Microsoft System Center Configuration Manager 2007 client computers use the Local System account to perform most Configuration Manager 2007 client operations on the computer, but Local System cannot access network resources. When the client computer accesses a distribution point to run a package, including operating system deployment packages, it uses the computername$ account to access resources in a trusted Active Directory domain. The Network Access account is provided for times when Configuration Manager 2007 clients from workgroups or non-trusted domains require access resources in the site server's domain. This account might also be needed during operating system deployment, because the computer receiving the operating system does not have a security context it can use to access content on the network.
Important |
---|
The Network Access account is never used as the security context for running programs, installing software updates, or running task sequences, only for accessing resources on the network. |
Required rights and permissions
This account should have the minimum appropriate permissions on the software distribution or operating system deployment content it needs to access. The account must have Access this computer from the network on the distribution point or other server that holds the package content.
Because you can create only one Network Access account per site, this account must function for all packages and task sequences for which it is required.
Scenarios for Software Distribution
The account used to connect to the content and the account used to run the program vary depending on the configuration of the program and advertisement.
Note |
---|
The program is always run in the context specified by administrator in the program properties. The Network Access account is never used to run the program, even if it was used to access the distribution point shared folder. |
Advertisement Is Configured To Download from Distribution Point
Program is advertised to: | Program Initiation | Sequence of accounts used to access distribution point shared folder |
---|---|---|
User or group |
Initiated by user or initiated on schedule |
|
Computer |
Initiated by user |
|
Computer |
Initiated on schedule |
|
* When Configuration Manager tries to use the computername$ context to download the content and it fails, it automatically tries the Network Access account again, even if it has previously tried and failed.
Advertisement Is Configured To Run from Distribution Point
Program configuration | Sequence of accounts used to access distribution point shared folder |
---|---|
Run with user rights |
1. Logged on user 2. Network Access account |
Run with administrative rights |
1. Computername$ 2. Network Access account |
Windows Installer file, configured to run with user rights |
Configuration Manager 2007 client attempts to access the distribution point to run the Windows Installer application using the following account sequence: 1. Logged on user 2. Network Access account Configuration Manager 2007 client attempts to access the distribution point to elevate the Windows Installer rights for the user using the following account sequence: 1. Computername$ 2. Network Access account |
In many cases, when a Windows Installer file is installed in a user’s context there are components within the file that require an administrative context to install; the Configuration Manager 2007 client is able to take advantage of Windows Installer elevation to ensure that the application installs correctly. The client does not know if elevation is required, so it always attempts to elevate Windows Installer installations, whether or not the program requires it, whether or not the logged on user is an administrator. In order for elevation to succeed the Computername$ account or the Network Access account must be able to access the resource. If neither the Computername$ account nor the Network Access account has permission to access the shared folder on the distribution point, the program will still run in the user’s context but the elevation will fail. you will receive status message 10046 to indicate a failure to elevate the Windows Installer package. If any actions within the Windows Installer file require administrator access to the system then the installation will fail
After a connection to the distribution point shared folder has been established, if the program was configured to run with user rights, the program runs in the context of the logged on user, regardless of the account used to access the share. If the program was configured to run with administrative rights, it runs in the context of the Local System account.
Scenarios for Operating System Deployment
While Configuration Manager 2007 can use the Network Access account to access task sequences stored on distribution points, the Network Access account is used only for accessing the content and not for running the task sequence. Task sequences run only in the context of the Local System account.
Unlike packages, task sequences can be advertised only to computers, not to users and groups.
When using boot images for operating system deployment, Configuration Manager 2007 uses Windows Preinstallation Environment (Windows PE), which is not a full operating system. While running Windows PE, the computer uses an automatically generated, random name and is not a member of any domain. Security restrictions might prevent the computer from accessing the distribution point during the Windows PE phase of the task sequence.
Advertisement Configuration | Sequence of accounts used to access distribution point shared folder – Windows PE | Sequence of accounts used to access distribution point shared folder – operating system |
---|---|---|
Optional |
|
|
Mandatory |
|
|
* When Configuration Manager tries to use the computername$ context to download the content and it fails, it automatically tries the Network Access account again, even if it has previously tried and failed.
Account and password creation
The administrator creates the account and password in the Active Directory Domain Services database and then configures Configuration Manager 2007 to use the account in the Configuration Manager 2007 console.
Important |
---|
The password for the network access account is limited to 38 characters or less. |
Account location
This account can be created in any domain that will provide the necessary access to resources. The Network Access account must always include a domain name. Pass-through security is not supported for this account. If there are multiple domains, create the account in a trusted domain.
Account maintenance
The Configuration Manager 2007 Administrator creates and maintains the account and password.
To avoid account lockouts, do not change the password on an existing Network Access account. You should create a new account and set Configuration Manager 2007 to use that account. When sufficient time has passed for all clients to have received the new account details, the old account should be removed from the network shared folders and deleted.
Security best practices
Do not grant this account interactive logon rights.
Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.
Avoid using the Client Network Access account because it is a common account and can be used to grant access to multiple packages, including packages not appropriate for all users. If you must use the account, due to roaming or workgroup environments, assign only the least possible permission and never assign domain admin rights.
As with all accounts, never use blank passwords. If you do not specify a password when you are configuring this account in Configuration Manager 2007 console, the account is not saved.
There is no need to add the Network Access Account as a Package Access Account because it is a member of Users and thus included by default. Also, restricting the ACLs of a package to only the Network Access Account does not prevent any client from accessing the package because Configuration Manager 2007 clients can request use of the Network Access Account when necessary. If you want to protect the package content from unauthorized users, add users or groups to the package access accounts instead of adding the Users group.