Domain Installations for Local Administrators
For security reasons, domain deployments are ordinarily
performed by the Microsoft® Active Directory® or Microsoft® Windows
NT® domain administrator. If you need to install Microsoft® Provisioning
Framework (MPF) but do not have domain administrator
privileges, your domain administrator must perform the following
steps to create the Active Directory user accounts and groups
needed for MPF on the domain controller computer. This must be done
before you can install MPF. (In this context, domain refers
to an Active Directory or Windows NT domain, not an Internet
domain.)
Creating MPF User Accounts
The MPF user
accounts are MPFClientAcct and MPFServiceAcct. Before creating
these accounts, determine which password to use. You must use the
same password for both accounts. Be sure to give this password to
the people who will install MPF on their local computers.
- Click Start, click Control Panel, then click
Administrative Tools.
- Click Active Directory Users and Computers.
- In the console tree, double-click the node for the domain.
- In the details pane, right-click Domain Controllers for
the organizational unit where you want to add the MPF user
accounts.
- Click New, then click User.
- Leave First name, Initials, and Last name
blank.
- In Full name, type MPFClientAcct.
- In User logon name, type MPFClientAcct.
- In the drop-down list, select the user principal name (UPN)
suffix to append to the user logon name, and then click
Next.
- In Password and Confirm password, type the
password for MPFClientAcct.
- Select the appropriate password options, and then clear User
Must Change Password at Next Logon if it is not already
cleared.
- Repeat the previous steps to create the account MPFServiceAcct.
Enter the same password as you did for MPFClientAcct.
Creating Groups
The next step in the domain installation is to create groups for
MPFAdmins, MPFAuditors, MPFClientAccts, MPFServiceAccts, and
MPFTrustedUsers.
- Return to the details pane and right-click the same
organizational unit where you added the users.
- Click New, and then click Group.
- In Group Name, type MPFAdmins, and then set the
Group Scope property to Global and the Group
Type property to Security.
- Repeat the previous steps to create the groups MPFAuditors,
MPFClientAccts, MPFServiceAccts, and MPFTrustedUsers.
Assigning the MPF Accounts to Groups
After creating groups, the next step is to assign the
MPFClientAcct and MPFServiceAcct to the MPFClientAccts,
MPFServiceAccts, and MPFTrustedUsers groups.
- Right-click the user MPFClientAcct, and then click Add
Members to a Group.
- In the pop-up list, select the group MPFClientAccts and
click OK.
- Right-click the user MPFServiceAcct and choose Add Members
to a Group.
- In the pop-up list, select the group MPFServiceAccts and
click OK.
- Right-click the user MPFServiceAcct and choose Add Members
to a Group.
- In the pop-up list, select the group MPFTrustedUsers and
click OK.
Configuring Kerberos Delegation (Impersonation)
For an MPF server to delegate to another server, it must run
under a client identity that is marked as trusted for delegation in
Active Directory. Normally, this identity is MPFServiceAcct.
Impersonation will not work if the client account is marked as
"sensitive and cannot be delegated." In addition, the MPF client
properties must be configured to support dynamic cloaking and
delegation.
For instructions on configuring the server, see Kerberos
Delegation.
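The account, group, and membership steps above, followed by a check of the delegation-related flags on MPFServiceAcct, as an added PowerShell example that is not part of the original documentation. It assumes the ActiveDirectory module is available, that it is run by a domain administrator, and that $OU (a placeholder distinguished name) is the organizational unit chosen when creating the accounts.

```powershell
# Added example, not from the original MPF documentation.
# Assumptions: ActiveDirectory module installed (RSAT or a domain controller),
# run as a domain administrator, and $OU is the OU selected in the steps above.
Import-Module ActiveDirectory

$OU     = "OU=MPF,DC=example,DC=com"   # placeholder: your organizational unit DN
$Domain = (Get-ADDomain).DNSRoot        # used as the UPN suffix

# The same password is required for both accounts.
$Password = Read-Host -AsSecureString -Prompt "Password for MPFClientAcct and MPFServiceAcct"

# First name, Initials and Last name are left blank; only Name/logon name are set.
foreach ($Name in "MPFClientAcct", "MPFServiceAcct") {
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$Domain" `
        -Path $OU -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false   # "User Must Change Password at Next Logon" cleared
}

# Group Scope = Global, Group Type = Security for every MPF group.
$Groups = "MPFAdmins", "MPFAuditors", "MPFClientAccts", "MPFServiceAccts", "MPFTrustedUsers"
foreach ($Group in $Groups) {
    New-ADGroup -Name $Group -SamAccountName $Group `
        -GroupScope Global -GroupCategory Security -Path $OU
}

# Memberships from "Assigning the MPF Accounts to Groups".
Add-ADGroupMember -Identity MPFClientAccts  -Members MPFClientAcct
Add-ADGroupMember -Identity MPFServiceAccts -Members MPFServiceAcct
Add-ADGroupMember -Identity MPFTrustedUsers -Members MPFServiceAcct

# Delegation check: impersonation fails if the service account is marked
# "sensitive and cannot be delegated" (AccountNotDelegated). The script only
# reports the flags; marking the account trusted for delegation is left to the
# domain administrator following the Kerberos Delegation instructions.
$Svc = Get-ADUser MPFServiceAcct -Properties AccountNotDelegated, TrustedForDelegation
if ($Svc.AccountNotDelegated) {
    Write-Warning "MPFServiceAcct is marked sensitive and cannot be delegated; impersonation will not work."
}
"MPFServiceAcct TrustedForDelegation = $($Svc.TrustedForDelegation)"
```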
See Also
Getting Started