The following accounts are used with Configuration Manager 2007 Network Access Protection (NAP) and might need to be configured if your Configuration Manager hierarchy spans more than one Active Directory forest:

Account Purpose Default Configuration

System Health Validator Installation Account

Installing the System Health Validator as a Configuration Manager site role.

Computer account of the site server.

Select the option Use another account for installing this site system either during the New Site System Server Wizard or by modifying the properties of an existing site server.

Health state reference publishing account

Writing the health state reference to Active Directory when a Configuration Manager NAP policy is created or modified.

Site server computer account.

Health state reference publishing account in Site Settings, Component Configuration, System Health Point Component, Properties, Health State Reference tab.

Health state reference querying account

Periodically retrieving the health state references from Active Directory.

System Health Validator point computer account.

Health state reference querying account in Site Settings, Component Configuration, System Health Point Component, Properties, Health State Reference tab.

Important
Using the default setting of a computer account is more secure than configuring the use of a Microsoft Windows user account because the password is automatically generated and renewed. You should therefore use the default settings when the site server and System Health Validator points are in the same forest and where a trust exists. If you have multiple System Health Validator points in a single Configuration Manager site and you cannot use the computer account to retrieve the health state references, they must share the same Windows user account and any auditing should include the computer source to distinguish authorization attempts between one server and another.

See Also