Accounts used in Configuration Manager

Applies to: Configuration Manager (current branch)

Use the following information to identify the Windows groups, accounts, and SQL objects that are used in Configuration Manager, how they are used, and any requirements.

Windows groups that Configuration Manager creates and uses

Configuration Manager automatically creates, and in many cases automatically maintains, the following Windows groups:

Note

When Configuration Manager creates a group on a computer that's a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group. This type of group is shared among all domain controllers in the domain.

Configuration Manager_CollectedFilesAccess

Configuration Manager uses this group to grant access to view files collected by software inventory.

For more information, see Introduction to software inventory.

Type and location

This group is a local security group created on the primary site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role.

Permissions

By default, this group has Read permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\sinv.box\FileCol

Configuration Manager_DViewAccess

This group is a local security group that Configuration Manager creates on the site database server or database replica server for a child primary site. The site creates it when you use distributed views for database replication between sites in a hierarchy. It contains the site server and SQL Server computer accounts of the central administration site.

For more information, see Data transfers between sites.

Configuration Manager Remote Control Users

Configuration Manager remote tools use this group to store the accounts and groups that you set up in the Permitted Viewers list. The site assigns this list to each client.

For more information, see Introduction to remote control.

Type and location

This group is a local security group created on the Configuration Manager client when the client receives a policy that enables remote tools.

After you disable remote tools for a client, this group isn't automatically removed. Manually delete it after disabling remote tools.

Membership

By default, there are no members in this group. When you add users to the Permitted Viewers list, they're automatically added to this group.

Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups directly to this group.

In addition to being a permitted viewer, an administrative user must have the Remote Control permission to the Collection object. Assign this permission by using the Remote Tools Operator security role.

Permissions

By default, this group doesn't have permissions to any locations on the computer. It's used only to hold the Permitted Viewers list.

SMS Admins

Configuration Manager uses this group to grant access to the SMS Provider through WMI. Access to the SMS Provider is required to view and change objects in the Configuration Manager console.

Note

The role-based administration configuration of an administrative user determines which objects they can view and manage when using the Configuration Manager console.

For more information, see Plan for the SMS Provider.

Type and location

This group is a local security group created on each computer that has an SMS Provider.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site.

Permissions

You can view the rights and permissions for the SMS Admins group in the WMI Control MMC snap-in. By default, this group is granted Enable Account and Remote Enable on the Root\SMS WMI namespace. Authenticated Users have Execute Methods, Provider Write, and Enable Account.

When you use a remote Configuration Manager console, configure Remote Activation DCOM permissions on both the site server computer and the SMS Provider. Grant these rights to the SMS Admins group rather than directly to individual users or groups; that keeps administration simple. For more information, see Configure DCOM permissions for remote Configuration Manager consoles.
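
To verify those namespace rights without opening the WMI Control snap-in, the following added PowerShell example (it is not part of the Configuration Manager documentation or product) reads the DACL of the Root\SMS namespace through the __SystemSecurity class and decodes each access mask into the right names the snap-in displays. The computer name is an assumption (it defaults to the local machine); run it on an SMS Provider computer, or point -ComputerName at one.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Reads the DACL of a WMI namespace (default Root\SMS) via __SystemSecurity and
# decodes each ACE's access mask into the right names shown by the WMI Control
# snap-in, so the SMS Admins and Authenticated Users entries can be verified and
# unexpected principals spotted.
# Assumption: without -ComputerName the local machine is queried; a remote SMS
# Provider needs WinRM and WMI rights for the caller.

function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace    = 'Root\SMS',
        [string]$ComputerName
    )

    # WMI namespace access-mask bits (wbemcli.h) and their snap-in names.
    $bits = [ordered]@{
        0x00001 = 'Enable Account'      # WBEM_ENABLE
        0x00002 = 'Execute Methods'     # WBEM_METHOD_EXECUTE
        0x00004 = 'Full Write'          # WBEM_FULL_WRITE_REP
        0x00008 = 'Partial Write'       # WBEM_PARTIAL_WRITE_REP
        0x00010 = 'Provider Write'      # WBEM_WRITE_PROVIDER
        0x00020 = 'Remote Enable'       # WBEM_REMOTE_ACCESS
        0x20000 = 'Read Security'       # READ_CONTROL
        0x40000 = 'Edit Security'       # WRITE_DAC
    }

    $query = @{ Namespace = $Namespace; ClassName = '__SystemSecurity' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    $sec = Get-CimInstance @query
    $sd  = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor

    foreach ($ace in $sd.DACL) {
        $t    = $ace.Trustee
        $name = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
        $rights = foreach ($bit in $bits.Keys) {
            if ($ace.AccessMask -band $bit) { $bits[$bit] }
        }
        [pscustomobject]@{
            Trustee   = $name
            Sid       = $t.SIDString
            Type      = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }   # ACCESS_DENIED_ACE_TYPE = 1
            Inherited = [bool]($ace.AceFlags -band 0x10)                      # INHERITED_ACE
            Rights    = ($rights -join ', ')
        }
    }
}

# Full listing, as the WMI Control snap-in would show it.
Get-WmiNamespaceAcl | Sort-Object Type, Trustee | Format-Table -AutoSize

# Anyone other than the local Administrators group (S-1-5-32-544) who can write the
# repository or edit namespace security can change what every console sees; flag them.
Get-WmiNamespaceAcl |
    Where-Object { $_.Type -eq 'Allow' -and $_.Sid -ne 'S-1-5-32-544' -and
                   $_.Rights -match 'Full Write|Edit Security' } |
    Format-Table Trustee, Rights -AutoSize
```

On a healthy SMS Provider the Rights column for SMS Admins reads "Enable Account, Remote Enable" and the entry for Authenticated Users reads "Enable Account, Execute Methods, Provider Write"; the second query should return nothing. An extra principal with Full Write or Edit Security on Root\SMS deserves a ticket, because that principal can alter the provider's view of the site for every console user.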

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>

Management points that are remote from the site server use this group to connect to the site database. This group gives a management point access to the inbox folders on the site server and to the site database.

Type and location

This group is a local security group created on each computer that has an SMS Provider.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer accounts of remote computers that have a management point for the site.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group has the additional permission of Write to the subfolders below inboxes to which the management point writes client data.

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>

Remote SMS Provider computers use this group to connect to the site server.

Type and location

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or domain user account that each remote SMS Provider uses to connect to the site server.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group has the additional permissions of Write and Modify to the subfolders below inboxes. The SMS Provider requires access to these folders.

This group also has Read permission to the subfolders on the site server below C:\Program Files\Microsoft Configuration Manager\OSD\Bin.

It also has the following permissions to the subfolders below C:\Program Files\Microsoft Configuration Manager\OSD\boot:

  • Read
  • Read & execute
  • List folder contents
  • Write
  • Modify

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>

The file dispatch manager component on Configuration Manager remote site system computers uses this group to connect to the site server.

Type and location

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or domain user account that each remote site system running the file dispatch manager uses to connect to the site server.

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the following folder and its subfolders on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes.

This group has the additional permissions of Write and Modify to the following folder on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box.

SMS_SiteToSiteConnection_<sitecode>

Configuration Manager uses this group to enable file-based replication between sites in a hierarchy. For each remote site that transfers files directly to this site, this group contains the account that site uses as its File Replication Account.

Type and location

This group is a local security group created on the site server.

Membership

When you install a new site as a child of another site, Configuration Manager automatically adds the computer account of the new site server to this group on the parent site server. Configuration Manager also adds the parent site server's computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.

Permissions

By default, this group has Full control to the following folder: C:\Program Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive.
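
The groups above, their members and their folder rights are the first thing to compare against this page when a site server is reviewed, and several of the groups must be deleted by hand after a site is uninstalled. The following added PowerShell example (not part of the Configuration Manager documentation or product) inventories every group named on this page on the local site server, reports the NTFS rights those groups hold under inboxes and OSD, and wraps the post-uninstall cleanup in a function that honours -WhatIf. The install path is an assumption (the default), and the script expects to run elevated on Windows Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts module is present.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Inventories the local groups Configuration Manager creates on a site server,
# their members and the NTFS rights those groups hold under the install folder,
# and offers a cleanup for the groups setup leaves behind after a site is
# uninstalled. Assumptions: default install path below, Windows Server 2016+
# (Microsoft.PowerShell.LocalAccounts), run elevated on the site server.

$cmRoot = 'C:\Program Files\Microsoft Configuration Manager'   # assumed default path

function Get-CMLocalGroupReport {
    # Every group name documented on this page; the trailing site code varies per site.
    $pattern = '^(Configuration Manager_|SMS Admins$|SMS_SiteSystemToSiteServerConnection_|SMS_SiteToSiteConnection_)'
    foreach ($g in Get-LocalGroup | Where-Object Name -match $pattern) {
        $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group   = $g.Name
            Count   = $members.Count
            Members = ($members.Name -join '; ')
        }
    }
}

function Get-CMInboxAcl {
    # Reports each explicit or inherited ACE granted to a Configuration Manager
    # group under inboxes and OSD, so Write/Modify/FullControl shows per folder.
    param([string]$Root = $cmRoot)
    $folders = foreach ($top in "$Root\inboxes", "$Root\OSD") {
        if (Test-Path $top) { Get-Item $top; Get-ChildItem $top -Directory -Recurse }
    }
    foreach ($f in $folders) {
        foreach ($ace in (Get-Acl -Path $f.FullName).Access) {
            # Local groups appear as COMPUTERNAME\SMS Admins, COMPUTERNAME\SMS_SiteToSiteConnection_PS1, ...
            if ($ace.IdentityReference.Value -notmatch '\\(SMS|Configuration Manager)') { continue }
            [pscustomobject]@{
                Folder    = $f.FullName.Substring($Root.Length + 1)
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-CMLeftoverGroups {
    # Deletes the groups listed by Get-CMLocalGroupReport. Run this only after the
    # site is uninstalled; a live site needs them and re-populates their membership.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($g in Get-CMLocalGroupReport) {
        if ($PSCmdlet.ShouldProcess($g.Group, 'Remove local group')) {
            Remove-LocalGroup -Name $g.Group
        }
    }
}

Get-CMLocalGroupReport | Format-Table -AutoSize
# Only the write-capable grants; compare them with the defaults listed on this page.
Get-CMInboxAcl | Where-Object Rights -match 'Write|Modify|FullControl' | Format-Table -AutoSize
# Dry run of the post-uninstall cleanup:
# Remove-CMLeftoverGroups -WhatIf
```

Anything beyond the defaults on this page, such as a SiteSystemToSiteServerConnection group with Modify on despoolr.box\receive or a user account that is a direct member of SMS Admins but no longer an administrative user, is worth investigating, because these groups are the path a compromised site system would use to drop files into the site server's inboxes.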

Accounts that Configuration Manager uses

You can set up the following accounts for Configuration Manager.

Tip

Don't use the percent character (%) in the password of an account that you specify in the Configuration Manager console. The account will fail to authenticate.

Active Directory group discovery account

The site uses the Active Directory group discovery account to discover the following objects from the locations in Active Directory Domain Services that you specify:

  • Local, global, and universal security groups
  • The membership within these groups
  • The membership within distribution groups
    • Distribution groups aren't discovered as group resources

This account can be the computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory group discovery.

Active Directory system discovery account

The site uses the Active Directory system discovery account to discover computers from the locations in Active Directory Domain Services that you specify.

This account can be the computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory system discovery.

Active Directory user discovery account

The site uses the Active Directory user discovery account to discover user accounts from the locations in Active Directory Domain Services that you specify.

This account can be the computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that you specify for discovery.

For more information, see Active Directory user discovery.

Active Directory forest account

The site uses the Active Directory forest account to discover network infrastructure from Active Directory forests. Central administration sites and primary sites also use it to publish site data to Active Directory Domain Services for a forest.

Note

Secondary sites always use the secondary site server computer account to publish to Active Directory.

To discover and publish to untrusted forests, the Active Directory forest account must be a global account. If you don't use the computer account of the site server, you can select only a global account.

This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure.

This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data. For more information, see Prepare Active Directory for site publishing.

For more information, see Active Directory forest discovery.
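
The Full Control grant on the System Management container is the one Active Directory permission this page requires that also lets its holder rewrite the site information clients look up, so it pays to check exactly who holds it. The following added PowerShell example (not part of the Configuration Manager documentation or product) reads the container's ACL through the AD: drive, grants the required right with dsacls.exe only if it is missing, and then lists every principal with write-level rights on the container. The principal name is a placeholder: use the site server computer account, or the Active Directory forest account when publishing to an untrusted forest. Run it once, as a user allowed to change the container's ACL.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Verifies, and if missing grants, the Full Control that site publishing needs
# on the System Management container, then lists every other principal with
# write-level rights there, since anyone who can modify this container can
# tamper with the site information clients look up. Uses the AD: drive
# (ActiveDirectory module) to read and dsacls.exe to grant.
# Assumptions: $principal is a placeholder (site server computer account, or the
# Active Directory forest account for an untrusted forest); run as a user
# allowed to change the container's ACL.

Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=System Management,CN=System,$domainDn"
$principal = 'CONTOSO\CM-SITESERVER$'     # placeholder

function Get-SystemManagementAccess {
    param([string]$Dn = $container)
    foreach ($ace in (Get-Acl -Path "AD:\$Dn").Access) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceType      # 'All' = this object and all child objects
            Inherited   = $ace.IsInherited
        }
    }
}

function Test-SystemManagementFullControl {
    param([string]$Identity)
    [bool](Get-SystemManagementAccess | Where-Object {
        $_.Identity -eq $Identity -and $_.Type -eq 'Allow' -and
        $_.Rights -eq 'GenericAll' -and $_.Inheritance -eq 'All' })
}

if (-not (Test-SystemManagementFullControl -Identity $principal)) {
    # GA = generic all (Full Control); /I:T = this object and all child objects.
    dsacls.exe $container /G "${principal}:GA" /I:T | Out-Null
    if (-not (Test-SystemManagementFullControl -Identity $principal)) {
        throw "Failed to grant Full Control on $container to $principal"
    }
}

# Review: every principal that can write this container or change its security.
Get-SystemManagementAccess |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' } |
    Sort-Object Identity | Format-Table Identity, Rights, Inheritance, Inherited -AutoSize
```

The final listing should contain only the site server accounts (or forest account), Domain Admins, Enterprise Admins and SYSTEM. A broad grant such as Authenticated Users, sometimes left over from a quick setup, lets any domain account publish a rogue management point record under the container.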

Certificate registration point account

The certificate registration point uses the Certificate registration point account to connect to the Configuration Manager database. It uses its computer account by default, but you can configure a user account instead. When the certificate registration point is in an untrusted domain from the site server, you must specify a user account. This account requires only Read access to the site database, because the state message system handles write tasks.

For more information, see Introduction to certificate profiles.

Capture OS image account

When you capture an OS image, Configuration Manager uses the Capture OS image account to access the folder where you store captured images. This account is required if you add the Capture OS Image step to a task sequence.

The account must have Read and Write permissions on the network share where you store captured images.

If you change the password for the account in Windows, update the task sequence with the new password. The Configuration Manager client receives the new password when it next downloads client policy.

If you need to use this account, create one domain user account. Grant it minimal permissions to access the required network resources, and use it for all capture task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

For more information, see Create a task sequence to capture an OS.

Client push installation account

When you deploy clients by using the client push installation method, the site uses the Client push installation account to connect to computers and install the Configuration Manager client software. If you don't specify this account, the site server tries to use its computer account.

This account must be a member of the local Administrators group on the target client computers. This account doesn't require Domain Admin rights.

You can specify more than one client push installation account. Configuration Manager tries each one in turn until one succeeds.

Tip

If you have a large Active Directory environment and need to change this account, use the following process to coordinate the account update more effectively:

  1. Create a new account with a different name
  2. Add the new account to the list of client push installation accounts in Configuration Manager
  3. Allow sufficient time for Active Directory Domain Services to replicate the new account
  4. Then remove the old account from Configuration Manager and Active Directory Domain Services

Important

Use domain or local group policy to assign this account the Windows user right Deny log on locally. As a member of the Administrators group, this account would otherwise have the right to sign in locally, which it doesn't need. For better security, explicitly deny the right for this account. The deny right supersedes the allow right.

For more information, see Client push installation.

Enrollment point connection account

The enrollment point uses the Enrollment point connection account to connect to the Configuration Manager site database. It uses its computer account by default, but you can configure a user account instead. When the enrollment point is in an untrusted domain from the site server, you must specify a user account. This account requires Read and Write access to the site database.

For more information, see Install site system roles for on-premises MDM.

Exchange Server connection account

The site server uses the Exchange Server connection account to connect to the specified Exchange Server. It uses this connection to find and manage mobile devices that connect to Exchange Server. This account must be granted the Exchange PowerShell cmdlets that provide the required access to the Exchange Server computer. For more information about the cmdlets, see Install and configure the Exchange connector.

Management point connection account

The management point uses the Management point connection account to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account.

Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server.

Important

Don't grant interactive sign-in rights to this account.

Multicast connection account

Multicast-enabled distribution points use the Multicast connection account to read information from the site database. The server uses its computer account by default, but you can configure a user account instead. When the site database is in an untrusted forest, you must specify a user account. For example, if your data center has a perimeter network in a forest other than the one that contains the site server and site database, use this account to read the multicast information from the site database.

If you need this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server.

Important

Don't grant interactive sign-in rights to this account.

For more information, see Use multicast to deploy Windows over the network.

Network access account

Client computers use the network access account when they can't use their local computer account to access content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account in the domain.

Important

The network access account is never used as the security context to run programs, install software updates, or run task sequences. It's used only for accessing resources on the network.

A Configuration Manager client first tries to use its computer account to download the content. If that fails, it then automatically tries the network access account.

If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Azure AD-joined client can securely access content from distribution points without the need for a network access account. This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Client to management point communication.

Note

If you enable Enhanced HTTP so that the network access account isn't required, the distribution point needs to be running Windows Server 2012 or later.

Upgrade clients to at least version 1806 before enabling this functionality. If you only allow Enhanced HTTP connections, older clients can't authenticate using this method, so they can't download the client upgrade package from a distribution point.

Permissions

Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point. You can configure up to 10 network access accounts per site.

Create the account in any domain that provides the necessary access to resources. The network access account must always include a domain name. Pass-through security isn't supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain.

Tip

To avoid account lockouts, don't change the password on an existing network access account. Instead, create a new account and set up the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account.

Important

Don't grant interactive sign-in rights to this account.

Don't grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task sequence domain join account.
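
The same user-rights rule recurs for the client push installation account, the capture OS image account, the management point and multicast connection accounts, and the network access account: none of them should be able to sign in interactively, and the network access account additionally needs Access this computer from the network on each distribution point. The following added PowerShell example (not part of the Configuration Manager documentation or product) exports the effective local security policy with secedit.exe and checks those two assignments for a list of accounts, comparing SIDs so that a renamed account is still matched. The account names are placeholders; run it elevated on the server being checked (a distribution point for the network-logon test) with the domain reachable so names resolve.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Checks the user-rights assignments this page calls for: "Deny log on locally"
# for the client push, capture OS image, management point connection, multicast
# connection and network access accounts, and "Access this computer from the
# network" for the network access account on a distribution point. Exports the
# effective local policy with secedit and compares SIDs, so renames don't matter.
# Assumptions: the account names below are placeholders; run elevated on the
# server being checked, with the domain reachable so names resolve to SIDs.

function ConvertTo-Sid {
    param([string]$Account)
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Account }   # unresolvable name: keep it so it still shows in output
}

function Get-LocalUserRights {
    # Returns @{ privilege = @(SID, ...) } parsed from the [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
            $priv = $Matches[1]
            $rights[$priv] = @(foreach ($p in ($Matches[2] -split ',')) {
                $p = $p.Trim()
                if ($p.StartsWith('*')) { $p.Substring(1) } else { ConvertTo-Sid $p }   # '*S-1-...' or a name
            })
        }
        $rights
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

function Test-AccountRight {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Privilege,   # e.g. SeDenyInteractiveLogonRight
        [hashtable]$Rights = (Get-LocalUserRights)
    )
    # Direct assignment only: membership via Users, Everyone and so on isn't expanded here.
    [bool]($Rights[$Privilege] -contains (ConvertTo-Sid $Account))
}

$rights = Get-LocalUserRights
$serviceAccounts = 'CONTOSO\svc-cm-push', 'CONTOSO\svc-cm-capture', 'CONTOSO\svc-cm-naa'   # placeholders
foreach ($acct in $serviceAccounts) {
    [pscustomobject]@{
        Account          = $acct
        DenyLogOnLocally = Test-AccountRight -Account $acct -Privilege SeDenyInteractiveLogonRight -Rights $rights
        NetworkLogOn     = Test-AccountRight -Account $acct -Privilege SeNetworkLogonRight -Rights $rights
    }
}
```

Expect DenyLogOnLocally to be True for every service account and NetworkLogOn to be True for the network access account on a distribution point. Because the test looks only at direct assignments, a network access account that gets SeNetworkLogonRight through Everyone or Authenticated Users shows False here; that is still a working configuration, but it is worth confirming which group carries the grant before tightening the policy.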

Configure the network access account

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Then select the site.

  2. In the Settings group of the ribbon, select Configure Site Components, and choose Software Distribution.

  3. Choose the Network access account tab. Set up one or more accounts, and then choose OK.
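
The same change can be scripted with the ConfigurationManager PowerShell module that installs with the console, which also makes the rotation order from the tip above repeatable: register a new account, publish old and new together until clients have refreshed policy, then drop the old one, never changing the existing account's password. The following added example is not part of the Configuration Manager documentation or product; the site code and account names are placeholders, the module is located through $env:SMS_ADMIN_UI_PATH, and the cmdlet parameters used (New-CMAccount, Set-CMSoftwareDistributionComponent -NetworkAccessAccountName, Remove-CMAccount) should be confirmed with Get-Help against your module version before the script is relied on.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Performs the console steps above with the ConfigurationManager PowerShell
# module, in the rotation order this page's tip recommends: register a new
# account, publish both old and new for a while, then drop the old one, instead
# of changing the existing account's password. Assumptions: site code and
# account names are placeholders; the module ships with the console and is
# located via $env:SMS_ADMIN_UI_PATH; confirm cmdlet parameters with Get-Help
# for your module version.

param(
    [string]$SiteCode   = 'PS1',
    [string]$NewAccount = 'CONTOSO\svc-cm-naa2',
    [string]$OldAccount = 'CONTOSO\svc-cm-naa1',
    [switch]$RemoveOld      # second run, after every client has the new policy
)

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location "${SiteCode}:"

if (-not $RemoveOld) {
    if (-not (Get-CMAccount -UserName $NewAccount)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $NewAccount"
        # The console rejects '%' in passwords (see the tip on this page); fail early
        # rather than register an account that can't authenticate.
        if ([System.Net.NetworkCredential]::new('', $pw).Password.Contains('%')) {
            throw "Password for $NewAccount contains '%', which Configuration Manager accounts don't support."
        }
        New-CMAccount -UserName $NewAccount -Password $pw -SiteCode $SiteCode | Out-Null
    }
    # Both accounts active: clients pick up the new one with their next policy; the old
    # one keeps working for clients that haven't refreshed yet (10 accounts max per site).
    Set-CMSoftwareDistributionComponent -SiteCode $SiteCode -NetworkAccessAccountName @($OldAccount, $NewAccount)
}
else {
    Set-CMSoftwareDistributionComponent -SiteCode $SiteCode -NetworkAccessAccountName @($NewAccount)
    Remove-CMAccount -UserName $OldAccount -SiteCode $SiteCode -Force
    # Now remove the old account from share and NTFS ACLs and disable it in AD;
    # the site doesn't do that for you.
}
```

Save it as a script and run it once without -RemoveOld, wait for the longest client policy interval plus a margin (or watch client-side download logs stop using the old account), then run it again with -RemoveOld.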

Package access account

A Package access account lets you set NTFS permissions to specify the users and user groups that can access package content on distribution points. By default, Configuration Manager grants access only to the generic access accounts User and Administrator. You can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so they don't use a package access account.

By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to the local Users group, and Full Control to the local Administrators group. The actual permissions required depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the network access account to access the package content. Make sure that the network access account has permissions to the package through the defined package access accounts.

Use accounts in a domain that can access the distribution points. If you create or modify the account after you create the package, you must redistribute the package. Updating the package doesn't change the NTFS permissions on the package.

You don't have to add the network access account as a package access account, because membership of the Users group adds it automatically. Restricting the package access account to only the network access account doesn't prevent clients from accessing the package.

Manage package access accounts

  1. In the Configuration Manager console, choose Software Library.

  2. In the Software Library workspace, determine the type of content for which you want to manage access accounts, and follow the steps provided:

    • Application: Expand Application Management, choose Applications, and then select the application for which to manage access accounts.

    • Package: Expand Application Management, choose Packages, and then select the package for which to manage access accounts.

    • Software update deployment package: Expand Software Updates, choose Deployment Packages, and then select the deployment package for which to manage access accounts.

    • Driver package: Expand Operating Systems, choose Driver Packages, and then select the driver package for which to manage access accounts.

    • OS image: Expand Operating Systems, choose Operating System Images, and then select the operating system image for which to manage access accounts.

    • OS upgrade package: Expand Operating Systems, choose Operating System Upgrade Packages, and then select the OS upgrade package for which to manage access accounts.

    • Boot image: Expand Operating Systems, choose Boot Images, and then select the boot image for which to manage access accounts.

  3. Right-click the selected object, and then choose Manage Access Accounts.

  4. In the Add Account dialog box, specify the account type that will be granted access to the content, and then specify the access rights associated with the account.

    Note

    When you add a user name for the account, and Configuration Manager finds both a local user account and a domain user account with that name, Configuration Manager sets access rights for the domain user account.

Reporting services point account

SQL Server Reporting Services uses the Reporting services point account to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Note

The account you specify must have the Log on locally right on the computer hosting the SQL Reporting Services database.

Note

The account is automatically granted all necessary rights by being added to the smsschm_users SQL database role on the Configuration Manager database.

For more information, see Introduction to reporting.

Remote tools permitted viewer accounts

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

For more information, see Introduction to remote control.

Site installation account

Use a domain user account to sign in to the server where you run Configuration Manager setup and install a new site.

This account requires the following rights:

  • Administrator on the following servers:

    • The site server
    • Each server that hosts the site database
    • Each instance of the SMS Provider for the site
  • Sysadmin on the instance of SQL Server that hosts the site database

Configuration Manager setup automatically adds this account to the SMS Admins group.

After installation, this account is the only user with rights to the Configuration Manager console. If you need to remove this account, make sure to add its rights to another user first.

When expanding a standalone site to include a central administration site, this account requires either Full Administrator or Infrastructure Administrator role-based administration rights at the standalone primary site.

Site system installation account

The site server uses the Site system installation account to install, reinstall, uninstall, and set up site systems. If you set up the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system after it installs the site system and any roles. Each site system can have a different installation account, but you can set up only one installation account to manage all roles on that site system.

This account requires local administrative permissions on the target site systems. Additionally, this account must have the Access this computer from the network right in the security policy on the target site systems.

Tip

If you have many domain controllers and these accounts are used across domains, before you set up the site system, check that Active Directory has replicated these accounts.

When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts. It limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage. Consider the trade-off between security and effective administration.

Site system proxy server account

The following site system roles use the Site system proxy server account to access the internet via a proxy server or firewall that requires authenticated access:

  • Asset Intelligence synchronization point
  • Exchange Server connector
  • Service connection point
  • Software update point

Important

Specify an account that has the least possible permissions for the required proxy server or firewall.

For more information, see Proxy server support.

SMTP server connection account

The site server uses the SMTP server connection account to send email alerts when the SMTP server requires authenticated access.

Important

Specify an account that has the least possible permissions to send emails.

For more information, see Use alerts and the status system.

Software update point connection account

The site server uses the Software update point connection account for the following two software update services:

  • Windows Server Update Services (WSUS), which sets up settings like product definitions, classifications, and upstream settings.

  • WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update.

The site system installation account can install components for software updates, but it can't perform software update-specific functions on the software update point. If you can't use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the site system installation account.

This account must be a local administrator on the computer where you install WSUS. It must also be a member of the local WSUS Administrators group.

For more information, see Plan for software updates.

Source site account

The migration process uses the Source site account to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs.

If you have Configuration Manager 2007 distribution points or secondary sites with colocated distribution points, when you upgrade them to Configuration Manager (current branch) distribution points, this account must also have Delete permissions to the Site class. This permission is needed to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade.

Note

Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.

Source site database account

The migration process uses the Source site database account to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the source site database account must have the Read and Execute permissions to the source site's SQL Server database.

If you use the Configuration Manager (current branch) computer account, make sure that all the following are true for this account:

  • It's a member of the Distributed COM Users security group in the same domain as the Configuration Manager 2007 site
  • It's a member of the SMS Admins security group
  • It has the Read permission to all Configuration Manager 2007 objects

Note

Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.

Task sequence domain join account

Windows Setup uses the Task sequence domain join account to join a newly imaged computer to a domain. This account is required by the Join Domain or Workgroup task sequence step with the Join a domain option. This account can also be set up with the Apply Network Settings step, but it isn't required there.

This account requires the Domain Join right in the target domain.

Tip

Create one domain user account with the minimal permissions to join the domain, and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence network folder connection account

The task sequence engine uses the Task sequence network folder connection account to connect to a shared folder on the network. This account is required by the Connect to Network Folder task sequence step.

This account requires permissions to access the specified shared folder. It must be a domain user account.

Tip

Create one domain user account with minimal permissions to access the required network resources, and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence run as account

The task sequence engine uses the Task sequence run as account to run command lines or PowerShell scripts with credentials other than the Local System account. This account is required by the Run Command Line and Run PowerShell Script task sequence steps when the option Run this step as the following account is chosen.

Set up the account to have the minimum permissions required to run the command line that you specify in the task sequence. The account requires interactive sign-in rights. It usually requires the ability to install software and access network resources. For the Run PowerShell Script task, this account requires local administrator permissions.

Important

Don't use the network access account for this account.

Never make the account a domain admin.

Never set up roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the account. This leaves the profile vulnerable to access on the local computer.

Limit the scope of the account. For example, create different task sequence run as accounts for each task sequence. Then if one account is compromised, only the client computers to which that account has access are compromised.

If the command line requires administrative access on the computer, consider creating a local administrator account solely for this purpose on all computers that run the task sequence. Delete the account once you no longer need it.

User objects that Configuration Manager uses in SQL

Configuration Manager automatically creates and maintains the following user objects in SQL. These objects are located within the Configuration Manager database under Security/Users.

Important

Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. We recommend that you don't make any changes to these objects.

smsdbuser_ReadOnly

This object is used to run queries under the read-only context. Several stored procedures use this object.

smsdbuser_ReadWrite

This object is used to provide permissions for dynamic SQL statements.

smsdbuser_ReportSchema

This object is used to run SQL Reporting executions. The following stored procedure is used with this function: spSRExecQuery.

Database roles that Configuration Manager uses in SQL

Configuration Manager automatically creates and maintains the following role objects in SQL. These roles provide access to specific stored procedures, tables, views, and functions so that each role can perform the actions it needs to retrieve data from or insert data into the Configuration Manager database. These objects are located within the Configuration Manager database under Security/Roles/Database Roles.

Important

Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. Don't change these objects. The following list is for information purposes only.

smsdbrole_AITool

Asset Intelligence volume license import. Configuration Manager grants this permission to user accounts based on RBA access so that they can import volume licenses to be used with Asset Intelligence. The account could be added by a Full Administrator role or an Asset Manager role.

smsdbrole_AIUS

Asset Intelligence update synchronization. Configuration Manager grants the computer account that hosts the Asset Intelligence synchronization point access to get Asset Intelligence proxy data and to view pending AI data for upload.

smsdbrole_AMTSP

Out of band management. This role is used by the Configuration Manager AMT role to retrieve data from devices that support Intel AMT.

Note

This role is deprecated in newer releases of Configuration Manager.

smsdbrole_CRP

Certificate registration point to support Simple Certificate Enrollment Protocol (SCEP). Configuration Manager grants permission to the computer account of the site system that hosts the certificate registration point for SCEP support, for certificate signing and renewal.

smsdbrole_CRPPfx

Certificate registration point PFX support. Configuration Manager grants permission to the computer account of the site system that hosts the certificate registration point configured for PFX support, for signing and renewal.

smsdbrole_DMP

Device management point. Configuration Manager grants this permission to the computer account of a management point that has the option "Allow mobile devices and Mac computers to use this management point" enabled, so that it can support MDM-enrolled devices.

smsdbrole_DmpConnector

Service connection point. Configuration Manager grants this permission to the computer account that hosts the service connection point to retrieve and provide telemetry data, manage cloud services, and retrieve service updates.

smsdbrole_DViewAccess

Distributed views. Configuration Manager grants this permission to the computer account of the primary site servers on the CAS when the SQL Server distributed views option is selected in the replication link properties.

smsdbrole_DWSS

Data warehouse. Configuration Manager grants this permission to the computer account that hosts the data warehouse role.

smsdbrole_EnrollSvr

Enrollment point. Configuration Manager grants this permission to the computer account that hosts the enrollment point to allow for device enrollment via MDM.

smsdbrole_extract

Provides access to all the extended schema views.

smsdbrole_HMSUser

Hierarchy Manager service. Configuration Manager grants permissions to this account to manage failover state messages and SQL Server Broker transactions between sites within a hierarchy.

Note

The smsdbrole_WebPortal role is a member of this role by default.

smsdbrole_MCS

Multicast service. Configuration Manager grants this permission to the computer account of the distribution point that supports multicast.

smsdbrole_MP

Management point. Configuration Manager grants this permission to the computer account that hosts the management point role to provide support for the Configuration Manager clients.

smsdbrole_MPMBAM

Management point Microsoft BitLocker Administration and Monitoring. Configuration Manager grants this permission to the computer account that hosts the management point that manages MBAM for an environment.

smsdbrole_MPUserSvc

Management point application request. Configuration Manager grants this permission to the computer account that hosts the management point to support user-based application requests.

smsdbrole_siteprovider

SMS Provider. Configuration Manager grants this permission to the computer account that hosts an SMS Provider role.

smsdbrole_siteserver

Site server. Configuration Manager grants this permission to the computer account that hosts the primary or CAS site.

smsdbrole_SUP

Software update point. Configuration Manager grants this permission to the computer account that hosts the software update point for working with third-party updates.

smsdbrole_WebPortal

Application Catalog website point. Configuration Manager grants permission to the computer account that hosts the Application Catalog website point to provide user-based application deployment.

smsschm_users

User reporting access. Configuration Manager grants access to the account used as the Reporting services point account to allow access to the SMS reporting views that display the Configuration Manager reporting data. The data is further restricted with the use of RBA.

Elevated permissions

Configuration Manager requires some accounts to have elevated permissions for ongoing operations. For example, see Prerequisites for installing a primary site. The following list summarizes these permissions and the reasons why they're needed.

  • The computer account of the primary site server and central administration site server requires:

    • Local Administrator rights on all site system servers. This permission is used to manage, install, and remove system services. The site server also updates local groups on the site system when you add or remove roles.

    • Sysadmin access to the SQL instance for the site database. This permission is used to configure and manage SQL for the site. Configuration Manager tightly integrates with SQL; it's not just a database.

  • User accounts in the Full Administrator role require:

    • Local Administrator rights on all site servers. This permission is used to view, edit, remove, and install system services, registry keys and values, and WMI objects.

    • Sysadmin access to the SQL instance for the site database. This permission is used to install and update the database during setup or recovery. It's also required for SQL maintenance and operations, for example reindexing and updating statistics.

      Note

      Some organizations may choose to remove sysadmin access and only grant it when it's required. This behavior is sometimes referred to as "just-in-time (JIT) access." In this case, users with the Full Administrator role should still have access to read, update, and execute stored procedures on the Configuration Manager database. These permissions allow them to troubleshoot most issues without full sysadmin access.
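The note above names the standing access a Full Administrator keeps when sysadmin is granted only just-in-time: read, update, and execute stored procedures on the site database. The T-SQL below is an added illustration of one way to express exactly those three rights as database-scoped grants and verify them; it is not a Microsoft-documented procedure. CONTOSO\cm-fulladmin and CM_PS1 are constructed placeholders.

```sql
-- Added example (not from the Configuration Manager documentation): grant a Full
-- Administrator's Windows login the standing access the JIT note describes (read,
-- update, execute stored procedures) without making it a sysadmin, then verify.
-- CONTOSO\cm-fulladmin and CM_PS1 are constructed placeholders.
-- Assumes the server-level login already exists:
--   CREATE LOGIN [CONTOSO\cm-fulladmin] FROM WINDOWS;
USE CM_PS1;
GO

-- 1. Map the Windows login to a user in the site database (idempotent).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\cm-fulladmin')
    CREATE USER [CONTOSO\cm-fulladmin] FOR LOGIN [CONTOSO\cm-fulladmin];
GO

-- 2. Database-scoped grants matching the three rights the note names.
--    SELECT and UPDATE apply to every table and view in the database; EXECUTE applies
--    to every stored procedure and scalar function. Nothing here grants INSERT,
--    DELETE, ALTER, CONTROL, or any server-level role such as sysadmin.
GRANT SELECT, UPDATE, EXECUTE TO [CONTOSO\cm-fulladmin];
GO

-- 3. Verify the effective database-level permissions from the account's own point of
--    view (requires IMPERSONATE on the user; a sysadmin has it). Review the output for
--    anything beyond CONNECT, SELECT, UPDATE, and EXECUTE.
EXECUTE AS USER = N'CONTOSO\cm-fulladmin';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
ORDER  BY permission_name;
REVERT;
GO

-- 4. Confirm the login holds no standing sysadmin membership: a value of 1 means it
--    is still a sysadmin and the JIT model is not in effect for this account.
SELECT IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\cm-fulladmin') AS is_standing_sysadmin;
GO
```

When a maintenance task genuinely needs sysadmin (setup, recovery, reindexing), add the login to the sysadmin server role for the duration of that task and remove it afterwards; the grants above remain in place for day-to-day troubleshooting.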