MPF Accounts

Microsoft® Provisioning Framework (MPF) has two user accounts: MPFServiceAcct and MPFClientAcct. For domain deployments, these accounts are installed in Microsoft® Active Directory®; for local installations, they are installed in Microsoft® Windows® as workgroup accounts.

MPFServiceAcct

MPFServiceAcct is the default account for provisioning servers. It has permissions to run provisioning engines, queue managers, and auditing and recovery managers.

When setting the password for MPFServiceAcct during setup, be aware that:

MPFServiceAcct is a member of the MPFServiceAccts and MPFTrustedUsers groups .

Whenever a request uses basic authentication, Kerberos delegation, and/or has a procedure with an "execute as" credential, these credentials take precedence over MPFServiceAcct. In MPF deployments that perform security checking outside of MPF, it may be desirable to grant privileges to MPFServiceAcct so it can perform actions on external services.

MPFClientAcct

MPFClientAcct is only used to submit SOAP requests to MPF via SOAP ISAPI. MPFClientAcct is a member of the MPFClientAccts group.

Notes:

See Also

Access Control Basics