domain. This action does not actually reduce the number of accounts, but it does reduce the number of accounts that occur in any single domain. This solution might be especially appropriate if you have resource domains.
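Before choosing a reduction strategy it helps to know how many of these accounts actually exist, and whether any of the temporary CCM Boot Loader accounts were left behind. The following Python script is an added example, not part of this topic or of SMS itself: it classifies account names against the naming patterns listed above and flags temporary accounts that are older than a few days. It assumes (the page does not say so explicitly) that the "sc" part of a name is the three-character site code, that "dc" is the domain controller name, and that "xxxx" is an arbitrary per-server suffix; the inventory it runs over is constructed sample data, where a real audit would feed in the account lists exported from each domain and local SAM.

```python
import re
from collections import Counter

# Account-name patterns taken from the names listed in this topic. Assumed
# (not stated on the page): "sc" is the three-character site code, "dc" is
# the domain controller name, and "xxxx" is a per-server suffix of any length.
SITE = r"(?P<sc>[A-Za-z0-9]{3})"
ACCOUNT_KINDS = [
    # (kind, pattern, is_temporary)
    ("Client Services (DC) Account", re.compile(r"^SMS&_(?P<dc>.+)$"), False),
    ("CCM Boot Loader (DC) Account", re.compile(r"^SMS#_(?P<dc>.+)$"), True),
    ("Server Connection Account", re.compile(rf"^SMSServer_{SITE}$"), False),
    ("Remote Service Account", re.compile(rf"^SMSSvc_{SITE}_.+$"), False),
    ("Client Connection Account", re.compile(rf"^SMSClient_{SITE}$"), False),
    ("Client User Token (Non-DC)", re.compile(r"^SMSCliToknLocalAcct&$"), False),
    ("CCM Boot Loader (Non-DC)", re.compile(r"^SMSCCMBootAcct&$"), True),
]


def classify(name):
    """Return (kind, site_code_or_None, is_temporary) for an SMS-style
    account name, or None if the name matches none of the patterns."""
    for kind, pattern, temporary in ACCOUNT_KINDS:
        match = pattern.match(name)
        if match:
            return kind, match.groupdict().get("sc"), temporary
    return None


def audit(accounts, stale_days=7):
    """Summarise an account inventory.

    accounts: iterable of (sam_database, account_name, age_in_days).
    Returns per-kind counts, the set of site codes seen, the temporary
    (CCM Boot Loader) accounts older than stale_days that should already
    have been deleted, and the number of names that follow no SMS pattern.
    """
    by_kind = Counter()
    sites = set()
    stale = []
    unclassified = 0
    for sam_db, name, age in accounts:
        result = classify(name)
        if result is None:
            unclassified += 1
            continue
        kind, site_code, temporary = result
        by_kind[kind] += 1
        if site_code:
            sites.add(site_code.upper())
        if temporary and age > stale_days:
            stale.append((sam_db, name, age))
    return {"by_kind": by_kind, "sites": sites,
            "stale_temporary": stale, "unclassified": unclassified}


# Constructed sample inventory (not real accounts): one domain with two
# domain controllers and two sites, plus one workstation's local SAM.
SAMPLE = [
    ("CONTOSO (domain)", "SMS&_DC01", 400),
    ("CONTOSO (domain)", "SMS&_DC02", 400),
    ("CONTOSO (domain)", "SMSServer_A01", 400),
    ("CONTOSO (domain)", "SMSServer_B02", 200),
    ("CONTOSO (domain)", "SMSClient_A01", 400),
    ("CONTOSO (domain)", "SMSClient_B02", 200),
    ("CONTOSO (domain)", "SMSSvc_A01_7F3A", 400),
    ("CONTOSO (domain)", "SMS#_DC02", 45),        # temporary, left behind
    ("WKS17 (local SAM)", "SMSCliToknLocalAcct&", 300),
    ("WKS17 (local SAM)", "SMSCCMBootAcct&", 1),   # fresh, setup in progress
    ("CONTOSO (domain)", "jsmith", 900),           # ordinary user, ignored
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for kind, count in sorted(report["by_kind"].items()):
        print(f"{count:3d}  {kind}")
    print("sites seen:", ", ".join(sorted(report["sites"])))
    for sam_db, name, age in report["stale_temporary"]:
        print(f"stale temporary account: {name} in {sam_db} ({age} days old)")
```

The per-kind counts can be compared directly with the expectations in this topic (one Client Services (DC) Account per domain controller, one Server Connection Account and one Client Connection Account per site), and any entry in the stale list is a candidate for the "resolve problems that prevent temporary accounts from being deleted" strategy.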
