Topic last updated—May 2008

AMT user accounts control which users or groups can run management functions in the out of band management console in Microsoft System Center Configuration Manager 2007. When you configure the AMT user accounts, you are not supplying a set of credentials to be validated. Instead, you are creating something like an access control list (ACL) that specifies which AMT features are allowed for the specified Windows domain global security group or domain user. When the logged-on user attempts to perform an action, AMT uses Kerberos to authenticate the account and then, based on the AMT user account configuration, authorizes access to the feature.

The information in this topic applies only to Configuration Manager 2007 SP1 and later.

Required Rights and Permissions

Use the AMT User Account Setting dialog box to select the AMT features that are allowed for the specified AMT user account. For example, you can create a security group for tier one support that allows Hardware Information, General Information, and Remote Control, and a different security group for tier three support that allows PT Administration. These management activities are specific to AMT. For more information, see the manufacturer's documentation.

Account and Password Creation

The AMT user accounts or security groups are created and maintained by the Configuration Manager 2007 administrator. You can configure up to eight different entries.

Account Location

Because Kerberos authentication is used, the user accounts and security groups must exist in an Active Directory domain.

Account Maintenance

If you change the account in the Configuration Manager 2007 console, computers will not receive the change unless they are re-provisioned.

Security Best Practices

Use security groups instead of individual user accounts, and then manage access through the security groups.

Create role-based groups to permit access. For example, viewing hardware information is usually a lower-risk activity that carries a threat of information disclosure, while allowing media redirection could allow a user to boot from the network and then reformat the computer. Therefore, you might want to create a separate group for lower-risk activities.

Configure the AMT user accounts before provisioning the AMT-based computers. If you configure AMT user accounts after computers are provisioned for AMT, you must manually update the AMT memory for these computers so that they are reconfigured with the new settings.
