Microsoft® Provisioning Framework (MPF) has five groups: MPFAdmins, MPFAuditors, MPFServiceAccts, MPFClientAccts, and MPFTrustedUsers. For domain deployments, these accounts are installed in Microsoft® Active Directory®; for local installations, they are installed in Microsoft® Windows® as workgroup accounts.
Account | Description |
---|---|
MPFAdmins | Grants administrator update privileges to the configuration database. Any MPF administrator or user who updates this database using Provisioning Manager must be added as a member of this group. |
MPFAuditors | Grants read-only privileges to view data stored in the . |
MPFServiceAccts | Grants privileges required to run provisioning engines, queue managers, and auditing and recovery managers. By default, MPFServiceAcct is the only member of this group. However, other members can be added, which can be desirable if MPF services must run under other accounts for security reasons. |
MPFClientAccts | Grants privileges to submit SOAP requests via SOAP ISAPI. By default, MPFClientAcct is the only member of this group. However, other members can be added, which can be desirable if client-side services sending MPF requests must run under other accounts for security reasons. Note: The Windows® registry caches client property settings so that MPF can continue to process if the configuration database is off-line. For this reason, MPFClientAccts is set up to read and write to the Client key. For more information on MPF registry keys, see . |
MPFTrustedUsers | Grants privileges to submit trusted requests, or more precisely, to call the SubmitTrustedRequest methods of the IProvEngine and IProvQueue interfaces. |
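
One way to review these groups, as an added example that is not part of the original MPF documentation: the PowerShell below compares membership with the two defaults the table states (MPFServiceAcct and MPFClientAcct) and lists the members of the other three groups for manual review. The function name, the status labels, and the CONTOSO sample accounts are constructed for illustration.

```powershell
# Added example: audit MPF group membership against the documented defaults.
# The page states a default member only for these two groups.
$Baseline = @{
    'MPFServiceAccts' = @('MPFServiceAcct')
    'MPFClientAccts'  = @('MPFClientAcct')
}
$MpfGroups = 'MPFAdmins', 'MPFAuditors', 'MPFServiceAccts', 'MPFClientAccts', 'MPFTrustedUsers'

function Test-MpfGroupMembership {   # hypothetical helper name
    param(
        # Hashtable: group name -> array of member names (DOMAIN\name or name)
        [Parameter(Mandatory)] [hashtable] $Membership
    )
    foreach ($group in $MpfGroups) {
        # Drop nulls so a missing or empty group yields an empty array
        $members = @($Membership[$group] | Where-Object { $_ })
        $short   = @($members | ForEach-Object { ($_ -split '\\')[-1] })

        foreach ($m in $members) {
            $name = ($m -split '\\')[-1]          # strip DOMAIN\ or COMPUTER\ prefix
            $status = if ($Baseline.ContainsKey($group)) {
                if ($Baseline[$group] -contains $name) { 'Default' } else { 'NonDefault' }
            } else { 'Review' }                   # no documented default for this group
            [pscustomobject]@{ Group = $group; Member = $m; Status = $status }
        }
        # Report a documented default account that is no longer a member
        foreach ($d in @($Baseline[$group] | Where-Object { $_ })) {
            if ($short -notcontains $d) {
                [pscustomobject]@{ Group = $group; Member = $d; Status = 'MissingDefault' }
            }
        }
    }
}

# Constructed sample membership. On a live system, fill the hashtable with:
#   local install:  Get-LocalGroupMember -Group $g | ForEach-Object Name
#   domain install: Get-ADGroupMember -Identity $g | ForEach-Object SamAccountName
$sample = @{
    'MPFAdmins'       = @('CONTOSO\alice')
    'MPFAuditors'     = @('CONTOSO\bob')
    'MPFServiceAccts' = @('CONTOSO\MPFServiceAcct', 'CONTOSO\svc-backup')
    'MPFClientAccts'  = @()
    'MPFTrustedUsers' = @('CONTOSO\alice')
}
Test-MpfGroupMembership -Membership $sample | Format-Table -AutoSize
```

Rows marked `NonDefault` are accounts added beyond the documented default, and `Review` rows are members of MPFAdmins, MPFAuditors, and MPFTrustedUsers, which have no documented default to compare against.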
Notes: