SCCM On Domain Controllers


We have 40+ domain controllers and have been reluctant to use SCCM for managing their monthly Windows Updates.  Our security team points out that since SCCM runs under the SYSTEM account, the SCCM team could run scripts to create a user and elevate that user's privileges fairly easily. 


Question: Is there a way in SCCM to separate these domain controllers and control who can manage them? We would like only the domain admins to have access to these domain controllers.




best response confirmed by LL10890 (Copper Contributor)

Hi @LL10890,

The answer is yes, in SCCM (System Center Configuration Manager), you can separate and control access to domain controllers to ensure that only authorized individuals or groups (in your case Domain Admins) can manage them.

Here's how you can achieve this:

- Create a specific group in SCCM for your domain controllers. This group will include all the domain controller machines.

Create collections in Configuration Manager.

- Assign the necessary administrative roles to the users or groups who should have access to manage the domain controllers. In this case, you would grant Domain Admins access to the domain controller group.

Role-based administration fundamentals - Configuration Manager | Microsoft Learn
Configure role-based administration - Configuration Manager | Microsoft Learn

- Configure the security settings in SCCM to restrict access to the domain controller group. This way, only users or groups with the designated roles and permissions will be able to view and manage the domain controllers within SCCM.

Manage clients - Configuration Manager | Microsoft Learn

By following these steps, you can effectively separate and control who can manage the domain controllers in SCCM. 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.

Kindest regards

Leon Pavesic
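The delegation described in the reply above, as an added example that is not part of the thread and not Microsoft's documentation code. It uses the ConfigurationManager PowerShell module to build a query-based device collection of domain controllers, put it in its own security scope, strip the Default scope from it, and grant one AD group the Software Update Manager role limited to that scope and collection. The site code `PS1`, the group `CONTOSO\Tier0-Admins`, the scope and collection names, and the console path are assumptions; substitute your own.

```powershell
# Added example (not from the thread or from Microsoft): delegate a Tier 0
# device collection in Configuration Manager with role-based administration.
# Assumptions (hypothetical values): site code PS1, AD group CONTOSO\Tier0-Admins,
# console installed on this machine so $ENV:SMS_ADMIN_UI_PATH is set.

$SiteCode   = 'PS1'                     # assumed site code
$Tier0Group = 'CONTOSO\Tier0-Admins'    # assumed AD group (e.g. Domain Admins)
$ScopeName  = 'Tier0-DomainControllers' # assumed security scope name
$CollName   = 'Tier 0 - Domain Controllers'

Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# 1. Device collection whose membership comes from the Domain Controllers
#    primary group (well-known RID 516), so newly promoted DCs join automatically
#    on the next periodic refresh.
$coll = New-CMDeviceCollection -Name $CollName `
    -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic `
    -Comment 'Tier 0: domain controllers only'

$wql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.PrimaryGroupID = 516
'@
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
    -RuleName 'Domain Controllers (PrimaryGroupID 516)' `
    -QueryExpression $wql

# 2. Dedicated security scope. Tag the collection with it and remove the
#    Default scope, otherwise every admin holding Default still sees it.
New-CMSecurityScope -Name $ScopeName -Description 'Tier 0 objects' | Out-Null
Add-CMObjectSecurityScope    -InputObject $coll -Name $ScopeName
Remove-CMObjectSecurityScope -InputObject $coll -Name 'Default' -Force

# 3. Administrative user: one role, one scope, one collection.
New-CMAdministrativeUser -Name $Tier0Group `
    -RoleName 'Software Update Manager' `
    -SecurityScopeName $ScopeName `
    -CollectionName $CollName | Out-Null

# 4. Verification: show what the new administrative user is limited to.
Get-CMAdministrativeUser -Name $Tier0Group |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Run this from an account that already holds the Full Administrator role. Note what it does and does not give you: console users outside the scope can no longer see or target the collection, but, as the next reply in the thread points out, anyone with Full Administrator rights, the site server computer account, and any service account with rights on the site database can still reach these devices, so this delegation limits the console, not the site's own Tier 0 footprint.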

Thanks for the information and recommendations.
This is what I was looking for.

Your security team is right - any software installed on domain controllers should be considered Tier 0.
While you may delegate domain controller access within Config Manager as explained above, Config Manager admins will be able to easily bypass or disable it, making them effectively Domain Admins. This is also true for some service accounts tied to Config Manager.

There is no one-size-fits-all solution for this. A good compromise would be to build a dedicated WSUS server for all Tier 0 servers.

Good point. Thanks for the additional information.