Domain Installations for Local Administrators

For security reasons, domain deployments are ordinarily performed by the Microsoft® Active Directory® or Microsoft® Windows NT® domain administrator. If you need to install Microsoft® Provisioning Framework (MPF) but do not have domain administrator privileges, your domain administrator must perform the following steps to create the Active Directory user accounts and groups needed for MPF on the domain controller computer. This must be done before you can install MPF. (In this context, domain refers to an Active Directory or Windows NT domain, not an Internet domain.)

Creating MPF User Accounts

The MPF user accounts are MPFClientAcct and MPFServiceAcct. Before creating these accounts, determine which password to use. You must use the same password for both accounts. Be sure to give this password to the people who will install MPF on their local computers.

  1. Click Start, click Control Panel, then click Administrative Tools.
  2. Click Active Directory Users and Computers.
  3. In the console tree, double-click the node for the domain.
  4. In the details pane, right-click Domain Controllers or the organizational unit where you want to add the MPF user accounts.
  5. Click New, then click User.
  6. Leave First name, Initials, and Last name blank.
  7. In Full name, type MPFClientAcct.
  8. In User logon name, type MPFClientAcct.
  9. In the drop-down list, select the user principal name (UPN) suffix to append to the user logon name, and then click Next.
  10. In Password and Confirm password, type the password for MPFClientAcct.
  11. Select the appropriate password options, and then clear User Must Change Password at Next Logon if it is not already cleared.
  12. Repeat the previous steps to create the account MPFServiceAcct. Enter the same password as you did for MPFClientAcct.

Creating Groups

The next step in the domain installation is to create groups for MPFAdmins, MPFAuditors, MPFClientAccts, MPFServiceAccts, and MPFTrustedUsers.

  1. Return to the details pane and right-click the same organizational unit where you added the users.
  2. Click New, and then click Group.
  3. In Group Name, type MPFAdmins, and then set the Group Scope property to Global and the Group Type property to Security.
  4. Repeat the previous steps to create the groups MPFAuditors, MPFClientAccts, MPFServiceAccts, and MPFTrustedUsers.

Assigning the MPF Accounts to Groups

After creating groups, the next step is to assign the MPFClientAcct and MPFServiceAcct to the MPFClientAccts, MPFServiceAccts, and MPFTrustedUsers groups.

  1. Right-click the user MPFClientAcct, and then click Add Members to a Group.
  2. In the pop-up list, select the group MPFClientAccts and click OK.
  3. Right-click the user MPFServiceAcct and choose Add Members to a Group.
  4. In the pop-up list, select the group MPFServiceAccts and click OK.
  5. Right-click the user MPFServiceAcct and choose Add Members to a Group.
  6. In the pop-up list, select the group MPFTrustedUsers and click OK.

Configuring Kerberos Delegation (Impersonation)

For an MPF server to delegate to another server, it must run under a client identity that is marked as trusted for delegation in Active Directory. Normally, this identity is MPFServiceAcct. Impersonation will not work if the client account has the Account is sensitive and cannot be delegated option set. In addition, the MPF client properties must be configured to support dynamic cloaking and delegation.

For instructions on configuring the server, see Kerberos Delegation.
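The account, group, and membership steps above, together with a check of the delegation prerequisite, as an added PowerShell example (not part of the MPF documentation). It assumes the ActiveDirectory module is installed, the script runs as a domain administrator, and $OU holds the distinguished name of the organizational unit chosen in the steps; it only reports the delegation flags and does not change them.

```powershell
# Added example, not Microsoft's own code. Assumes the ActiveDirectory module,
# a domain administrator session, and a placeholder OU distinguished name.
Import-Module ActiveDirectory

$OU        = 'OU=MPF,DC=example,DC=com'   # placeholder: OU where the steps add the accounts
$UpnSuffix = (Get-ADDomain).DNSRoot        # UPN suffix selected in step 9
$Password  = Read-Host -Prompt 'Shared password for MPFClientAcct and MPFServiceAcct' -AsSecureString

# Creating MPF User Accounts: same password for both, no change at next logon.
# Set any further password options your policy requires (step 11).
foreach ($name in 'MPFClientAcct', 'MPFServiceAcct') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name `
            -UserPrincipalName "$name@$UpnSuffix" -Path $OU `
            -AccountPassword $Password -Enabled $true `
            -ChangePasswordAtLogon $false
    }
}

# Creating Groups: global security groups.
$Groups = 'MPFAdmins', 'MPFAuditors', 'MPFClientAccts', 'MPFServiceAccts', 'MPFTrustedUsers'
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -Path $OU `
            -GroupScope Global -GroupCategory Security
    }
}

# Assigning the MPF Accounts to Groups, exactly as the six steps above do it.
$Memberships = @{
    'MPFClientAccts'  = 'MPFClientAcct'
    'MPFServiceAccts' = 'MPFServiceAcct'
    'MPFTrustedUsers' = 'MPFServiceAcct'
}
foreach ($g in $Memberships.Keys) {
    Add-ADGroupMember -Identity $g -Members $Memberships[$g]
}

# Kerberos delegation prerequisite: impersonation fails if MPFServiceAcct carries
# "Account is sensitive and cannot be delegated" (AccountNotDelegated).
$svc = Get-ADUser -Identity 'MPFServiceAcct' -Properties AccountNotDelegated, TrustedForDelegation
if ($svc.AccountNotDelegated) {
    Write-Warning 'MPFServiceAcct is marked sensitive and cannot be delegated; MPF impersonation will fail.'
}
[pscustomobject]@{
    Account              = $svc.SamAccountName
    AccountNotDelegated  = $svc.AccountNotDelegated
    TrustedForDelegation = $svc.TrustedForDelegation
}
```

Granting the account trust for delegation is a separate, deliberate step covered under Kerberos Delegation; this script only reports the current flags so the prerequisite can be verified before MPF is installed.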

See Also

Getting Started