MPF Accounts
Microsoft® Provisioning Framework (MPF) has two user accounts: MPFServiceAcct and MPFClientAcct. For domain deployments, these accounts are installed in Microsoft® Active Directory®; for local installations, they are installed in Microsoft® Windows® as workgroup accounts.
MPFServiceAcct
MPFServiceAcct is the default account for provisioning servers. It has permissions to run provisioning engines, queue managers, and auditing and recovery managers.
When setting the password for MPFServiceAcct during setup, be aware that:
- If you ever change the password for the MPFServiceAcct, you will also be required to change the password for the Provisioning Engine COM+ application, Provisioning Queue Manager Service, and Provisioning Auditing and Recovery Service. If you do not do this, MPF will not function properly.
- Multiple forests with different provisioning engines should not use the same MPFServiceAcct password. If they do, MPF replicates objects across the forests. This is appropriate only if all domains use the same provisioning engine.
MPFServiceAcct is a member of the MPFServiceAccts and MPFTrustedUsers groups .
Whenever a request uses basic authentication, Kerberos delegation, and/or has a procedure with an "execute as" credential, these credentials take precedence over MPFServiceAcct. In MPF deployments that perform security checking outside of MPF, it may be desirable to grant privileges to MPFServiceAcct so it can perform actions on external services.
MPFClientAcct
MPFClientAcct is only used to submit SOAP requests to MPF via SOAP ISAPI. MPFClientAcct is a member of the MPFClientAccts group.
Notes:
- When setting the password for MPFClientAcct during setup, be aware that if you change the password for the MPFClientAcct, you will also be required to change the password for SOAP ISAPI.
- Accounts are created during MPF setup. If you have a setup failure, you must delete these accounts manually before re-attempting setup. The Readme.htm file on the MPF CD has the instructions for deleting MPF accounts and other recovery steps for terminated setups.
See Also
Top of Page
© 1999-2002 Microsoft Corporation. All rights reserved.