
Account Name

AD Group Discovery Account

U s

The AD Group Discovery Account is used to discover local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active Directory Domain Services. Distribution groups are not discovered as

The AD System Discovery Account is used to discover computers from the specified locations in Active Directory Domain Services.

The AD User Discovery Account is used to discover user accounts from the specified locations in Active Directory Domain Services.

The AD Forest Account is used to discover network infrastructure from Active Directory forests, and is also used by central administration sites and primary sites to publish site data to the Active Directory Domain Services of a forest.

The AMT Provisioning and Discovery Account is functionally equivalent to the AMT Remote Admin Account and resides in the Management Engine BIOS extension (MEBx) of Intel AMT-based computers. This account is used by the server that runs the out of band service point role to manage some network interface features of AMT, by using the out of band

Permission

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure. This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want

AD System Discovery Account

AD User Discovery Account

AD Forest Account

AMT Provisioning and Discovery Account

AMT Provisioning Removal Account

The AMT Provisioning Removal Account can remove AMT provisioning information if you have to recover the site. You might also be able to use it when a Configuration Manager client was reassigned and the AMT provisioning information was not removed from the computer in the old site.

The AMT Remote Admin Account is the account in the Management Engine BIOS extension (MEBx) of Intel AMT-based computers that is used by the server running the out of band service point role to manage some network interface features of AMT in Configuration Manager, by using the out of band

The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, all the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMT-based computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account must be a member of the local Administrators group on the out of band service point computer. The AMT auditing log is not enabled. Because this is a Windows user account, specify an

Configuration Manager automatically sets the remote admin account password for computers that it provisions for AMT, and this is then used for subsequent authenticated access to the AMT firmware. This account is functionally equivalent to the Configuration Manager AMT Provisioning and Discovery Account.

The configuration of the AMT User Accounts creates the equivalent of an access control list (ACL) in the AMT firmware. When the logged on user attempts to run the Out of Band Management console, AMT uses Kerberos to authenticate the account and then authorizes or denies access to run the AMT management functions.

Specify an account that has the least possible permissions for the required proxy server or firewall.

AMT Remote Admin Account

AMT User Account

AI Synchronization Point Proxy Server Account

AMT User Accounts control which Windows users or groups can run management functions in the Out of Band Management console.

The Asset Intelligence Synchronization Point Proxy Server Account is used by the Asset Intelligence synchronization point to access the Internet via a proxy server or firewall that requires authenticated access.

Capture Operating System Image Account

The Capture Operating System Image Account is used by Configuration Manager to access the folder where captured images are stored when you deploy operating systems. This account is required if you add the step Capture Operating System Image to a task sequence.

The Client Push Installation Account is used to connect to computers and install the Configuration Manager client software if you deploy clients by using client push installation. If this account is not specified, the site server account is used to try to install the client

The Enrollment Point Connection Account connects the enrollment point to the Configuration Manager site database. By default, the computer account of the enrollment point is used, but you can configure a user account instead. You must specify a user account whenever the enrollment point is in an untrusted domain from the site server.

The Exchange Server Connection Account connects the site server to the specified Exchange Server computer to find and manage mobile devices that connect to Exchange Server.

The Exchange Server Connector Proxy Server Account is used by the Exchange Server connector to access the Internet via a proxy server or firewall that requires authenticated access.

For Configuration Manager with no service pack: The Endpoint Protection SMTP Server Connection Account is used by the site server to send email alerts for Endpoint Protection when the SMTP server requires authenticated access.

The account must have Read and Write permissions on the network share where the captured image is stored. If the password for the account is changed in Windows, you must update the task sequence with the new password. The Configuration Manager client will receive the new password when it next downloads client policy. If you use this account, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Do not assign this account interactive logon

This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed. This account does not require Domain Admin rights. Do not grant this account the right to log on locally.

Client Push Installation Account

Enrollment Point Connection Account

Exchange Server Connection Account

Exchange Server Connector Proxy Server Account

This account requires Read and Write access to the site database.

This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer.

Specify an account that has the least possible permissions for the required proxy server or firewall.

Endpoint Protection SMTP Server Connection Account

Specify an account that has the least possible permissions to send emails.

More Details www.AnoopCNair.com

Health State Reference Publishing Account

The Health State Reference Publishing Account is used to publish the Network Access Protection (NAP) health state reference for Configuration Manager to Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to publish the health

The Health State Reference Querying Account is used to retrieve the Network Access Protection (NAP) health state reference for Configuration Manager from Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to retrieve the health state references.

The Management Point Database Connection Account is used to connect the management point to the Configuration Manager site database so that it can send and retrieve information for clients. By default, the computer account of the management point is used, but you can configure a user account instead. You must specify a user account whenever the management point is in an untrusted domain from

The MEBx Account is the account in the Management Engine BIOS extension (MEBx) on Intel AMT-based computers and it is used for initial authenticated access to the AMT firmware on AMT-based computers.

The Multicast Connection Account is used by distribution points that are configured for multicast to read information from the site database. By default, the computer account of the distribution point is used, but you can configure a user account instead. You must specify a user account whenever the site database is in an untrusted forest. For example, if your data center has a perimeter network in a forest other than the site server and site

This account requires Read, Write and Create permissions to the Active Directory forest that stores the health state reference. Create the account in the forest that is designated to store the health state references. Assign the least possible permissions to this account and do not use the same account that is specified for the Health State Reference Querying Account, which requires only Read permissions.

This account requires Read permissions to the Configuration Manager Systems Management container in the Global Catalog. Create the account in the forest that is designated to store the health state references. Do not use the same account for the Health State Reference Publishing Account, which requires more privileges. Do not grant this account

Health State Reference Querying Account

Management Point Database Connection Account

Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server. Do not grant this account interactive

The account is stored in the Management Engine BIOS extensions of the AMT-based computer. This account does not correspond to any account in Windows. If the default MEBx password has not been changed before Configuration Manager provisions the computer for AMT, during the AMT provisioning process, Configuration Manager sets the password that you

MEBx Account

Multicast Connection Account

If you create this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server. Do not grant this account interactive logon rights.

Network Access Account

The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer

Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point or other server that holds the package content. Because you can create only one Network Access Account per site, this account must function for all packages and task sequences for which it is required. Do not grant this account interactive logon rights. Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task

Package Access Account

Reporting Services Point Account

Remote Tools Permitted Viewer Accounts

Package Access Accounts enable you to set NTFS permissions to specify the users and user groups that can access a package folder on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so the Package Access Accounts are not

The Reporting Services Point Account is used by SQL Server Reporting Services to retrieve the data for Configuration Manager reports from the site database.

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

The Site System Installation Account is used by the site server to install, reinstall, uninstall, and configure site systems. If you configure the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage

For Configuration Manager SP1 only: The SMTP Server Connection Account is used by the site server to send email alerts when the SMTP server requires authenticated access.

The Software Update Point Connection Account is used by the site server for the following two software updates services: WSUS Configuration Manager, which configures settings such as product definitions, classifications, and upstream settings. WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update. The Site System Installation Account can install components for software updates, but cannot perform software updates-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in

When Configuration Manager creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions required will depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Make sure that the Network Access Account has permissions to the package by using the defined Package Access Accounts. You do not have to add the Network Access Account as a

The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Site System Installation Account

This account requires local administrative permissions on the site systems that they will install and configure. Additionally, this account must have Access this computer from the network in the security policy on the site systems that they will install and configure.

Specify an account that has the least possible permissions to send emails.

SMTP Server Connection Account

Software Update Point Connection Account

This account must be a local administrator on the computer where WSUS is installed, and be part of the local WSUS Administrators group.

Software Update Point Proxy Server Account

The Software Update Point Proxy Server Account is used by the software update point to access the Internet via a proxy server or firewall that requires authenticated access.

The Source Site Account is used by the migration process to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs. If you upgrade Configuration Manager 2007 distribution points or secondary sites that have co-located distribution points to System Center 2012 Configuration Manager distribution points, this account must also have Delete permissions to the Site class to successfully remove

Specify an account that has the least possible permissions for the required proxy server or firewall.

Source Site Account

Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

The Source Site Database Account is used by the migration process to access the SQL Server database for the source site. Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager

Source Site Database Account

Task Sequence Editor Domain Joining Account

The Source Site Database Account is used by the migration process to access the SQL Server database for the source site.

The Task Sequence Editor Domain Joining Account is used in a task sequence to join a newly imaged computer to a domain. This account is required if you add the step Join Domain or Workgroup to a task sequence, and then select Join a domain. This account can also be configured if you add the step Apply Network Settings to a task sequence, but it is not

The Task Sequence Editor Network Folder Connection Account is used by a task sequence to connect to a shared folder on the network. This account is required if you add the step Connect to Network Folder to a task

The Task Sequence Run As Account is used to run command lines in task sequences and use credentials other than the local system account. This account is required if you add the step Run Command Line to a task sequence but do not want the task sequence to run with Local System account

This account requires the Domain Join right in the domain that the computer will be joining. Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

This account requires permissions to access the specified shared folder and must be a user domain account. Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Configure the account to have the minimum permissions required to run the command line that is specified in the task sequence. The account requires interactive login rights, and it usually requires the ability to install software and access network resources.

Task Sequence Editor Network Folder Connection Account

Task Sequence Run As Account