Topic last updated—March 2008

The Client Status Reporting Service Account provides the security context to run the Configuration Manager Client Status Reporting account. In Microsoft System Center Configuration Manager 2007, the Configuration Manager Client Status Reporting account performs the following functions:

Note
The information in this topic applies only to Configuration Manager 2007 R2 and Configuration Manager 2007 R3.

You can use either the local system account, or you can configure a user account.

Required Rights and Permissions

The client status reporting service account requires the following rights and permissions:

  • Local administrative rights on the client status reporting host system.

  • Logon as a service rights on the client status reporting host system.

  • Membership in the smsdbrole_CH role in the site database.

  • Read permissions to the share on the management point containing the policy request log files. For more information, see the topic How to Configure Policy Request Logging on Management Points in the client status reporting documentation.

Account and Password Creation

The administrator creates the account and password, and then configures it in the Configuration Manager 2007 Client Status Reporting console. For more information, see the topic "How to Configure the Client Status Reporting Service Account" in the help; for the Configuration Manager 2007 Client Status Reporting console.

Account Location

The account can be created anywhere that it has the required rights and permissions.

Account Maintenance

The administrator performs all account and password maintenance. If you modify the account in the account database, you must also update the configuration in the Configuration Manager 2007 Client Status Reporting console.

Security Best Practices

Creating a user account with limited rights is more secure than using the Local System account. Create a user account with the required rights but remove the log on locally right from the account.

You have two options for configuring policy request logging. Granting the Client Status Reporting Service Account administrator rights on the management point is not recommended. While it introduces more configuration overhead, the more secure method is to manually enable policy logging on the management point and manually configure the log folder so that the Client Status Reporting Service Account has read access.

Do not assign any additional rights or permissions to this account, or use this account for anything except running the service on one or more client status reporting host systems.

See Also