3.2. Active Directory - Broker account
There should be one Active Directory broker account per Realm. As the name suggests, this account acts as an intermediary, or broker, between the SCCMTSPSI user interface and the backend infrastructure. Create the Active Directory account below.
sccmtspsi-broker-XXX [Where XXX is the Realm name]
Add the broker account as a member of the security group below.
sccmtspsi-users-XXX [Where XXX is the Realm name]
This Active Directory account should have the following privileges [this account will be the security context for the Realm]:
- Permission to add/remove computer objects and their corresponding leaf objects in ADDS. We recommend narrowing the permission scope to specific areas within ADDS (for example, a single OU).
- Permission to remove computer objects from SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. Deny permission to server collections, Allow access to non-server collections.
- Permission to stage computer objects into SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. Just “All Systems” [or one derived from that] and the Realm deployment collection “sccmtspsi-deployments-r01” [r01 is the name of the Realm].
- Read access to the “patch”, “token” and “usmt” folders within the configuration directory (discussed later in this page).
- Read/Write access to the logging location set in the configuration file (discussed later in this page).
- ‘Advanced Helpdesk’ or ‘Administrator’ level access to Microsoft BitLocker Administration and Monitoring (MBAM) services (discussed later in this page).
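The following PowerShell script is an added example, not part of the SCCMTSPSI project, showing the Active Directory half of the procedure above: create the per-Realm broker account, add it to the Realm users group, and delegate only the computer-object rights it needs on one OU rather than on the whole domain. The Realm name, domain name, OU path and account description are placeholders; the SCCM collection permissions and MBAM role assignment are configured in their own consoles and are not covered here.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not SCCMTSPSI project code). Assumes the ActiveDirectory module
# and its AD: drive are available and that the caller can create users and edit
# OU ACLs. All names below are placeholders.
param(
    [Parameter(Mandatory)][string]$Realm,     # e.g. "r01"
    [Parameter(Mandatory)][string]$ScopeOU,   # e.g. "OU=Workstations,DC=corp,DC=example,DC=com"
    [string]$UpnSuffix = "corp.example.com"   # placeholder domain
)
Import-Module ActiveDirectory

$brokerName = "sccmtspsi-broker-$Realm"       # naming convention from the docs
$groupName  = "sccmtspsi-users-$Realm"

# 1. Generate a random password from a CSPRNG; it is never written to disk or echoed.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# 2. Create the broker account as a service account (no interactive password change).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$brokerName'")) {
    New-ADUser -Name $brokerName `
               -SamAccountName $brokerName `
               -UserPrincipalName "$brokerName@$UpnSuffix" `
               -AccountPassword $password `
               -Enabled $true `
               -CannotChangePassword $true `
               -PasswordNeverExpires $true `
               -Description "SCCMTSPSI broker account for Realm $Realm (placeholder description)"
}

# 3. Group membership: the docs require the broker to be in the Realm users group.
Add-ADGroupMember -Identity $groupName -Members $brokerName

# 4. Delegate create/delete of computer objects, scoped to $ScopeOU only.
#    Look the schema GUID for the "computer" class up instead of hardcoding it.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
                    -Filter 'lDAPDisplayName -eq "computer"' `
                    -Properties schemaIDGUID).schemaIDGUID
$sid = (Get-ADUser $brokerName).SID
$acl = Get-Acl -Path "AD:\$ScopeOU"

# Allow creating and deleting child objects of class "computer" in this OU and sub-OUs.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Allow full control over the computer objects themselves (the "leaf objects" the docs
# mention), inherited only by descendant objects of class "computer", nothing else.
$manageLeaf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageLeaf)
Set-Acl -Path "AD:\$ScopeOU" -AclObject $acl

# 5. Verify: membership is in place and the only ACEs for the broker live on $ScopeOU.
$isMember = Get-ADGroupMember -Identity $groupName |
            Where-Object { $_.SamAccountName -eq $brokerName }
if (-not $isMember) { throw "$brokerName is not a member of $groupName" }

(Get-Acl -Path "AD:\$ScopeOU").Access |
    Where-Object { $_.IdentityReference -like "*\$brokerName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once per Realm, e.g. `.\New-BrokerAccount.ps1 -Realm r01 -ScopeOU "OU=Workstations,DC=corp,DC=example,DC=com"`. The ACL step is what enforces the "narrow the scope" recommendation: the broker can create and delete computer objects under that OU and manage those objects, but holds no rights on users, groups or other OUs, so a compromise of the broker credential is contained to the machines the Realm is allowed to deploy. Re-run the final `Get-Acl` query after any change to confirm no broader ACE has crept in.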