Microsoft Provisioning Framework (MPF) creates five security groups: MPFAdmins, MPFAuditors, MPFServiceAccts, MPFClientAccts, and MPFTrustedUsers. For domain deployments, these groups are installed in Active Directory; for local installations, they are installed in the Windows operating system as workgroup accounts.

Account | Description |
---|---|
MPFAdmins | Grants administrator permissions to update the configuration database. Any MPF administrator or user who updates this database using the Provisioning Manager must be added as a member of this group. |
MPFAuditors | Grants read-only permissions to view data stored in the audit log. |
MPFServiceAccts | Grants permissions that are required to run provisioning engines, queue managers, and auditing and recovery managers. By default, MPFServiceAcct is the only member of this group. Other members can be added, however, which might be preferable if MPF services must run under other accounts for security reasons. |
MPFClientAccts | Grants permissions to submit Simple Object Access Protocol (SOAP) requests by using SOAP Internet Server Application Programming Interface (ISAPI). By default, MPFClientAcct is the only member of this group. Other members can be added, however, which might be preferable if front-end services sending MPF requests must run under other accounts for security reasons. |
MPFTrustedUsers | Grants permissions to submit trusted requests, or more precisely, to call the SubmitTrustedRequest methods of the IProvEngine and IProvQueue interfaces. |

It is usually safer and more efficient to manage security permissions by group rather than by individual account. For example, if you set up procedure execution permissions for a domain administrator, you might accidentally set up permissions for the computer’s local administrator as well. Setting permissions by group helps prevent this type of problem.
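
One way to review who actually holds each MPF permission is to enumerate the five groups and compare their members with the defaults listed in the table. This is an added example, not part of the original MPF documentation; it assumes a domain deployment and the ActiveDirectory PowerShell module, and the function name `Get-MpfGroupReport` and the status labels are hypothetical.

```powershell
# Added example: audit MPF group membership against the documented defaults.
# Assumption: domain deployment, ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

# Default members as stated in the table; $null means no default is documented,
# so every member of that group is listed for manual review.
$mpfDefaults = @{
    MPFAdmins       = $null
    MPFAuditors     = $null
    MPFServiceAccts = @('MPFServiceAcct')
    MPFClientAccts  = @('MPFClientAcct')
    MPFTrustedUsers = $null
}

function Get-MpfGroupReport {
    param([Parameter(Mandatory)][hashtable]$Defaults)

    foreach ($group in ($Defaults.Keys | Sort-Object)) {
        try {
            # -Recursive expands nested groups to the accounts that
            # effectively hold the permission.
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        } catch {
            [pscustomobject]@{ Group = $group; Member = $null; Status = 'lookup failed' }
            continue
        }

        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $group; Member = $null; Status = 'empty' }
        }

        $expected = $Defaults[$group]
        foreach ($m in $members) {
            # 'default' = documented default member, 'added' = member beyond
            # the default, 'review' = group with no documented default.
            $status = if ($null -eq $expected) { 'review' } elseif ($expected -contains $m.SamAccountName) { 'default' } else { 'added' }
            [pscustomobject]@{ Group = $group; Member = $m.SamAccountName; Status = $status }
        }
    }
}

Get-MpfGroupReport -Defaults $mpfDefaults | Format-Table -AutoSize
```

For a local installation, `Get-LocalGroupMember -Group <name>` is the counterpart of `Get-ADGroupMember`; its member names are prefixed with the computer or domain name, so the comparison would need to strip that prefix.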