User accounts created by Microsoft Provisioning Framework
Microsoft Provisioning Framework (MPF) creates two user
accounts: the MPF service account (MPFServiceAcct) and the MPF
client account (MPFClientAcct). For domain deployments, these
accounts are installed in the Active Directory directory service.
For local installations, these accounts are installed in the
Windows operating system as workgroup accounts.
MPFServiceAcct
MPFServiceAcct is the default account for provisioning servers. It
has permissions to run provisioning engines, queue
managers, and auditing and recovery managers.
Important
When you are setting the password for MPFServiceAcct during
setup, the following important conditions apply:
- If you ever change the password for the MPFServiceAcct, you
  will also be required to change the password for the provisioning
  engine COM+ application, Provisioning Queue Manager service, and
  Provisioning Auditing and Recovery service. If you do not do this,
  MPF will not function properly.
- Multiple forests with different provisioning engines should not
  use the same MPFServiceAcct password. If they do, MPF replicates
  objects across the forests. This is appropriate only if all
  domains use the same provisioning engine.
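The password-change condition above means the MPFServiceAcct credential is stored in several places on a provisioning server. The following PowerShell is an added example, not part of the MPF documentation: it lists the Windows services and COM+ applications configured to run as the account so that none is missed when the password is rotated. The function names are hypothetical, and matching on the bare account name (ignoring the domain or machine prefix) is an assumption.

```powershell
# Added example: inventory where a service account's password is stored
# on this machine, as a check to run before and after a password rotation.

function Get-AccountLeaf {
    param([string]$Identity)
    # Normalise DOMAIN\user, .\user and user@domain to the bare user name.
    if ([string]::IsNullOrWhiteSpace($Identity)) { return '' }
    $leaf = ($Identity -split '\\')[-1]
    return ($leaf -split '@')[0].ToLowerInvariant()
}

function Find-CredentialDependents {
    param([string]$AccountName = 'MPFServiceAcct')   # account name from the page
    $target = $AccountName.ToLowerInvariant()

    # Windows services whose logon account is the target.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { (Get-AccountLeaf $_.StartName) -eq $target } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Service'
                Name   = $_.DisplayName
                RunsAs = $_.StartName
            }
        }

    # COM+ applications whose configured identity is the target.
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        $identity = [string]$app.Value('Identity')
        if ((Get-AccountLeaf $identity) -eq $target) {
            [pscustomobject]@{
                Kind   = 'COM+ application'
                Name   = $app.Name
                RunsAs = $identity
            }
        }
    }
}

# Run from an elevated prompt on the provisioning server.
Find-CredentialDependents | Format-Table -AutoSize
```

Every entry the script returns holds its own copy of the password and must be updated together with the account.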
MPFServiceAcct is a member of the MPFServiceAccts and
MPFTrustedUsers groups.
When a request uses basic authentication, Kerberos delegation,
or has a procedure with an "execute as" credential, these
credentials take precedence over MPFServiceAcct. In
MPF deployments that perform security checking outside of MPF, you
might find it useful to grant permissions to MPFServiceAcct so it
can perform actions on external services.
When you are setting the password for MPFClientAcct during
setup, the following condition applies: if you ever change the
password for the MPFClientAcct, you will also be required to
change the password for SOAP ISAPI.
Accounts are created during MPF setup. If you have a setup
failure, you must delete these accounts manually before you attempt
setup again.