

svariell

Password to never change or set to change AD user creation - SCCM 2012 R2


I have a quick question, from an auditing standpoint on the creation of the following accounts that we create for SCCM.

Network access account

Client install account

Domain join account

SQL service account for SQL Server & SQL Server Agent services

SQL reporting user for SQL Server Reporting Service

SCCM admin account

I know that the first 5 are to be non-interactive, but my question is: is there documentation out there that states whether, for the first 5 accounts above, the password is to be set to never change or should be changed on a 30, 60, or 90 day basis? Also, what about the SCCM admin account, should that password be changed every 30, 60, or 90 days? Thanks in advance for the response.


I have them never changing the password if they are service accounts; otherwise, you run the risk of forgetting to change the password in your console and having your deployments break. I keep track of them in KeePass and have that create a random password.

There are no such docs as to when or how often you should or should not change the PW. HOWEVER, if you change the NAA account you will likely lock it out for several hours or days. As such, you should create two NAA accounts and change the PWs at different intervals. Also, don't forget that if you change any of the SQL accounts, you MUST create the SPN record too.

What do you mean by the CM Admin account? Exactly which account are you talking about?
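
For the audit question in this thread, a read-only report of each account's expiry flag, password age and registered SPNs gives the auditor the current state before any rotation policy is chosen. This is an added example, not code from any poster; the account names and the 90-day threshold are hypothetical placeholders, and it assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Read-only audit of SCCM-related AD accounts: password expiry flag, password age, SPNs.
# All account names are hypothetical; replace them with the names used in your domain.
Import-Module ActiveDirectory

$accounts = [ordered]@{
    'svc-cm-naa1' = 'Network access account (1 of 2)'
    'svc-cm-naa2' = 'Network access account (2 of 2)'
    'svc-cm-push' = 'Client install account'
    'svc-cm-join' = 'Domain join account'
    'svc-cm-sql'  = 'SQL Server / SQL Server Agent service account'
    'svc-cm-ssrs' = 'SQL Server Reporting Services user'
    'adm-cm'      = 'SCCM admin account'
}
$maxAgeDays = 90   # assumed review threshold; use 30 or 60 if your policy says so

$report = foreach ($name in $accounts.Keys) {
    $row = [ordered]@{
        Account      = $name
        Role         = $accounts[$name]
        Found        = $false
        NeverExpires = $null
        LastSet      = $null
        AgeDays      = $null
        OverMaxAge   = $null
        SPNs         = ''
    }
    try {
        $u = Get-ADUser -Identity $name -ErrorAction Stop `
                 -Properties PasswordNeverExpires, PasswordLastSet, servicePrincipalName
        $row.Found        = $true
        $row.NeverExpires = $u.PasswordNeverExpires
        # PasswordLastSet is empty when the account must change its password at next logon
        if ($u.PasswordLastSet) {
            $row.LastSet    = $u.PasswordLastSet
            $row.AgeDays    = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
            $row.OverMaxAge = $row.AgeDays -gt $maxAgeDays
        }
        # An empty SPN list on the SQL service account is worth a manual check
        $row.SPNs = ($u.servicePrincipalName -join '; ')
    } catch {
        # Account missing or not readable: keep the row so the gap shows in the report
        Write-Warning "Could not read '$name': $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$report | Sort-Object Account | Format-Table -AutoSize -Wrap
```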
