This account is used to connect to computers and install the Microsoft System Center Configuration Manager 2007 client software if you deploy clients using Client Push Installation.
If the Client Push Installation account is not specified, the site server account is used to try to install the Configuration Manager 2007 client software.
Required Rights and Permissions
The Client Push Installation account must be in the local administrators built-in group on the computers where the Configuration Manager 2007 client software is to be installed.
This account does not require Domain Admin rights.
Account and Password Creation
The Client Push Installation account is not automatically created. The Configuration Manager 2007 administrator owns creation and management of one or more Client Push accounts. The administrator can create multiple Client Push Installation accounts or can use a single account across multiple sites.
This account can be created in the domain or local accounts database of every client computer.
The administrator changes the account or password in the operating system, and then configures Configuration Manager 2007 to use the new account or password.
The Client Configuration Manager checks for changes to the Client Push Installation account once every hour. Changes to this account do not become effective immediately.
To more effectively coordinate account updates in large Active Directory deployments, create a new account with a different name, and then add the new account to the list of accounts in the Client Push Installation properties. After allowing adequate time for Active Directory to replicate the new account, remove the old account from the Client Push Installation properties and Active Directory.
Security Best Practices
To mitigate the risk of the Client Push Installation account being compromised, use an alternative method of client installation like Software Update Point Client Installation, Group Policy-based installation, or imaging. If you must use Client Push Installation, never make the account a domain admin. Instead, create a global group and add that global group to the local administrators group on your client computers. For additional security, create multiple Client Push Installation accounts, each with administrative access to a limited number of computers so that if one account is compromised, only the client computers to which that account has access are compromised.
Do not grant this account the right to log on locally.
If the Client Push Installation account is a domain member, do not configure Client Push Installation or other methods that require the account until the account has had time to replicate throughout the domain.
Instead of adding the Client Push Installation account to Domain Admins, you can create a Group Policy object to add a Restricted Group setting to add the Client Push Installation account to the local Administrators group.