User accounts created by Microsoft Provisioning Framework
Microsoft Provisioning Framework (MPF) creates two user
accounts: the MPF service account (MPFServiceAcct) and the MPF
client account (MPFClientAcct). For domain deployments, these
accounts are installed in the Active Directory directory service.
For local installations, these accounts are installed in the
Windows operating system as work group accounts.
When you are setting the password for MPFServiceAcct during
setup, the following important conditions apply:
If you ever change the password for the MPFServiceAcct, you
will also be required to change the password for the provisioning
engine COM+ application, Provisioning Queue Manager service, and
Provisioning Auditing and Recovery service. If you do not do this,
MPF will not function properly. Multiple forests with different
provisioning engines should not use the same MPFServiceAcct
password. If they do, MPF replicates objects across the forests.
This is appropriate only if all domains use the same provisioning
MPFServiceAcct is a member of the MPFServiceAccts and
When a request uses basic authentication, Kerberos delegation,
or has a procedure with an "execute as" credential, these
credentials take precedence over MPFServiceAcct. In
MPF deployments that perform security checking outside of MPF, you
might find it useful to grant permissions to MPFServiceAcct so it
can perform actions on external services.