Topic last updated—March 2008
The Task Sequence Run As Account is used by Microsoft System Center Configuration Manager 2007 to run command lines in task sequences with credentials other than the local system account. This account is required if you add the step Run Command Line to a task sequence but do not want the task sequence to run with Local System account permissions on the managed computer.
|The information in this topic applies only to Configuration Manager 2007 R2 and Configuration Manager 2007 R3.|
The account must have the minimum permissions to run the command line specified in the task sequence. The account requires interactive login rights, and it usually requires the ability to install software and access network resources.
Account and Password Creation
The Configuration Manager 2007 administrator creates the account and manages the password.
The account can be a local or domain account, as long as it has the necessary permissions to run the command line.
The Configuration Manager 2007 administrator performs all necessary account maintenance. If the account is modified or the password is changed in the account database, the account properties must also be modified in the Task Sequence Editor.
If the administrator changes the password for the account and updates the task sequence with the new password, the client will pick up the new password on the next policy refresh.
Security Best Practices
Use an account with the least possible permissions.
Do not use the Network Access account for this account.
Never make the account a domain administrator.
Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, leaving it vulnerable to access on the local computer.
Limit the scope of the account. For example, create different Task Sequence Run As accounts for each task sequence so that if one account is compromised, only the client computers to which that account has access are compromised.
If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As account on all computers that will run the task sequence, and delete the account as soon as it is no longer needed.