Microsoft Provisioning Framework (MPF) creates five security groups: MPFAdmins, MPFAuditors, MPFServiceAccts, MPFClientAccts, and MPFTrustedUsers. For domain deployments, these groups are installed in Active Directory; for local installations, they are installed in the Windows operating system as workgroup accounts.
Table: MPF Security Groups

| Group | Description |
|---|---|
| MPFAdmins | Grants administrator permissions to update the configuration database. Any MPF administrator or user who updates this database using the Provisioning Manager must be added as a member of this group. |
| MPFAuditors | Grants read-only permissions to view data stored in the audit log. |
| MPFServiceAccts | Grants permissions that are required to run provisioning engines, queue managers, and auditing and recovery managers. By default, MPFServiceAcct is the only member of this group. Other members can be added, however, which might be preferable if MPF services must run under other accounts for security reasons. |
| MPFClientAccts | Grants permissions to submit Simple Object Access Protocol (SOAP) requests by using SOAP Internet Server Application Programming Interface (ISAPI). By default, MPFClientAcct is the only member of this group. Other members can be added, however, which might be preferable if front-end services sending MPF requests must run under other accounts for security reasons. The Windows registry caches client property settings so that MPF can continue processing while the configuration database is offline. For this reason, MPFClientAccts must be set up to read and write to the Client key. For more information on MPF registry keys, see Registry Keys. |
| MPFTrustedUsers | Grants permissions to submit trusted requests, or more precisely, to call the SubmitTrustedRequest methods of the IProvEngine and IProvQueue interfaces. |

It is usually safer and more efficient to manage security permissions by group rather than by individual account. For example, if you set up procedure execution permissions for a domain administrator, you might accidentally set up permissions for the computer's local administrator as well. Setting permissions by group helps prevent this type of problem.
Groups are created during MPF setup. If you have a setup failure, you must delete these accounts manually before attempting setup again.
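
The following script is an added example, not part of the MPF documentation. It inventories the five groups listed above, shows which ones exist (useful for finding leftovers after a failed setup), and lists members that differ from the two defaults the table names. The `-Domain` switch and the `Get-MpfGroupMembers` helper are hypothetical names, and the script assumes a host with the standard `Get-LocalGroup`/`Get-LocalGroupMember` cmdlets, or the ActiveDirectory module for domain deployments.

```powershell
# Added example: inventory the five MPF security groups and their members.
# Default members come from the table above; it names defaults for only two
# groups, so the other three are reported without a baseline.
param(
    [switch]$Domain   # assumption: set for Active Directory deployments
)

$expected = [ordered]@{
    MPFAdmins       = $null
    MPFAuditors     = $null
    MPFServiceAccts = @('MPFServiceAcct')
    MPFClientAccts  = @('MPFClientAcct')
    MPFTrustedUsers = $null
}

# Returns $null when the group does not exist, otherwise an array of account names.
function Get-MpfGroupMembers {
    param([string]$Group, [bool]$UseDomain)
    if ($UseDomain) {
        $g = Get-ADGroup -Filter "SamAccountName -eq '$Group'"
        if (-not $g) { return $null }
        return ,@(Get-ADGroupMember -Identity $g | ForEach-Object { $_.SamAccountName })
    }
    $g = Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue
    if (-not $g) { return $null }
    # Local member names look like COMPUTER\account; keep the account part.
    return ,@(Get-LocalGroupMember -Group $Group | ForEach-Object { ($_.Name -split '\\')[-1] })
}

$report = foreach ($name in $expected.Keys) {
    $members = Get-MpfGroupMembers -Group $name -UseDomain $Domain.IsPresent
    # Flag members beyond the documented default, where a default is known.
    $extra = if ($null -ne $members -and $null -ne $expected[$name]) {
        @($members | Where-Object { $_ -notin $expected[$name] })
    } else { @() }
    [pscustomobject]@{
        Group      = $name
        Exists     = $null -ne $members
        Members    = if ($members) { $members -join ', ' } else { '' }
        NonDefault = $extra -join ', '
    }
}
$report | Format-Table -AutoSize
```

Entries in the `NonDefault` column are items to review rather than errors, since the table notes that other members can be added to MPFServiceAccts and MPFClientAccts.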