MPF Groups
Microsoft® Provisioning Framework (MPF) has five groups: MPFAdmins, MPFAuditors, MPFServiceAccts, MPFClientAccts, and MPFTrustedUsers. For domain deployments, these accounts are installed in Microsoft® Active Directory®; for local installations, they are installed in Microsoft® Windows® as workgroup accounts.
Account Description MPFAdmins Grants administrator update privileges to the configuration database. Any MPF administrator or user who updates this database using Provisioning Manager must be added as a member of this group. MPFAuditors Grants read-only privileges to view data stored in the audit log. MPFServiceAccts Grants privileges required to run provisioning engines, queue managers, and auditing and recovery managers. By default, MPFServiceAcct is the only member of this group. However, other members can be added, which can be desirable if MPF services must run under other accounts for security reasons. MPFClientAccts Grants privileges to submit SOAP requests via SOAP ISAPI. By default, MPFClientAcct is the only member of this group. However, other members can be added, which can be desirable if client-side services sending MPF requests must run under other accounts for security reasons. Note The Windows® registry caches client property settings so that MPF can continue to process if the configuration database is off-line. For this reason, MPFClientAccts is set up to read and write to the Client key. For more information on MPF registry keys, see Registry Keys Keys.
MPFTrustedUsers Grants privileges to submit trusted requests, or more precisely, to call the SubmitTrustedRequest methods of the IProvEngine and IProvQueue interfaces. Notes:
- It is usually safer and more efficient to manage security permissions by group rather than by individual account. For example, if you set up procedure execution privileges for a domain administrator, you may accidentally set up permissions for the computer's local administrator as well. Setting permissions by group helps prevent this type of problem.
- Groups are created during MPF setup. If you have a setup failure, you must delete these groups manually before re-attempting setup. The Readme.htm file on the MPF CD has the instructions for deleting MPF groups and other recovery steps for terminated setups.
See Also
Access Control Basics, MPF Accounts
Top of Page
© 1999-2002 Microsoft Corporation. All rights reserved.