Accounts used in Configuration Manager

Applies to: Configuration Manager (current branch)

Use the following information to identify the Windows groups, accounts, and SQL objects that are used in Configuration Manager, how they are used, and any requirements.

Windows groups that Configuration Manager creates and uses

Configuration Manager automatically creates, and in many cases automatically maintains, the following Windows groups:

Note

When Configuration Manager creates a group on a computer that's a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group. This type of group is shared among all domain controllers in the domain.

Configuration Manager_CollectedFilesAccess

Configuration Manager uses this group to grant access to view files collected by software inventory.

For more information, see Introduction to software inventory.

Type and location

This group is a local security group created on the primary site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role.

Permissions

By default, this group has Read permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\sinv.box\FileCol

Configuration Manager_DViewAccess

This group is a local security group that Configuration Manager creates on the site database server or database replica server for a child primary site. The site creates it when you use distributed views for database replication between sites in a hierarchy. It contains the site server and SQL Server computer accounts of the central administration site.

For more information, see Data transfers between sites.

Configuration Manager Remote Control Users

Configuration Manager remote tools use this group to store the accounts and groups that you set up in the Permitted Viewers list. The site assigns this list to each client.

For more information, see Introduction to remote control.

Type and location

This group is a local security group created on the Configuration Manager client when the client receives a policy that enables remote tools.

After you disable remote tools for a client, this group isn't automatically removed. Manually delete it after disabling remote tools.

Membership

By default, there are no members in this group. When you add users to the Permitted Viewers list, they're automatically added to this group.

Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups directly to this group.

In addition to being a permitted viewer, an administrative user must have the Remote Control permission to the Collection object. Assign this permission by using the Remote Tools Operator security role.

Permissions

By default, this group doesn't have permissions to any locations on the computer. It's used only to hold the Permitted Viewers list.

SMS Admins

Configuration Manager uses this group to grant access to the SMS Provider through WMI. Access to the SMS Provider is required to view and change objects in the Configuration Manager console.

Note

The role-based administration configuration of an administrative user determines which objects they can view and manage when using the Configuration Manager console.

For more information, see Plan for the SMS Provider.

Type and location

This group is a local security group created on each computer that has an SMS Provider.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site.

Permissions

You can view the rights and permissions for the SMS Admins group in the WMI Control MMC snap-in. By default, this group is granted Enable Account and Remote Enable on the Root\SMS WMI namespace. Authenticated users have Execute Methods, Provider Write, and Enable Account.

When you use a remote Configuration Manager console, configure Remote Activation DCOM permissions on both the site server computer and the SMS Provider. Grant these rights to the SMS Admins group. This action simplifies administration instead of granting these rights directly to users or groups. For more information, see Configure DCOM permissions for remote Configuration Manager consoles.

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>

Management points that are remote from the site server use this group to connect to the site database. This group provides a management point access to the inbox folders on the site server and the site database.

Type and location

This group is a local security group created on each computer that has an SMS Provider.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer accounts of remote computers that have a management point for the site.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group has the additional permission of Write to subfolders below inboxes, to which the management point writes client data.

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>

Remote SMS Provider computers use this group to connect to the site server.

Type and location

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or a domain user account. It uses this account to connect to the site server from each remote SMS Provider.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group has the additional permissions of Write and Modify to subfolders below the inboxes. The SMS Provider requires access to these folders.

This group also has Read permission to the subfolders on the site server below C:\Program Files\Microsoft Configuration Manager\OSD\Bin.

It also has the following permissions to the subfolders below C:\Program Files\Microsoft Configuration Manager\OSD\boot:

  • Read
  • Read & execute
  • List folder contents
  • Write
  • Modify

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>

The file dispatch manager component on Configuration Manager remote site system computers uses this group to connect to the site server.

Type and location

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account. It uses this account to connect to the site server from each remote site system that runs the file dispatch manager.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder and its subfolders on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes.

This group has the additional permissions of Write and Modify to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box.

SMS_SiteToSiteConnection_<sitecode>

Configuration Manager uses this group to enable file-based replication between sites in a hierarchy. For each remote site that directly transfers files to this site, this group has accounts set up as a File Replication Account.

Type and location

This group is a local security group created on the site server.

Membership

When you install a new site as a child of another site, Configuration Manager automatically adds the computer account of the new site server to this group on the parent site server. Configuration Manager also adds the parent site's computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Permissions

By default, this group has Full control to the following folder: C:\Program Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive.
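The following PowerShell script is an added example, not code from the Configuration Manager documentation. It audits the site-server groups described above: it lists each group's current members (which Configuration Manager maintains, so unexpected entries are worth a look) and compares the NTFS rights on the documented inbox folders with the defaults the page states. It assumes an elevated session on the site server, the default installation directory, and a placeholder site code of PS1; the groups with no folder permissions (DViewAccess and Remote Control Users) are not covered.

```powershell
# Added example (not from the Configuration Manager documentation): audit the local groups
# that Configuration Manager creates on a site server against the documented defaults.
# Assumptions: run elevated on the site server; 'PS1' is a placeholder site code; the
# installation directory is the default C:\Program Files\Microsoft Configuration Manager.
param(
    [string]$SiteCode   = 'PS1',   # placeholder: replace with your own site code
    [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager'
)

# Documented group -> folder on the site server and the minimum rights the page says it holds.
$expected = [ordered]@{
    'Configuration Manager_CollectedFilesAccess' = @{
        Path = Join-Path $InstallDir 'sinv.box\FileCol'; Rights = 'Read'
    }
    "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode" = @{
        Path = Join-Path $InstallDir 'inboxes'; Rights = 'ReadAndExecute'   # Read, Read & execute, List folder contents
    }
    "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode" = @{
        Path = Join-Path $InstallDir 'inboxes'; Rights = 'ReadAndExecute'
    }
    "SMS_SiteSystemToSiteServerConnection_Stat_$SiteCode" = @{
        Path = Join-Path $InstallDir 'inboxes\statmgr.box'; Rights = 'Modify'      # Write and Modify
    }
    "SMS_SiteToSiteConnection_$SiteCode" = @{
        Path = Join-Path $InstallDir 'inboxes\despoolr.box\receive'; Rights = 'FullControl'
    }
}

foreach ($groupName in $expected.Keys) {
    $group = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Output "[missing] $groupName"
        continue
    }

    # Membership is managed by Configuration Manager; review anything you don't recognise.
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }
    Write-Output "[group] $groupName members: $($members -join ', ')"

    $path = $expected[$groupName].Path
    if (-not (Test-Path -Path $path)) {
        Write-Output "  [skip] $path does not exist"
        continue
    }

    # Combine every Allow ACE for this group and check it covers the documented rights.
    $wanted  = [System.Security.AccessControl.FileSystemRights]$expected[$groupName].Rights
    $granted = [System.Security.AccessControl.FileSystemRights]0
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -like "*\$groupName") {
            $granted = $granted -bor $ace.FileSystemRights
        }
    }

    if (($granted -band $wanted) -eq $wanted) {
        Write-Output "  [ok] $path grants $granted"
    } else {
        Write-Output "  [check] $path grants '$granted', expected at least '$wanted'"
    }
}
```

Rights that exceed the documented minimum are reported as granted, so read the [ok] lines as well as the [check] lines when reviewing the output.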

Accounts that Configuration Manager uses

You can set up the following accounts for Configuration Manager.

Tip

Don't use the percentage character (%) in the password for accounts that you specify in the Configuration Manager console. The account will fail to authenticate.

Active Directory group discovery account

The site uses the Active Directory group discovery account to discover the following objects from the locations in Active Directory Domain Services that you specify:

  • Local, global, and universal security groups
  • The membership within these groups
  • The membership within distribution groups
    • Distribution groups aren't discovered as group resources

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory group discovery.

Active Directory system discovery account

The site uses the Active Directory system discovery account to discover computers from the locations in Active Directory Domain Services that you specify.

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory system discovery.

Active Directory user discovery account

The site uses the Active Directory user discovery account to discover user accounts from the locations in Active Directory Domain Services that you specify.

This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory user discovery.

Active Directory forest account

The site uses the Active Directory forest account to discover network infrastructure from Active Directory forests. Central administration sites and primary sites also use it to publish site data to Active Directory Domain Services for a forest.

Note

Secondary sites always use the secondary site server computer account to publish to Active Directory.

To discover and publish to untrusted forests, the Active Directory forest account must be a global account. If you don't use the computer account of the site server, you can select only a global account.

This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure.

This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data. For more information, see Prepare Active Directory for site publishing.

For more information, see Active Directory forest discovery.

Certificate registration point account

The certificate registration point uses the Certificate registration point account to connect to the Configuration Manager database. It uses its computer account by default, but you can configure a user account instead. When the certificate registration point is in an untrusted domain from the site server, you must specify a user account. This account requires only Read access to the site database, because the state message system handles write tasks.

For more information, see Introduction to certificate profiles.

Capture OS image account

When you capture an OS image, Configuration Manager uses the Capture OS image account to access the folder where you store captured images. If you add the Capture OS Image step to a task sequence, this account is required.

The account must have Read and Write permissions on the network share where you store captured images.

If you change the password for the account in Windows, update the task sequence with the new password. The Configuration Manager client receives the new password when it next downloads the client policy.

If you need to use this account, create one domain user account. Grant it minimal permissions to access the required network resources, and use it for all capture task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

For more information, see Create a task sequence to capture an OS.

Client push installation account

When you deploy clients by using the client push installation method, the site uses the Client push installation account to connect to computers and install the Configuration Manager client software. If you don't specify this account, the site server tries to use its computer account.

This account must be a member of the local Administrators group on the target client computers. This account doesn't require Domain Admin rights.

You can specify more than one client push installation account. Configuration Manager tries each one in turn until one succeeds.

Tip

If you have a large Active Directory environment and need to change this account, use the following process to more effectively coordinate this account update:

  1. Create a new account with a different name
  2. Add the new account to the list of client push installation accounts in Configuration Manager
  3. Allow sufficient time for Active Directory Domain Services to replicate the new account
  4. Then remove the old account from Configuration Manager and Active Directory Domain Services

Important

Don't grant this account the right to sign in locally.

For more information, see Client push installation.

Enrollment point connection account

The enrollment point uses the Enrollment point connection account to connect to the Configuration Manager site database. It uses its computer account by default, but you can configure a user account instead. When the enrollment point is in an untrusted domain from the site server, you must specify a user account. This account requires Read and Write access to the site database.

For more information, see Install site system roles for on-premises MDM.

Exchange Server connection account

The site server uses the Exchange Server connection account to connect to the specified Exchange Server. It uses this connection to find and manage mobile devices that connect to Exchange Server. This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more information about the cmdlets, see Install and configure the Exchange connector.

Management point connection account

The management point uses the Management point connection account to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account.

Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server.

Important

Don't grant interactive sign-in rights to this account.

Multicast connection account

Multicast-enabled distribution points use the Multicast connection account to read information from the site database. The server uses its computer account by default, but you can configure a user account instead. When the site database is in an untrusted forest, you must specify a user account. For example, if your data center has a perimeter network in a forest other than the site server and site database, use this account to read the multicast information from the site database.

If you need this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server.

Important

Don't grant interactive sign-in rights to this account.

For more information, see Use multicast to deploy Windows over the network.

Network access account

Client computers use the network access account when they can't use their local computer account to access content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account on the domain.

Important

The network access account is never used as the security context to run programs, install software updates, or run task sequences. It's used only for accessing resources on the network.

A Configuration Manager client first tries to use its computer account to download the content. If it fails, it then automatically tries the network access account.

If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Azure AD-joined client can securely access content from distribution points without the need for a network access account. This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Client to management point communication.

Note

If you enable Enhanced HTTP to not require the network access account, the distribution point needs to be running Windows Server 2012 or later.

Upgrade clients to at least version 1806 before enabling this functionality. If you only allow Enhanced HTTP connections, older clients can't authenticate using this method, so they can't download the client upgrade package from a distribution point.

Permissions

Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point. You can configure up to 10 network access accounts per site.

Create the account in any domain that provides the necessary access to resources. The network access account must always include a domain name. Pass-through security isn't supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain.

Tip

To avoid account lockouts, don't change the password on an existing network access account. Instead, create a new account and set up the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account.

Important

Don't grant interactive sign-in rights to this account.

Don't grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task sequence domain join account.
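Several of the accounts above (capture OS image, client push installation, management point connection, multicast connection, and network access) must not hold interactive sign-in rights. The following PowerShell script is an added example, not code from the Configuration Manager documentation: it exports the local user-rights assignments with secedit and reports whether any of the listed accounts is granted an interactive logon right directly. The account names are placeholders for your own accounts, and the check assumes an elevated session on the server being reviewed.

```powershell
# Added example (not from the Configuration Manager documentation): report whether the
# service accounts the page says must not sign in interactively hold those rights directly.
# Assumptions: run elevated on the server being checked; the account names are placeholders.
$accountsToCheck = @(
    'CONTOSO\svc-cm-naa',         # placeholder: network access account
    'CONTOSO\svc-cm-clientpush',  # placeholder: client push installation account
    'CONTOSO\svc-cm-capture',     # placeholder: capture OS image account
    'svc-cm-mpconn'               # placeholder: local low-rights management point connection account
)

# Interactive logon rights the page warns against granting to these accounts.
$rightsOfInterest = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight')

function Get-UserRightsAssignments {
    # secedit exports the effective local policy as an INI-style file; read [Privilege Rights].
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $inPrivileges = $false
        $result = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') {
                $inPrivileges = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inPrivileges -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
            # Values are comma-separated; SIDs carry a leading '*', names appear as-is.
            $result[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
        return $result
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-AccountSid([string]$account) {
    try {
        ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

$assignments = Get-UserRightsAssignments
foreach ($account in $accountsToCheck) {
    $sid = Resolve-AccountSid $account
    if (-not $sid) {
        Write-Output "[unresolved] $account"
        continue
    }
    foreach ($right in $rightsOfInterest) {
        $holders = @($assignments[$right])
        # Direct assignment only: a right inherited through a group that holds it (for example
        # the local Users group) is not detected here and needs a separate membership review.
        if ($holders -contains $sid -or $holders -contains $account) {
            Write-Output "[finding] $account holds $right directly"
        } else {
            Write-Output "[ok] $account does not hold $right directly"
        }
    }
}
```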

配置网络访问帐户Configure the network access account

  1. 在 Configuration Manager 控制台中,转到“管理”工作区,展开“站点配置”,然后选择“站点”节点。In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. 然后选择站点。Then select the site.

  2. 在功能区的“设置”组中,选择“配置站点组件”,再选择“软件分发” 。On the Settings group of the ribbon, select Configure Site Components, and choose Software Distribution.

  3. 选择“网络访问帐户”选项卡。设置一个或多个帐户,然后选择“确定”。Choose the Network access account tab. Set up one or more accounts, and then choose OK.

包访问帐户Package access account

利用“包访问帐户”,可以设置 NTFS 权限,该权限用于指定可以访问分发点上的包内容的用户和用户组。A Package access account lets you set NTFS permissions to specify the users and user groups that can access package content on distribution points. 默认情况下,Configuration Manager 仅向通用访问帐户“用户”和“管理员”授予访问权限 。By default, Configuration Manager grants access only to the generic access accounts User and Administrator. 可以通过使用其他的 Windows 帐户或组来控制客户端计算机的访问权限。You can control access for client computers by using additional Windows accounts or groups. 移动设备始终会匿名检索包内容,所以这些设备不使用包访问帐户。Mobile devices always retrieve package content anonymously, so they don't use a package access account.

默认情况下,当 Configuration Manager 将内容文件复制到分发点时,它会授予对本地“用户”组的“读取”权限以及对本地“管理”组的“完全控制”权限 。By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to the local Users group, and Full Control to the local Administrators group. 所需的实际权限取决于包。The actual permissions required depend on the package. 如果你的客户端在工作组或不受信任的林中,则那些客户端会使用网络访问帐户访问包内容。If you have clients in workgroups or in untrusted forests, those clients use the network access account to access the package content. 请使用定义的包访问帐户来确保网络访问帐户具有对包的权限。Make sure that the network access account has permissions to the package by using the defined package access accounts.

在域中使用可以访问分发点的帐户。Use accounts in a domain that can access the distribution points. 如果在创建包之后创建或修改帐户,则必须重新分发包。If you create or modify the account after you create the package, you must redistribute the package. 更新包不会更改对包的 NTFS 权限。Updating the package doesn't change the NTFS permissions on the package.

不必将网络访问帐户添加为包访问帐户,因为“用户”组的成员身份会自动添加它。You don't have to add the network access account as a package access account, because membership of the Users group adds it automatically. 将包访问帐户限制为网络访问帐户不会阻止客户端访问包。Restricting the package access account to only the network access account doesn't prevent clients from accessing the package.

管理包访问帐户Manage package access accounts

  1. 在 Configuration Manager 控制台中,选择“软件库”。In the Configuration Manager console, choose Software Library.

  2. 在“软件库”工作区中,确定要为其管理访问帐户的内容的类型,并按以下提供的步骤进行操作:In the Software Library workspace, determine the type of content for which you want to manage access accounts, and follow the steps provided:

    • 应用程序:展开“应用程序管理”,选择“应用程序”,然后选择要为其管理访问帐户的应用程序 。Application: Expand Application Management, choose Applications, and then select the application for which to manage access accounts.

    • :展开“应用程序管理”,选择“包”,然后选择要为其管理访问帐户的包 。Package: Expand Application Management, choose Packages, and then select the package for which to manage access accounts.

    • 软件更新部署包:展开“软件更新”,选择“部署包”,然后选择要为其管理访问帐户的部署包 。Software update deployment package: Expand Software Updates, choose Deployment Packages, and then select the deployment package for which to manage access accounts.

    • 驱动程序包:展开“操作系统”,选择“驱动程序包”,然后选择要为其管理访问帐户的驱动程序包 。Driver package: Expand Operating Systems, choose Driver Packages, and then select the driver package for which to manage access accounts.

    • OS 映像:展开“操作系统”,选择“操作系统映像”,然后选择要为其管理访问帐户的操作系统映像 。OS image: Expand Operating Systems, choose Operating System Images, and then select the operating system image for which to manage access accounts.

    • OS 升级包:展开“操作系统”,选择“操作系统升级包”,然后选择要为其管理访问帐户的操作系统升级包 。OS upgrade package: Expand Operating Systems, choose Operating system upgrade packages, and then select the OS upgrade package for which to manage access accounts.

    • 启动映像:展开“操作系统”,选择“启动映像”,然后选择要为其管理访问帐户的启动映像 。Boot image: Expand Operating Systems, choose Boot Images, and then select the boot image for which to manage access accounts.

  3. 右键单击所选对象,然后选择“管理访问帐户”。Right-click the selected object, and then choose Manage Access Accounts.

  4. 在“添加帐户” 对话框中,指定将为其授予内容访问权限的帐户类型,然后指定与帐户关联的访问权限。In the Add Account dialog box, specify the account type that will be granted access to the content, and then specify the access rights associated with the account.

    备注

    为帐户添加用户名且 Configuration Manager 发现具有该名称的本地用户帐户和域用户帐户时,Configuration Manager 将为域用户帐户设置访问权限。When you add a user name for the account, and Configuration Manager finds both a local user account and a domain user account with that name, Configuration Manager sets access rights for the domain user account.

Reporting services point account

SQL Server Reporting Services uses the Reporting services point account to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Note

The account you specify must have the Log on locally right on the computer that hosts the SQL Server Reporting Services database.

Note

The account is automatically granted all necessary rights by being added to the smsschm_users SQL database role on the Configuration Manager database.

For more information, see Introduction to reporting.

Remote tools permitted viewer accounts

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

For more information, see Introduction to remote control.

Site installation account

Use a domain user account to sign in to the server where you run Configuration Manager setup and install a new site.

This account requires the following rights:

  • Administrator on the following servers:

    • The site server
    • Each server that hosts the site database
    • Each instance of the SMS Provider for the site
  • Sysadmin on the instance of SQL Server that hosts the site database

Configuration Manager setup automatically adds this account to the SMS Admins group.

After installation, this account is the only user with rights to the Configuration Manager console. If you need to remove this account, first grant its rights to another user.

When expanding a standalone site to include a central administration site, this account requires either Full Administrator or Infrastructure Administrator role-based administration rights at the standalone primary site.

Site system installation account

The site server uses the Site system installation account to install, reinstall, uninstall, and set up site systems. If you set up the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system after it installs the site system and any roles. Each site system can have a different installation account, but you can set up only one installation account to manage all roles on that site system.

This account requires local administrative permissions on the target site systems. Additionally, this account must have the Access this computer from the network user right in the security policy on the target site systems.

Tip

If you have many domain controllers and these accounts are used across domains, before you set up the site system, check that Active Directory has replicated these accounts.

When you specify a local account on each site system to be managed, this configuration is more secure than using a domain account. It limits the damage that attackers can do if the account is compromised: a compromised local account gives access to one site system, whereas a shared domain account gives access to every site system it manages. However, domain accounts are easier to manage. Consider the trade-off between security and effective administration.
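A pre-flight check for the rights listed in the two sections above (Site installation account and Site system installation account), as an added example that is not part of the original page. It verifies local Administrators membership on the target servers, the Access this computer from the network user right, and sysadmin on the site database instance. The accounts CONTOSO\svc-cm-setup and CONTOSO\svc-cm-sysinst, the servers CM01, SQL01 and DP01, and the instance name are placeholders; it assumes PowerShell remoting to the targets and the SqlServer module (Invoke-Sqlcmd) on the machine that runs it.

```powershell
# Added example, not from the original page. Pre-flight check of the rights the
# two installation accounts need: local Administrators membership on the target
# servers, the "Access this computer from the network" user right (site system
# installation account), and sysadmin on the site database instance (site
# installation account). Placeholders: CONTOSO\svc-cm-setup, CONTOSO\svc-cm-sysinst,
# servers CM01 / SQL01 / DP01. Needs PowerShell remoting to the targets and the
# SqlServer module (Invoke-Sqlcmd) on the machine running it.

function Test-LocalAdmin {
    param([string]$Computer, [string]$Account)
    # Direct members only: a nested domain group would not show here, so False
    # means "not granted directly", not "definitely not an administrator".
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($acct)
        @(Get-LocalGroupMember -Group 'Administrators').Name -contains $acct
    } -ArgumentList $Account
}

function Test-NetworkLogonRight {
    param([string]$Computer, [string]$Account)
    # Export the local security policy on the target and look for the account's
    # SID in SeNetworkLogonRight. The default grants Everyone / Authenticated
    # Users, so the right is normally held through a group; an explicit deny
    # (SeDenyNetworkLogonRight) overrides any grant and is checked as well.
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($acct)
        $nt  = New-Object System.Security.Principal.NTAccount($acct)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $cfg = Join-Path $env:TEMP 'urights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $policy = Get-Content $cfg
        Remove-Item $cfg -Force
        $allow = ($policy | Where-Object { $_ -match '^SeNetworkLogonRight' }) -join ''
        $deny  = ($policy | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }) -join ''
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            GrantedExplicitly = [bool]($allow -match [regex]::Escape($sid))
            GrantedViaDefault = [bool]($allow -match '\*S-1-1-0|\*S-1-5-11')
            Denied            = [bool]($deny  -match [regex]::Escape($sid))
        }
    } -ArgumentList $Account
}

function Test-SqlSysadmin {
    param([string]$Instance, [string]$Login)
    # Two-argument IS_SRVROLEMEMBER checks a named login; NULL means SQL Server
    # could not resolve that login at all.
    $q = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login') AS IsSysadmin;"
    $r = Invoke-Sqlcmd -ServerInstance $Instance -Query $q
    if ($r.IsSysadmin -is [System.DBNull]) { return 'login not found' }
    return ($r.IsSysadmin -eq 1)
}

$setupAccount   = 'CONTOSO\svc-cm-setup'     # site installation account
$sysInstAccount = 'CONTOSO\svc-cm-sysinst'   # site system installation account

foreach ($srv in 'CM01', 'SQL01') {
    '{0}: {1} local admin = {2}' -f $srv, $setupAccount, (Test-LocalAdmin $srv $setupAccount)
}
'SQL01: {0} sysadmin = {1}' -f $setupAccount, (Test-SqlSysadmin 'SQL01' $setupAccount)

'DP01: {0} local admin = {1}' -f $sysInstAccount, (Test-LocalAdmin 'DP01' $sysInstAccount)
Test-NetworkLogonRight 'DP01' $sysInstAccount
```

Run it before setup rather than after a failed install: a missing network-logon right on a distribution point shows up in this output as Denied or as neither grant flag set, which is far quicker to read than the site component status messages.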

Site system proxy server account

The following site system roles use the Site system proxy server account to access the internet via a proxy server or firewall that requires authenticated access:

  • Asset Intelligence synchronization point
  • Exchange Server connector
  • Service connection point
  • Software update point

Important

Specify an account that has the least possible permissions for the required proxy server or firewall.

For more information, see Proxy server support.

SMTP server connection account

The site server uses the SMTP server connection account to send email alerts when the SMTP server requires authenticated access.

Important

Specify an account that has the least possible permissions to send emails.

For more information, see Use alerts and the status system.

Software update point connection account

The site server uses the Software update point connection account for the following two software update services:

  • Windows Server Update Services (WSUS), to configure settings like product definitions, classifications, and upstream settings.

  • WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update.

The site system installation account can install components for software updates, but it can't perform software update-specific functions on the software update point. If you can't use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the site system installation account.

This account must be a local administrator on the computer where you install WSUS. It must also be a member of the local WSUS Administrators group.

For more information, see Plan for software updates.

Source site account

The migration process uses the Source site account to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs.

If you have Configuration Manager 2007 distribution points or secondary sites with colocated distribution points, when you upgrade them to Configuration Manager (current branch) distribution points, this account must also have Delete permissions to the Site class. This permission is needed to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade.

Note

Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.

Source site database account

The migration process uses the Source site database account to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the source site database account must have the Read and Execute permissions to the source site's SQL Server database.

If you use the Configuration Manager (current branch) computer account, make sure that all of the following are true for this account:

  • It's a member of the Distributed COM Users security group in the same domain as the Configuration Manager 2007 site
  • It's a member of the SMS Admins security group
  • It has the Read permission to all Configuration Manager 2007 objects

Note

Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.

Task sequence domain join account

Windows Setup uses the Task sequence domain join account to join a newly imaged computer to a domain. This account is required by the Join Domain or Workgroup task sequence step with the Join a domain option. This account can also be set up with the Apply Network Settings step, but it isn't required there.

This account requires the Domain Join right in the target domain.

Tip

Create one domain user account with the minimal permissions to join the domain, and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence network folder connection account

The task sequence engine uses the Task sequence network folder connection account to connect to a shared folder on the network. This account is required by the Connect to Network Folder task sequence step.

This account requires permissions to access the specified shared folder. It must be a domain user account.

Tip

Create one domain user account with minimal permissions to access the required network resources, and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence run as account

The task sequence engine uses the Task sequence run as account to run command lines or PowerShell scripts with credentials other than the Local System account. This account is required by the Run Command Line and Run PowerShell Script task sequence steps when the option Run this step as the following account is chosen.

Set up the account to have the minimum permissions required to run the command line that you specify in the task sequence. The account requires interactive sign-in rights. It usually requires the ability to install software and access network resources. For the Run PowerShell Script step, this account requires local administrator permissions.

Important

Don't use the network access account for this account.

Never make the account a domain admin.

Never set up roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the account. This leaves the profile exposed to access on the local computer.

Limit the scope of the account. For example, create a different task sequence run as account for each task sequence. Then if one account is compromised, only the client computers to which that account has access are compromised.

If the command line requires administrative access on the computer, consider creating a local administrator account solely for this purpose on all computers that run the task sequence. Delete the account once you no longer need it.
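An audit of a task sequence account against the three task sequence account sections above (domain join, network folder connection, run as), as an added example that is not part of the original page. It checks that the account is not, directly or through nested groups, a member of a privileged domain group and that it has no roaming profile path. The account name svc-ts-runas and the list of privileged groups are placeholders; it assumes the ActiveDirectory module from RSAT.

```powershell
# Added example, not from the original page. Audits a task sequence account
# against the guidance above: no privileged domain group membership (including
# through nesting) and no roaming profile path. Placeholder account: svc-ts-runas.
# Requires the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

function Test-TaskSequenceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties ProfilePath

    # Escape the DN for use inside an LDAP filter (RFC 4515): backslash first,
    # then the other metacharacters.
    $dn = $user.DistinguishedName `
        -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership on the domain
    # controller, so an account that is Domain Admin only through an
    # intermediate group is still reported.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Select-Object -ExpandProperty SamAccountName

    # Placeholder list; extend with any tier-0 groups your domain defines.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'

    [pscustomobject]@{
        Account           = $user.SamAccountName
        PrivilegedGroups  = @($groups | Where-Object { $privileged -contains $_ })
        HasRoamingProfile = -not [string]::IsNullOrEmpty($user.ProfilePath)
        AllGroups         = @($groups)
    }
}

$r = Test-TaskSequenceAccount -SamAccountName 'svc-ts-runas'
$r | Format-List

if ($r.PrivilegedGroups.Count -gt 0) {
    Write-Warning ('{0} is in privileged group(s): {1}' -f $r.Account, ($r.PrivilegedGroups -join ', '))
}
if ($r.HasRoamingProfile) {
    Write-Warning ('{0} has a roaming profile path; it would be downloaded to every client that runs the task sequence.' -f $r.Account)
}
```

Interactive sign-in rights are a local policy on each client rather than an attribute of the account, so they are not visible from this query; check SeInteractiveLogonRight and SeDenyInteractiveLogonRight on a representative client with the same secedit export used in the installation account check earlier on this page.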

User objects that Configuration Manager uses in SQL

Configuration Manager automatically creates and maintains the following user objects in SQL. These objects are located within the Configuration Manager database under Security/Users.

Important

Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. We recommend that you don't make any changes to these objects.

smsdbuser_ReadOnly

This object is used to run queries under a read-only context. Several stored procedures use it.

smsdbuser_ReadWrite

This object is used to provide permissions for dynamic SQL statements.

smsdbuser_ReportSchema

This object is used to run SQL reporting executions. The following stored procedure uses it: spSRExecQuery.

Database roles that Configuration Manager uses in SQL

Configuration Manager automatically creates and maintains the following role objects in SQL. These roles provide access to specific stored procedures, tables, views, and functions so that each role can perform the actions it needs, either retrieving data from or inserting data into the Configuration Manager database. These objects are located within the Configuration Manager database under Security/Roles/Database Roles.

Important

Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. Don't change these objects. The following list is for information purposes only.

smsdbrole_AITool

Asset Intelligence volume license import. Configuration Manager grants this permission to user accounts, based on RBA access, so that they can import volume licenses for use with Asset Intelligence. A Full Administrator or an Asset Manager role can add this account.

smsdbrole_AIUS

Asset Intelligence update synchronization. Configuration Manager grants the computer account that hosts the Asset Intelligence synchronization point access to get Asset Intelligence proxy data and to view pending AI data for upload.

smsdbrole_AMTSP

Out of band management. The Configuration Manager AMT role uses this role to retrieve data on devices that support Intel AMT.

Note

This role is deprecated in newer releases of Configuration Manager.

smsdbrole_CRP

Certificate registration point, to support the Simple Certificate Enrollment Protocol (SCEP). Configuration Manager grants permission to the computer account of the site system that hosts the certificate registration point, for SCEP support for certificate signing and renewal.

smsdbrole_CRPPfx

Certificate registration point PFX support. Configuration Manager grants permission to the computer account of the site system that hosts the certificate registration point configured for PFX support, for signing and renewal.

smsdbrole_DMP

Device management point. Configuration Manager grants this permission to the computer account of a management point that has the option Allow mobile devices and Mac computers to use this management point, so that it can provide support for MDM-enrolled devices.

smsdbrole_DmpConnector

Service connection point. Configuration Manager grants this permission to the computer account that hosts the service connection point, to retrieve and provide telemetry data, manage cloud services, and retrieve service updates.

smsdbrole_DViewAccess

Distributed views. Configuration Manager grants this permission to the computer accounts of the primary site servers on the CAS when the SQL Server distributed views option is selected in the replication link properties.

smsdbrole_DWSS

Data warehouse. Configuration Manager grants this permission to the computer account that hosts the data warehouse role.

smsdbrole_EnrollSvr

Enrollment point. Configuration Manager grants this permission to the computer account that hosts the enrollment point, to allow device enrollment via MDM.

smsdbrole_extract

Provides access to all the extended schema views.

smsdbrole_HMSUser

Hierarchy Manager service. Configuration Manager grants this account permissions to manage failover state messages and SQL Server Service Broker transactions between sites within a hierarchy.

Note

The smsdbrole_WebPortal role is a member of this role by default.

smsdbrole_MCS

Multicast service. Configuration Manager grants this permission to the computer account of a distribution point that supports multicast.

smsdbrole_MP

Management point. Configuration Manager grants this permission to the computer account that hosts the management point role, to provide support for Configuration Manager clients.

smsdbrole_MPMBAM

Management point Microsoft BitLocker Administration and Monitoring. Configuration Manager grants this permission to the computer account that hosts the management point that manages MBAM for an environment.

smsdbrole_MPUserSvc

Management point application request. Configuration Manager grants this permission to the computer account that hosts the management point, to support user-based application requests.

smsdbrole_siteprovider

SMS Provider. Configuration Manager grants this permission to the computer account that hosts an SMS Provider role.

smsdbrole_siteserver

Site server. Configuration Manager grants this permission to the computer account that hosts the primary site or the CAS.

smsdbrole_SUP

Software update point. Configuration Manager grants this permission to the computer account that hosts the software update point, for working with third-party updates.

smsdbrole_WebPortal

Application Catalog website point. Configuration Manager grants permission to the computer account that hosts the Application Catalog website point, to provide user-based application deployment.

smsschm_users

User reporting access. Configuration Manager grants access to the account used as the Reporting services point account, to allow access to the SMS reporting views that display Configuration Manager reporting data. The data is further restricted with the use of RBA.
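A read-only inventory of the user objects and database roles listed in the two SQL sections above, as an added example that is not part of the original page. It queries the catalog views so that drift (an unexpected member in smsdbrole_siteserver, a user login where the page says only a computer account is granted) is visible without modifying the objects, which the Important notes above warn against. The instance SQL01, database CM_PS1 and the list of computer-account-only roles are placeholders; it assumes the SqlServer module (Invoke-Sqlcmd).

```powershell
# Added example, not from the original page. Inventories the Configuration Manager
# user objects and database role membership described above, read-only, so that
# drift can be spotted without touching the objects. Placeholders: instance SQL01,
# database CM_PS1. Needs the SqlServer module (Invoke-Sqlcmd).

$instance = 'SQL01'
$database = 'CM_PS1'

# The three smsdbuser_* principals the page lists.
$principalsQuery = @"
SELECT name, type_desc, authentication_type_desc
FROM   sys.database_principals
WHERE  name LIKE 'smsdbuser[_]%'
ORDER  BY name;
"@

# Every member of every smsdbrole_* role plus smsschm_users.
$membersQuery = @"
SELECT r.name AS RoleName, m.name AS MemberName, m.type_desc AS MemberType
FROM   sys.database_role_members rm
JOIN   sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN   sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE  r.name LIKE 'smsdbrole[_]%' OR r.name = 'smsschm_users'
ORDER  BY r.name, m.name;
"@

Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $principalsQuery |
    Format-Table -AutoSize

$members = Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $membersQuery
$members | Format-Table -AutoSize

# Roles the page describes as granted to site system computer accounts. A Windows
# computer account ends in '$'; any other member of these roles deserves a look.
# Role membership by another database role (e.g. smsdbrole_WebPortal inside
# smsdbrole_HMSUser) is expected and is skipped.
$computerOnly = 'smsdbrole_siteserver', 'smsdbrole_siteprovider', 'smsdbrole_MP',
                'smsdbrole_SUP', 'smsdbrole_DMP', 'smsdbrole_DmpConnector',
                'smsdbrole_EnrollSvr', 'smsdbrole_MCS', 'smsdbrole_DWSS'
$members |
    Where-Object {
        $computerOnly -contains $_.RoleName -and
        $_.MemberType -ne 'DATABASE_ROLE' -and
        $_.MemberName -notmatch '\$$'
    } |
    ForEach-Object { Write-Warning ('Review: {0} is a member of {1}' -f $_.MemberName, $_.RoleName) }
```

Keep a copy of the first run's output as a baseline; comparing the member list after site upgrades or role additions is the cheapest way to notice an account that was added to one of these roles by hand.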

Elevated permissions

Configuration Manager requires some accounts to have elevated permissions for ongoing operations. For example, see Prerequisites for installing a primary site. The following list summarizes these permissions and the reasons why they're needed.

  • The computer account of the primary site server and central administration site server requires:

    • Local Administrator rights on all site system servers. This permission is needed to manage, install, and remove system services. The site server also updates local groups on the site system when you add or remove roles.

    • Sysadmin access to the SQL instance for the site database. This permission is needed to configure and manage SQL for the site. Configuration Manager tightly integrates with SQL; it's not just a database.

  • User accounts in the Full Administrator role require:

    • Local Administrator rights on all site servers. This permission is needed to view, edit, remove, and install system services, registry keys and values, and WMI objects.

    • Sysadmin access to the SQL instance for the site database. This permission is needed to install and update the database during setup or recovery. It's also required for SQL maintenance and operations, for example, reindexing and updating statistics.

      Note

      Some organizations may choose to remove sysadmin access and grant it only when it's required. This behavior is sometimes referred to as just-in-time (JIT) access. In this case, users with the Full Administrator role should still have access to read, update, and execute stored procedures on the Configuration Manager database. These permissions allow them to troubleshoot most issues without full sysadmin access.
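One way to implement the standing grant the note describes, as an added example that is not part of the original page: a Windows group of Full Administrators receives read, update and execute rights on the site database through the fixed database roles and a schema-level EXECUTE grant, and nothing at server level, so sysadmin can be granted just-in-time separately. The instance SQL01, database CM_PS1 and group CONTOSO\CM-FullAdmins are placeholders; it assumes the SqlServer module (Invoke-Sqlcmd) and is run once by someone who is sysadmin.

```powershell
# Added example, not from the original page. Grants a Full Administrator group
# the read / update / execute rights the note above lists, without sysadmin.
# Placeholders: instance SQL01, database CM_PS1, group CONTOSO\CM-FullAdmins.
# Run once as sysadmin; the group itself receives no server-level role.

$instance = 'SQL01'
$database = 'CM_PS1'
$group    = 'CONTOSO\CM-FullAdmins'

$tsql = @"
-- Server login for the Windows group, created only if missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$group')
    CREATE LOGIN [$group] FROM WINDOWS;

-- Database user mapped to that login, in the site database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$group')
    CREATE USER [$group] FOR LOGIN [$group];

-- Read and update data, and execute stored procedures: the three rights the note names.
ALTER ROLE db_datareader ADD MEMBER [$group];
ALTER ROLE db_datawriter ADD MEMBER [$group];
GRANT EXECUTE ON SCHEMA::dbo TO [$group];

-- Confirm the group has not picked up sysadmin along the way.
SELECT IS_SRVROLEMEMBER('sysadmin', N'$group') AS IsSysadmin;
"@

$result = Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $tsql
if ($result.IsSysadmin -eq 1) {
    Write-Warning "$group is sysadmin; the JIT model expects that to be granted on demand, not standing."
} else {
    "$group: standing rights set; sysadmin is not held."
}
```

The verification select is the point of the script rather than an afterthought: a group that is already nested inside a sysadmin login makes the rest of the grants moot, and the only way to see that is to ask SQL Server about effective membership after the change.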