Add Support for MSA/gMSA for Standard Roles
I would like the ability to assign managed service accounts or group managed service accounts to the standard roles for SCCM (i.e. Network Access Account, Domain Join account, Client Push account, etc.) so that those accounts can be secured without the need for knowing or managing the password.
Nathan Ziehnert
shared this idea
3 comments
-
Sean League
commented
As we have a password policy that the password expires every 90-day. We should also use a non-interactive account to prevent someone from having domain admin privileges if the password becomes compromised.
Our 90-day password policy comes from the FBI, CJIS policy.
-
Gary Cook
commented
This is needed for pushing Software to Domain Controllers when a Microsoft recommended multi tier Security model is in place.
-
George Simos
commented
I have been requesting this feature and advocating about it before the release of System Center Configuration Manager 2012 when I was an MVP for the product (2009-2011).
It is the most secure way to provide administrative access to endpoints and servers because the msa/gmsa accounts cannot be compromised easily and most of all they have automatic password management. Sure there will be some kerberos work to be done from the admin part but I think that the outcome of a more secure SCCM environment is a great reward.