Documentation for SCCM task sequence deployment orchestrator

Active directory - Security group

The Realm security group serves two objectives.

  1. Acts as the gate keeper, by maintaining a list of Active Directory users who can access a SCCMTSPSI Realm instance.
  2. Provides read access into the configuration directory for a Realm.

Create the below Active Directory global security group.

sccmtspsi-users-XXX [Where XXX is the Realm name]

The security group members tab will look similar to the below image. Where “Build Engineer 1” , “Build Engineer 2” and “Build Engineer 3” are normal sccmtspsi operators and “sccmtspsi-broker-r01” is the broker account [discussed in the next section].


  • The Realm security group can be a nested group. But for performance purposes, we recommend using a flat membership structure.
  • Do not add any foreign security principals as a member of this group.
