Topic last updated—May 2008
AMT user accounts control which Windows users or groups can run management functions in the out of band management console in Microsoft System Center Configuration Manager 2007. When you configure an AMT user account, you do not supply a set of credentials to be validated. Instead, you create something like an access control list (ACL) entry that specifies which AMT features a particular Windows domain global security group or domain user is allowed to use. When a logged-on user attempts an action, AMT authenticates that user with Kerberos and then, based on the AMT user account configuration, authorizes or denies access to the feature.
|The information in this topic applies only to Configuration Manager 2007 SP1 and later.|
Required Rights and Permissions
Use the AMT User Account Setting dialog box to select which AMT features are allowed for the specified AMT user account. For example, you can create a security group for tier one support that allows Hardware Information, General Information, and Remote Control, and a different security group for tier three support that allows PT Administration. These management activities are specific to AMT; for more information, see the manufacturer's documentation.
Account and Password Creation
The AMT user accounts or security groups are created and maintained by the Configuration Manager 2007 administrator. You can configure up to eight different entries.
Because Kerberos authentication is used, the user accounts and security groups must exist in an Active Directory domain.
If you change an AMT user account in the Configuration Manager 2007 console after computers have been provisioned, those computers do not receive the change unless they are re-provisioned.
Security Best Practices
Use security groups instead of individual user accounts, and then manage access through the security groups.
Create role-based groups to permit access. For example, viewing hardware information is usually a lower risk activity, where the main threat is information disclosure, whereas allowing media redirection could let a user boot the computer from the network and then reformat it. Therefore, you might want to create a separate group for the lower risk activities and keep the higher risk features in a group with fewer members.
Configure the AMT user accounts before you provision the AMT-based computers. If you configure AMT user accounts after computers are already provisioned for AMT, the new settings are not applied automatically; you must manually update the AMT memory on those computers so that they are reconfigured with the new settings.
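The following PowerShell script is an added example and is not part of the original topic or of Configuration Manager 2007 itself. It applies the first two recommendations above by creating two role-based domain global security groups with the Active Directory module (RSAT, Windows Server 2008 R2 or later), and then verifying that each group has the scope and category that an AMT user account entry requires, so that the names you type into the AMT User Account Setting dialog box resolve to valid groups. The OU path, the group names, and the member accounts are assumptions; the feature names in the descriptions are informational only, because the actual feature selection is made in the dialog box, not in Active Directory.

```powershell
# Added example: role-based AD groups for Configuration Manager 2007 AMT user accounts.
# Requires the ActiveDirectory module (RSAT). OU path, group names and members are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=AMT Roles,DC=contoso,DC=com'   # assumed OU; create it before running this script

# Roles mirror the tiered example in this topic (lower risk features separated from PT Administration).
$roles = @(
    @{ Name = 'AMT-Tier1-Support'
       Description = 'AMT: Hardware Information, General Information, Remote Control'
       Members = @('tier1.analyst') },      # assumed account
    @{ Name = 'AMT-Tier3-Support'
       Description = 'AMT: PT Administration'
       Members = @('tier3.engineer') }      # assumed account
)

foreach ($role in $roles) {
    # Configuration Manager requires a domain *global* *security* group, so set both explicitly.
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$($role.Name)'"
    if (-not $existing) {
        New-ADGroup -Name $role.Name -SamAccountName $role.Name `
                    -GroupScope Global -GroupCategory Security `
                    -Path $ou -Description $role.Description
    }
    # Manage access through group membership rather than by adding individual users to AMT.
    Add-ADGroupMember -Identity $role.Name -Members $role.Members
}

# Verification: a group that is not Global/Security cannot be used as an AMT user account entry,
# and Kerberos authentication requires that the group exist in the Active Directory domain.
function Test-AmtUserAccountGroup {
    param([Parameter(Mandatory)][string]$Name)
    $g = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if (-not $g) {
        return [pscustomobject]@{ Name = $Name; Scope = $null; Category = $null; Members = 0; Valid = $false }
    }
    [pscustomobject]@{
        Name     = $g.SamAccountName
        Scope    = $g.GroupScope
        Category = $g.GroupCategory
        Members  = (Get-ADGroupMember -Identity $g | Measure-Object).Count
        Valid    = ($g.GroupScope -eq 'Global' -and $g.GroupCategory -eq 'Security')
    }
}

$results = $roles | ForEach-Object { Test-AmtUserAccountGroup -Name $_.Name }
$results | Format-Table -AutoSize

# AMT user accounts allow at most eight entries, so keep the number of role groups small.
if (@($results).Count -gt 8) {
    Write-Warning 'More than eight groups defined; Configuration Manager 2007 allows only eight AMT user account entries.'
}
```

Run the script once before provisioning the AMT-based computers, then enter each group name in the AMT User Account Setting dialog box and select the allowed features there. Later changes to who may use a feature are then made by changing group membership in Active Directory, which does not require re-provisioning; only changes to the AMT user account entries themselves require updating the AMT memory on already provisioned computers.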