Monday 30 September 2019

SCCM Account Permission and Ports


Software Account Permissions


The following accounts are used for AD discovery:
*      Active Directory Discovery Accounts
The site server computer account, or the user account you specify, must have Read permission on the AD objects it discovers. This applies to each of the discovery accounts:
Active Directory group discovery account
Active Directory system discovery account
Active Directory user discovery account
Active Directory forest account
The site server computer account must have Full Control on the System Management container and all its child objects.
Note: Don't grant interactive sign-in rights to this account; to avoid account lockouts, create a dedicated service account.
To extend the AD schema, the user account must be a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.

*      Client Push Installation Account
The client push installation account must be a member of the local Administrators group on the target client computers. This account doesn't require Domain Admin rights (using a GPO, we make the client push account a member of the local Administrators group on all domain machines).
Note: Don't grant interactive sign-in rights to this account; to avoid account lockouts, create a dedicated service account.

*      Network Access Account
Client computers use the network access account when they can't use their local computer account to access content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account in the domain.
It is only used to access content on a distribution point when the computer account is unable to access it.
This account must be a domain user with access to the distribution points; it doesn't need any special rights.
Note: Don't grant interactive sign-in rights to this account; to avoid account lockouts, create a dedicated service account.

*      Reporting Services Point Account
This is a normal domain account. Configuration Manager automatically grants the specified user access to the site database. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the ConfigMgr Reporting Services Point account name.
Note: Don't grant interactive sign-in rights to this account; to avoid account lockouts, create a dedicated service account.

*      Task Sequence Domain Join Account
Windows Setup uses the task sequence domain join account to join a newly imaged computer to a domain. The specified user account requires the Domain Join right in the target domain.
Note: Don't grant interactive sign-in rights or Domain Admin rights to this account; to avoid account lockouts, create a dedicated service account.

For other SCCM tasks, such as site installation and role configuration, create a dedicated domain user account; it doesn't require any special permissions.
Create a separate account for the SQL Server service account. We use this for SQL Server installation and configuration; this account doesn't require any special permissions either.
We can also create an SCCM Admin group, which will help with troubleshooting SCCM servers and clients.
This group requires local admin permission on all SCCM servers and SCCM client computers.
We can also create another SCCM AD group for access to the System Management container in AD and to all SCCM servers.
This group requires local admin permission on all SCCM servers and Full Control on the System Management container in AD.
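The two AD-side steps above (delegating the System Management container and keeping the service accounts out of privileged groups) can be scripted and audited. The following is an added example, not code from the original post; the domain contoso.com, the site server computer account SCCM01$, the group SCCM-Servers and the svc-sccm-* account names are all constructed for the example and must be replaced with your own.

```powershell
# Added example (not from the original post): delegate the System Management
# container and audit the SCCM service accounts for least privilege.
# Assumptions (all constructed): domain contoso.com, site server computer
# account SCCM01$, AD group "SCCM-Servers", and the account names below.
# Run from a domain-joined host with RSAT (ActiveDirectory module) installed.
Import-Module ActiveDirectory

$DomainDN  = 'DC=contoso,DC=com'
$NetBios   = 'CONTOSO'
$Container = "CN=System Management,CN=System,$DomainDN"

# 1. Create the System Management container if it does not exist yet.
if (-not (Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase "CN=System,$DomainDN")) {
    New-ADObject -Name 'System Management' -Type container -Path "CN=System,$DomainDN"
}

# 2. Grant Full Control (GA = generic all) on the container and all child
#    objects (/I:T) to the site server computer account and the SCCM servers
#    group. dsacls is the built-in ACL tool for directory objects.
$Principals = @(($NetBios + '\SCCM01$'), ($NetBios + '\SCCM-Servers'))
foreach ($p in $Principals) {
    dsacls $Container /G "${p}:GA" /I:T | Out-Null
}

# 3. Least-privilege audit of the service accounts described in the post.
#    None of them should sit in a privileged group, and none should be locked out.
$ServiceAccounts = @(
    'svc-sccm-discovery',   # AD discovery (read access only)
    'svc-sccm-clientpush',  # local Administrators on clients via GPO only
    'svc-sccm-naa',         # network access account (plain domain user)
    'svc-sccm-reporting',   # reporting services point
    'svc-sccm-domainjoin',  # task sequence domain join (Domain Join right only)
    'svc-sccm-sql'          # SQL Server service account
)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

foreach ($name in $ServiceAccounts) {
    $user = Get-ADUser -Identity $name -Properties MemberOf, LockedOut -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "$name not found"; continue }

    # Resolve direct group memberships (DNs) to group names.
    $groups = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $bad    = $groups | Where-Object { $PrivilegedGroups -contains $_ }

    [pscustomobject]@{
        Account          = $name
        Enabled          = $user.Enabled
        LockedOut        = $user.LockedOut
        PrivilegedGroups = ($bad -join ', ')
        Compliant        = (-not $bad) -and (-not $user.LockedOut)
    }
}
```

The audit only inspects direct memberships; nested membership in a privileged group would need a recursive query. The "no interactive sign-in" requirement is enforced separately through the "Deny log on locally" user right in a GPO, not through AD attributes, so it is not covered by this script.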

SCCM Required Ports


Ports required between clients and site servers

From   | To                        | UDP           | TCP              | Description                    | Direction
-------|---------------------------|---------------|------------------|--------------------------------|---------------
Client | App Catalog Website Point |               | 80/443           | http/https                     | Unidirectional
Client | Client (WOL)              |               | 9/25536          | WOL/WUP                        | Unidirectional
Client | NDES                      |               | 80/443           | http/https                     | Unidirectional
Client | Cloud DP                  |               | 443              | https                          | Unidirectional
Client | DP                        |               | 80/443           | http/https                     | Unidirectional
Client | DP with multicast         | 63000-64000   | 445              | Multicast/SMB                  | Unidirectional
Client | DP with PXE               | 67/68/69/4011 |                  | DHCP/TFTP/BINL                 | Unidirectional
Client | FSP                       |               | 80               | http                           | Unidirectional
Client | Domain                    |               | 3268/3269        | LDAP/LDAP SSL                  | Unidirectional
Client | MP                        |               | 10123/80/443     | Client notification/http/https | Unidirectional
Client | SUP                       |               | 80/8530/443/8531 | http/https                     | Unidirectional
Client | SMP                       |               | 80/443/445       | http/https/SMB                 | Unidirectional
Client | PXE DP                    | 67/68/69/4011 |                  | PXE-enabled DP                 | Unidirectional
Client | DP                        |               | 445              | Windows file share             | Unidirectional


Ports required from the SCCM site server (console) to clients

From    | To     | UDP         | TCP      | Description                | Direction
--------|--------|-------------|----------|----------------------------|---------------
Console | Client |             | 2701/3389| RC/RDP/RTC                 | Unidirectional
Console | Client |             | 135/445  | WMI and Windows file share | Unidirectional
Console | Client |             | 2701/3389| Remote control             | Unidirectional
Console | Client |             |          | ICMP echo request          | Unidirectional
Console | Client | 135         |          | RPC endpoint mapper        | Unidirectional
Console | Client | 49152-65535 |          | RPC ports                  | Unidirectional
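Once the firewall and network paths are in place, the TCP entries in the two tables above can be verified from a client (towards the site systems) and from a console host (towards a client). The script below is an added example, not code from the original post; the host names MP01, DP01, SUP01, CLIENT01 in contoso.com are constructed placeholders. Test-NetConnection only performs a TCP handshake, so the UDP entries (PXE, WOL, multicast, RPC endpoint mapper as listed) are not covered by it.

```powershell
# Added example (not from the original post): probe the TCP ports from the
# client/site-server port tables. Assumptions (constructed): site systems
# MP01, DP01, SUP01 and a client CLIENT01 in contoso.com; adjust to your site.
# Test-NetConnection cannot test UDP, so those rows are deliberately absent.

# Client -> site systems (run on a client).
$ClientChecks = @(
    @{ Role = 'MP  (http)';          Host = 'MP01.contoso.com';     Port = 80    },
    @{ Role = 'MP  (https)';         Host = 'MP01.contoso.com';     Port = 443   },
    @{ Role = 'MP  (notification)';  Host = 'MP01.contoso.com';     Port = 10123 },
    @{ Role = 'DP  (http)';          Host = 'DP01.contoso.com';     Port = 80    },
    @{ Role = 'DP  (https)';         Host = 'DP01.contoso.com';     Port = 443   },
    @{ Role = 'DP  (SMB)';           Host = 'DP01.contoso.com';     Port = 445   },
    @{ Role = 'SUP (http)';          Host = 'SUP01.contoso.com';    Port = 8530  },
    @{ Role = 'SUP (https)';         Host = 'SUP01.contoso.com';    Port = 8531  },
    @{ Role = 'Domain (LDAP GC)';    Host = 'contoso.com';          Port = 3268  },
    @{ Role = 'Domain (LDAP GC SSL)';Host = 'contoso.com';          Port = 3269  }
)

# Console -> client (run on the console / site server).
$ConsoleChecks = @(
    @{ Role = 'Client (RPC EPM)';       Host = 'CLIENT01.contoso.com'; Port = 135  },
    @{ Role = 'Client (SMB)';           Host = 'CLIENT01.contoso.com'; Port = 445  },
    @{ Role = 'Client (remote control)';Host = 'CLIENT01.contoso.com'; Port = 2701 },
    @{ Role = 'Client (RDP)';           Host = 'CLIENT01.contoso.com'; Port = 3389 }
)

function Test-SccmPorts {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # -WarningAction hides the per-failure "TCP connect failed" warning so
        # the result stays one object per check.
        $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $c.Role
            Host      = $c.Host
            Port      = $c.Port
            Resolved  = $r.RemoteAddress
            Reachable = $r.TcpTestSucceeded
        }
    }
}

# Pick the set that matches the machine you are running on.
$Results = Test-SccmPorts -Checks $ClientChecks
$Results | Format-Table -AutoSize

# Unreachable ports mean a missing firewall rule, a network ACL, or a role
# that is simply not installed on that host.
$Results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ("{0}: {1}:{2} not reachable" -f $_.Role, $_.Host, $_.Port)
}
```

Run it with `$ConsoleChecks` instead of `$ClientChecks` on the console host to confirm the second table. A port that answers here but is not in the tables is also worth a look, since it suggests a rule wider than the SCCM traffic needs.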

Windows Firewall Ports and Inbound / Outbound GPO Rules


It's recommended to enable Windows Firewall on each desktop and server; certain things can't be installed without Windows Firewall enabled.
If Windows Firewall is enabled, we need to create a few inbound and outbound rules in a GPO to allow SCCM traffic. Below are the details.

Name                                                    | Group                                    | Profile                 | Enabled | Action
--------------------------------------------------------|------------------------------------------|-------------------------|---------|-------
ICMP Wake-up proxy communication                        |                                          | All                     | Yes     | Allow
RPC End Point Mapper                                    |                                          | All                     | Yes     | Allow
Configuration Manager remote control                    |                                          | All                     | Yes     | Allow
Windows Management Instrumentation (ASync-In)           | Windows Management Instrumentation (WMI) | Private, Public         | Yes     | Allow
Windows Management Instrumentation (WMI-In)             | Windows Management Instrumentation (WMI) | Private, Public         | Yes     | Allow
Windows Management Instrumentation (DCOM-In)            | Windows Management Instrumentation (WMI) | Private, Public         | Yes     | Allow
Windows Management Instrumentation (ASync-In)           | Windows Management Instrumentation (WMI) | Domain                  | Yes     | Allow
Windows Management Instrumentation (WMI-In)             | Windows Management Instrumentation (WMI) | Domain                  | Yes     | Allow
Windows Management Instrumentation (DCOM-In)            | Windows Management Instrumentation (WMI) | Domain                  | Yes     | Allow
File and Printer Sharing (LLMNR-UDP-In)                 | File and Printer Sharing                 | All                     | Yes     | Allow
File and Printer Sharing (Echo Request - ICMPv6-In)     | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (Echo Request - ICMPv4-In)     | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (Spooler Service - RPC-EPMAP)  | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (Spooler Service - RPC)        | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (NB-Datagram-In)               | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (NB-Name-In)                   | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (SMB-In)                       | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (NB-Session-In)                | File and Printer Sharing                 | Private, Public         | Yes     | Allow
File and Printer Sharing (Echo Request - ICMPv6-In)     | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (Echo Request - ICMPv4-In)     | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (Spooler Service - RPC-EPMAP)  | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (Spooler Service - RPC)        | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (NB-Datagram-In)               | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (NB-Name-In)                   | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (SMB-In)                       | File and Printer Sharing                 | Domain                  | Yes     | Allow
File and Printer Sharing (NB-Session-In)                | File and Printer Sharing                 | Domain                  | Yes     | Allow
SQL Ports for SCCM                                      | TCP 1433                                 | Domain, Private, Public | Yes     | Allow
SQL Ports for SCCM                                      | TCP 4022                                 | Domain, Private, Public | Yes     | Allow
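The rule set in the table above can be written into a domain GPO with the NetSecurity cmdlets instead of clicking through the GPO editor. This is an added example, not code from the original post; the domain contoso.com, the GPO name "SCCM Firewall Rules" and the addresses in $SccmHosts are constructed for the example. It goes one step further than the table by scoping the custom rules to the SCCM hosts with -RemoteAddress, which the table does not do.

```powershell
# Added example (not from the original post): build the inbound rules from
# the GPO table in a domain GPO with the NetSecurity module. Assumptions,
# all constructed: domain contoso.com, an existing GPO named "SCCM Firewall
# Rules", and site server / SQL / console addresses in $SccmHosts.
# Run with edit rights on the GPO from a host with RSAT (GPMC) installed.
$PolicyStore = 'contoso.com\SCCM Firewall Rules'
$Gpo         = Open-NetGPO -PolicyStore $PolicyStore
$SccmHosts   = @('10.0.10.20', '10.0.10.21')   # site server and SQL/console hosts

# Predefined Windows rule groups (WMI, File and Printer Sharing): copy the
# inbound rules from the local store into the GPO, then enable them. The
# copied rules keep their Domain / Private, Public profile split from the table.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    Copy-NetFirewallRule -DisplayGroup $group -Direction Inbound -NewGPOSession $Gpo
    Enable-NetFirewallRule -GPOSession $Gpo -DisplayGroup $group
}

# Custom rules from the table. Common settings are splatted; each rule is
# limited to the SCCM hosts so the port is not open to every peer on the LAN.
$Common = @{
    GPOSession = $Gpo
    Direction  = 'Inbound'
    Action     = 'Allow'
    Enabled    = 'True'
    Profile    = 'Any'       # "All" in the table
}

New-NetFirewallRule @Common -DisplayName 'ICMP Wake-up proxy communication' `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress LocalSubnet
New-NetFirewallRule @Common -DisplayName 'RPC End Point Mapper' `
    -Protocol TCP -LocalPort RPCEPMap -RemoteAddress $SccmHosts
New-NetFirewallRule @Common -DisplayName 'Configuration Manager remote control' `
    -Protocol TCP -LocalPort 2701 -RemoteAddress $SccmHosts
New-NetFirewallRule @Common -DisplayName 'SQL Ports for SCCM (TCP 1433)' `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $SccmHosts
New-NetFirewallRule @Common -DisplayName 'SQL Ports for SCCM (TCP 4022)' `
    -Protocol TCP -LocalPort 4022 -RemoteAddress $SccmHosts

# Nothing is persisted until the GPO session is saved.
Save-NetGPO -GPOSession $Gpo

# Review what ended up in the GPO, grouped the same way as the table.
Get-NetFirewallRule -PolicyStore $PolicyStore |
    Select-Object DisplayName, DisplayGroup, Profile, Enabled, Action |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table -AutoSize
```

The wake-up proxy rule is scoped to LocalSubnet because wake-up proxy traffic comes from peers on the same subnet, not from the site server. The SQL rules belong only in the GPO that targets the site database server; linking the same GPO to every client would open 1433/4022 on machines that never run SQL Server.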


2 comments:

  1. Sometimes a few educational blogs become very helpful while getting relevant and new information related to your targeted area. As I found this blog and appreciate the information delivered to my database. Windows 10 home product key 64 bit
