MPF Groups

Microsoft® Provisioning Framework (MPF) has five groups: MPFAdmins, MPFAuditors, MPFServiceAccts, MPFClientAccts, and MPFTrustedUsers. For domain deployments, these accounts are installed in Microsoft® Active Directory®; for local installations, they are installed in Microsoft® Windows® as workgroup accounts.

Account: Description

MPFAdmins: Grants administrator update privileges to the configuration database. Any MPF administrator or user who updates this database using Provisioning Manager must be added as a member of this group.

MPFAuditors: Grants read-only privileges to view data stored in the .

MPFServiceAccts: Grants privileges required to run provisioning engines, queue managers, and auditing and recovery managers. By default, MPFServiceAcct is the only member of this group. However, other members can be added, which can be desirable if MPF services must run under other accounts for security reasons.

MPFClientAccts: Grants privileges to submit SOAP requests via SOAP ISAPI. By default, MPFClientAcct is the only member of this group. However, other members can be added, which can be desirable if client-side services sending MPF requests must run under other accounts for security reasons.

Note The Windows® registry caches client property settings so that MPF can continue to process if the configuration database is off-line. For this reason, MPFClientAccts is set up to read and write to the Client key. For more information on MPF registry keys, see .

MPFTrustedUsers: Grants privileges to submit trusted requests, or more precisely, to call the SubmitTrustedRequest methods of the IProvEngine and IProvQueue interfaces.
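
Because membership in these groups is what confers each privilege, a periodic membership review is the natural control. The following is an added example, not part of the MPF documentation or product: a PowerShell check that compares the five groups against a baseline. It assumes the groups carry exactly the names listed above and that the ActiveDirectory module (domain deployment) or the LocalAccounts cmdlets (local installation) are available; the empty baseline entries are placeholders to fill from your own approved-member records.

```powershell
# Added example (not MPF code): review membership of the five MPF groups.
# Only the two default members named in the documentation are known here;
# the empty lists are placeholders (assumption) for your approved members.
$Baseline = @{
    MPFAdmins       = @()                  # can update the configuration database
    MPFAuditors     = @()                  # read-only
    MPFServiceAccts = @('MPFServiceAcct')  # documented default member
    MPFClientAccts  = @('MPFClientAcct')   # documented default member
    MPFTrustedUsers = @()                  # can call SubmitTrustedRequest
}

# Member lookups: each takes a group name and returns bare account names.
$FromDomain = {
    param($Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        ForEach-Object { $_.SamAccountName }
}
$FromLocal = {
    param($Group)
    Get-LocalGroupMember -Group $Group |
        ForEach-Object { ($_.Name -split '\\')[-1] }   # strip "HOST\" prefix
}

function Compare-MpfGroupMembership {
    param(
        [Parameter(Mandatory)] [hashtable]   $Expected,
        [Parameter(Mandatory)] [scriptblock] $GetMembers
    )
    foreach ($group in ($Expected.Keys | Sort-Object)) {
        $actual     = @(& $GetMembers $group)
        # -notin is case-insensitive and safe with empty lists.
        $unexpected = @($actual | Where-Object { $_ -notin $Expected[$group] })
        $missing    = @($Expected[$group] | Where-Object { $_ -notin $actual })
        [pscustomobject]@{
            Group      = $group
            Members    = $actual -join ', '
            Unexpected = $unexpected -join ', '   # present but not approved
            Missing    = $missing -join ', '      # approved but absent
            InBaseline = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Domain deployment; pass $FromLocal instead for a local installation.
Compare-MpfGroupMembership -Expected $Baseline -GetMembers $FromDomain |
    Format-Table -AutoSize -Wrap
```

Any row with a non-empty Unexpected column for MPFAdmins or MPFTrustedUsers deserves the first look, since those groups allow configuration database updates and trusted request submission respectively.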

See Also

Access Control Basics, MPF Accounts