SCCM need to remove the network access account and replace with Use computer account of the configuration manager client

Question

Hello, I have been asked by security to remove the SCCM network access account. We use this account for task sequences and image deployment. I went to the software distribution component properties and unchecked the "specify the account that access network locations" and checked "Use the computer account of the configuration manager client" Then I tested our task sequences and image deployments, they failed. I reviewed logs and it is folder access issues. So I reviewed all the folder permissions that the network access account had access to and I added "Domain Computers" and "Authenticated Users" to those folders with read/execute. Will this fix the problem? I feel like I might be missing something else. Thanks.123.PNG

Answer 1

Weird... I thought if you had enabled Enhanced HTTP, one rarely needed the NAA

https://learn.microsoft.com/en-us/mem/configmgr/osd/plan-design/planning-considerations-for-automating-tasks#enhanced-http

Unless... are your TS' and Image deployments using "Access content directly from a distribution point "? instead of 'download...' ?

But I guess, yes, if you are trying to access content direct from a DP with a TS or Image deployment, you'll need to do what you did, on your DPs.

Answer 2

Accounts used in Configuration Manager lists the following actions that use the network access account:

• Multicast
• The task sequence option "Access content directly from a distribution point..."
• The Request State Store task sequence step. At a guess, this one is the most likely to catch people out.
• The Apply OS Image task sequence step if the "Access content directly from the distribution point" option is configured
• The Task Sequence "Run another program first" setting
• Clients in untrusted domains and cross-forest scenarios