Permissions for SCCM Service Account

active-directory sccm-2012

Does anyone know what is the least privileged Active Directory security group needed for the MS-SCCM 2012 service account to do software updates via Configuration Manager? ConfigMgr runs fine with the account being in Domain Admins, but I’d like to give it less permission. I’ve heard that it could be made a local admin on every target device through group policy, but I’m hoping that there’s a better solution. Digging through TechNet has yielded surprisingly little.
Thanks

Best Answer

My knowledge of the particulars of SCCM 2012 is somewhat limited. But installing software updates on Windows is pretty straightforward. You need an account with local administrator or SYSTEM level permissions to effect system-wide changes like a software update. So yes, at the very least your service account should be added to the local administrators group on each client device. How you accomplish that is kind of up to you, but the easiest probably is group policy.
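
An audit sketch for the change discussed above, added here as an example and not part of the original answer: after the account is moved out of Domain Admins and pushed into local Administrators by group policy, it confirms both facts. The domain `CONTOSO`, the account `svc-sccm` and the computer names are hypothetical, and it assumes the RSAT ActiveDirectory module plus PowerShell remoting (WinRM) to the clients.

```powershell
#Requires -Version 5.1
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory            # RSAT Active Directory module (assumed installed)

$Domain    = 'CONTOSO'                   # assumption: NetBIOS domain name
$SamName   = 'svc-sccm'                  # assumption: the SCCM service account
$Computers = 'PC-001', 'PC-002'          # constructed sample list of client devices

# 1. The account should no longer be in Domain Admins, directly or through nesting.
$inDomainAdmins = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $SamName })

# 2. On each client the account should appear in BUILTIN\Administrators.
#    Only direct membership is checked; if group policy adds a domain group
#    instead of the account itself, compare against that group's name.
$results = foreach ($computer in $Computers) {
    try {
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
            # so the lookup also works on localized Windows builds.
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            Computer     = $computer
            IsLocalAdmin = ($members -contains "$Domain\$SamName")
            Error        = $null
        }
    }
    catch {
        # Unreachable host or a failed lookup: report it, do not treat it as a pass.
        [pscustomobject]@{
            Computer     = $computer
            IsLocalAdmin = $null
            Error        = $_.Exception.Message
        }
    }
}

if ($inDomainAdmins) {
    Write-Warning "$Domain\$SamName is still a member of Domain Admins."
}
$results | Format-Table -AutoSize
```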