Jamar Lizarraga

Jun 13, 2024, 2:05:46 AM
to micnebimus

Hi there. So SkipFinalSummary and FinishAction do not work on custom-created administrator accounts? And what about creating admin accounts in the customsettings.ini, instead of using the autounattend.xml?

Create a Task Sequence using PowerShell to Rename Local Administrator Account Microsoft Deployment





Hi there. I have disabled the built-in administrator. But is there a way to use SkipFinalSummary and FinishAction when using AutoLogon for a newly made Administrator account? So that when it boots and restarts, the desired Admin account is right there.

Ahhh, I see. Is it possible to disable the built-in admin account upon reboot, using this command: net user administrator /active:no? If yes, how do I put that in the task sequence and/or customsettings.ini?

You add that as a Command Line step, as one of the last steps before finishing.
But if this is part of your domain client deployment, leave the account enabled and finish off with installing LAPS. Tons of good info on that here on SpiceWorks.
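An added example for the rename-and-disable step discussed in this thread. It is not code from any of the posters, from MDT or from Configuration Manager; it is a script you could run from a "Run PowerShell Script" task sequence step near the end of the sequence. It finds the built-in Administrator by its well-known RID (500) rather than by name, so it still works after a rename, and it refuses to disable the account while Winlogon AutoAdminLogon is pointed at it (the scenario in the question), since that would lock the deployment out on the next reboot. Assumptions: Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts cmdlets), the step runs elevated, and the new account name is a placeholder.

```powershell
# Added example, not from the original post or from MDT.
# Rename and disable the built-in Administrator (RID 500) as a task sequence step.
param(
    [string]$NewName = 'LocalAdmin_Disabled'   # hypothetical name; set from a TS variable if preferred
)

$ErrorActionPreference = 'Stop'

# The built-in Administrator is always RID 500 in the local machine SID, whatever its current name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found.' }

# Safety check: if AutoAdminLogon still targets this account, disabling it breaks the next reboot.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1' -and $winlogon.DefaultUserName -eq $builtin.Name) {
    throw "AutoAdminLogon is configured for '$($builtin.Name)'; run this step only after the final reboot."
}

if ($builtin.Name -ne $NewName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewName
}
Disable-LocalUser -Name $NewName

# Verify; a non-zero exit code makes the task sequence step fail visibly instead of silently.
$after = Get-LocalUser -Name $NewName
if ($after.Enabled) {
    Write-Error "Account '$NewName' is still enabled"
    exit 1
}
Write-Output ("Renamed and disabled RID-500 account: {0} (SID {1})" -f $after.Name, $after.SID.Value)
exit 0
```

The Command Line step suggested in the reply (net user administrator /active:no) does the same thing but only by name, so it silently does nothing once the account has been renamed; matching on the RID avoids that. On domain-joined clients the reply's advice still stands: leave the account enabled and hand its password to LAPS instead.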

When Configuration Manager creates a group on a computer that's a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group. This type of group is shared among all domain controllers in the domain.

Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role.

This group is a local security group that Configuration Manager creates on the site database server or database replica server for a child primary site. The site creates it when you use distributed views for database replication between sites in a hierarchy. It contains the site server and SQL Server computer accounts of the central administration site.

In addition to being a permitted viewer, an administrative user must have Remote Control permission for the Collection object. Assign this permission by using the Remote Tools Operator security role.

Configuration Manager automatically manages the group membership. By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site.

When you use a remote Configuration Manager console, configure Remote Activation DCOM permissions on both the site server computer and the SMS Provider. Grant these rights to the SMS Admins group. This action simplifies administration instead of granting these rights directly to users or groups. For more information, see Configure DCOM permissions for remote Configuration Manager consoles.

Management points that are remote from the site server use this group to connect to the site database. This group provides management point access to the inbox folders on the site server and the site database.

Configuration Manager automatically manages the group membership. By default, membership includes a computer account or a domain user account. It uses this account to connect to the site server from each remote SMS Provider.

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account. It uses this account to connect to the site server from each remote site system that runs the file dispatch manager.

This group also has the Write and Modify permissions to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box.

Configuration Manager uses this group to enable file-based replication between sites in a hierarchy. For each remote site that directly transfers files to this site, this group has accounts set up as a File Replication Account.

When you install a new site as a child of another site, Configuration Manager automatically adds the computer account of the new site server to this group on the parent site server. Configuration Manager also adds the parent site's computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server.
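The groups described above (SMS Admins, the SMS_SiteSystemToSiteServerConnection_* and SMS_SiteToSiteConnection_* groups, and the ConfigMgr_* groups) are all managed automatically, which makes their membership easy to overlook in a review. The following added example, not from the page or from Configuration Manager, dumps the membership of every such local group on the machine it runs on and flags local (non-domain) principals in SMS Admins, which Configuration Manager does not add by itself. Assumptions: run as a local administrator on the site server or site system, Windows Server 2016 or later for Get-LocalGroup; the "local principal" flag is a heuristic, not a rule from the documentation.

```powershell
# Added example, not from the page: audit Configuration Manager managed local groups.
$patterns = 'SMS Admins', 'SMS_*', 'ConfigMgr_*'

$groups = Get-LocalGroup | Where-Object {
    $name = $_.Name
    $patterns | Where-Object { $name -like $_ }   # keep groups matching any pattern
}

$report = foreach ($g in $groups) {
    # Get-LocalGroupMember fails on orphaned SIDs (deleted accounts); report and continue.
    try {
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction Stop
    } catch {
        $members = $null
        Write-Warning "Could not enumerate '$($g.Name)': $($_.Exception.Message)"
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $g.Name
            Member      = $m.Name
            ObjectClass = $m.ObjectClass       # User, Group or Computer
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Heuristic: SMS Admins should contain domain administrative users and the site server
# computer account; a purely local principal there was added by hand and deserves a look.
$report | Where-Object { $_.Group -eq 'SMS Admins' -and $_.Source -eq 'Local' } |
    ForEach-Object { Write-Warning "Local principal in SMS Admins: $($_.Member)" }
```

Run it on each SMS Provider computer as well as the site server, since SMS Admins is created on every SMS Provider and is the group that receives the DCOM Remote Activation rights for remote consoles.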

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

The site uses the Active Directory forest account to discover network infrastructure from Active Directory forests. Central administration sites and primary sites also use it to publish site data to Active Directory Domain Services for a forest.

To discover and publish to untrusted forests, the Active Directory forest account must be a global account. If you don't use the computer account of the site server, you can select only a global account.

This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.
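An added example, not from the page or from Configuration Manager, that checks the permission just described: it lists every identity holding Full Control (GenericAll) on the System Management container of the current domain and warns if the forest account's grant is missing or does not apply to child objects, which the site needs because it creates objects under the container. It uses ADSI only, so no RSAT module is required. Assumptions: run from a domain-joined machine with read access to the container's security descriptor; the account name is a placeholder; a grant made through group membership rather than directly is not resolved and will show as missing.

```powershell
# Added example, not from the page: who has Full Control on CN=System Management?
$ForestAccount = 'CONTOSO\svc-cmforest'   # hypothetical Active Directory forest account

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = $rootDse.defaultNamingContext.Value
$container = [ADSI]"LDAP://CN=System Management,CN=System,$domainDn"

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$rules = $container.ObjectSecurity.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
}

# Review the full list: anything beyond site servers, Domain Admins and SYSTEM is suspicious.
$rules | Select-Object IdentityReference, InheritanceType, IsInherited | Format-Table -AutoSize

$mine = @($rules | Where-Object { $_.IdentityReference.Value -eq $ForestAccount })
if ($mine.Count -eq 0) {
    Write-Warning "$ForestAccount has no direct Full Control ACE on the System Management container (a grant via group membership is not resolved here)."
} elseif (@($mine | Where-Object { $_.InheritanceType -in 'All', 'Descendents' }).Count -eq 0) {
    # "This object only" is not enough: the site publishes child objects under the container.
    Write-Warning "$ForestAccount's Full Control ACE does not apply to child objects."
}
```

Repeat per forest where you publish, since the container and its ACL are forest-local.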

The certificate registration point uses the Certificate registration point account to connect to the Configuration Manager database. It uses its computer account by default, but you can configure a user account instead. When the certificate registration point is in an untrusted domain from the site server, you must specify a user account. This account requires only Read access to the site database because the state message system handles write tasks.

When you capture an OS image, Configuration Manager uses the Capture OS image account to access the folder where you store captured images. If you add the Capture OS Image step to a task sequence, this account is required.

If you change the password for the account in Windows, update the task sequence with the new password. The Configuration Manager client receives the new password when it next downloads the client policy.

When you deploy clients by using the client push installation method, the site uses the Client push installation account to connect to computers and install the Configuration Manager client software. If you don't specify this account, the site server tries to use its computer account.

Use the domain or local group policy to assign the Windows user the right to Deny log on locally. As a member of the Administrators group, this account will have the right to sign in locally, which isn't needed. For better security, explicitly deny the right to this account. The deny right supersedes the allow right.

The enrollment point uses the Enrollment point connection account to connect to the Configuration Manager site database. It uses its computer account by default, but you can configure a user account instead. When the enrollment point is in an untrusted domain from the site server, you must specify a user account. This account requires Read and Write access to the site database.

The site server uses the Exchange Server connection account to connect to the specified Exchange Server. It uses this connection to find and manage mobile devices that connect to the Exchange Server. This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more information about the cmdlets, see Install and configure the Exchange connector.

The management point uses the Management point connection account to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account.

Multicast-enabled distribution points use the Multicast connection account to read information from the site database. The server uses its computer account by default, but you can configure a user account instead. When the site database is in an untrusted forest, you must specify a user account. For example, if your data center has a perimeter network in a forest other than the site server and site database, use this account to read the multicast information from the site database.

Client computers use the network access account when they can't use their local computer account to access content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account on the domain.

If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Microsoft Entra joined client can securely access content from distribution points without the need for a network access account. This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or the Software Center. For more information, see Client to management point communication.

Grant this account the minimum appropriate permissions for the content that the client requires to access the software. The account must have the Access this computer from the network right at the distribution point. You can configure up to 10 network access accounts per site.
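An added example, not from the page or from Configuration Manager, that verifies the two user-rights settings the text calls for: that the client push installation account is in "Deny log on locally" on the computer being checked, and that the network access account holds "Access this computer from the network" on a distribution point and is not also a local Administrator there. It exports the effective local security policy with secedit and parses the [Privilege Rights] section, where entries are comma-separated and resolvable principals appear as SIDs prefixed with an asterisk. Assumptions: run elevated on the computer being checked; both account names are placeholders; the check is for direct grants only, so a right that reaches the account through a group (Users, Everyone, Authenticated Users) shows as not granted.

```powershell
# Added example, not from the page: check user rights for the client push and network access accounts.
param(
    [string]$ClientPushAccount    = 'CONTOSO\svc-cmpush',   # hypothetical name
    [string]$NetworkAccessAccount = 'CONTOSO\svc-cmnaa'     # hypothetical name
)

function Get-PrivilegeRights {
    # Export the effective policy and parse [Privilege Rights] into: right name -> principals.
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = $Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') } |   # strip the '*' SID marker
                    Where-Object { $_ }
            }
        }
        return $rights
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-HasRight {
    param([hashtable]$Rights, [string]$Right, [string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $entries = @($Rights[$Right])
    # Direct grants only; group-derived rights are not expanded.
    return ($entries -contains $sid) -or ($entries -contains $Account)
}

$rights = Get-PrivilegeRights

# Client push account: a local Administrator on targets, so explicitly deny interactive logon.
# The deny right supersedes the allow right.
if (Test-HasRight $rights 'SeDenyInteractiveLogonRight' $ClientPushAccount) {
    Write-Output "OK: $ClientPushAccount is denied 'Log on locally'."
} else {
    Write-Warning "$ClientPushAccount is NOT in 'Deny log on locally'; assign it via Group Policy under User Rights Assignment."
}

# Network access account on a distribution point: needs network logon and nothing more.
if (-not (Test-HasRight $rights 'SeNetworkLogonRight' $NetworkAccessAccount)) {
    Write-Warning "$NetworkAccessAccount has no direct 'Access this computer from the network' grant; confirm it is covered through a group."
}
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $NetworkAccessAccount) {
    Write-Warning "$NetworkAccessAccount is a local Administrator; it only needs read access to the content shares."
}
```

Where the site runs HTTPS or Enhanced HTTP, the better answer for workgroup and Microsoft Entra joined clients is to not configure a network access account at all, as the text notes; this check is for sites that still need one.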
