Site Address Account SCCM 2007

Hi Team,

We have a service account for our SCCM infra that is used for client push, and the same is configured as the Site address account, in the client Agent, and also for the software update point account.

Due to security concerns, the password for that service account will now be managed by CyberArk, which means it will be changed every day.

Can you please help me to get a feasible solution for this? Any help would be appreciated.

June 21st, 2013 7:44pm

Ouch, no way around this other than entering it in manually.

June 21st, 2013 8:13pm

Is there any best way to achieve this when we have security concerns and the service account password has to be changed every day?
June 21st, 2013 8:31pm

Best thing is to not use user accounts, use computer accounts.
June 21st, 2013 9:43pm

Do you guys use Orchestrator by chance?  I bet that could handle something along these lines.
June 21st, 2013 10:41pm

As said, no way around this other than to try to automate the password change using the SDK where it'll allow you, and to enter manually. For the LAN sender, switch to the computer account, and use a dedicated account for both the CIA and the SUP ... I've not seen this kind of password rotation policy before.
June 29th, 2013 10:27am

Thanks Rob,

You mean, for Address, we should use the Computer account, and for Software Update Point Component properties we need to have an account which should have a static password, and the same applies for the Computer Client Agent? Can this be cleared and the system pick the default computer account?

How about the Network access account for client Push Installation: does that need to be with a static password, or will the computer account work for client push as well?

July 1st, 2013 6:12pm

The only user account I use anywhere in CM is the network access account. Computer accounts can be used for everything else.

July 1st, 2013 6:28pm

And I believe that is hard-coded with a static password when we set a NAA. How do we deal with the scenario where the password is managed by some other tool that generates a random password every 24 hours?
July 1st, 2013 6:35pm

You are going to have to get your security team to grant an exclusion on the password policy for the NAA. There's simply no way possible you can change that each 24 hours. Of course you only need the NAA if you are doing OSD, otherwise you don't need any passwords that I can think of. Maybe for SQL though.


July 1st, 2013 6:46pm

Then I think we are safe; we are not using OSD as of now.

For client push and for other site-to-site communication, software update configuration, and the computer client agent, we can have a computer account.

Thanks

July 1st, 2013 6:51pm

This topic is archived. No further replies will be accepted.
