Patching DCs and the System account

Jim Campbell

Our security team is worried about the prospect of using a domain admin account to patch domain controllers with an automation principal. We have disabled User Mapping as a result of the numerous issues it has caused on Domain Controllers, and while everything works properly using the automation principal in a test environment, security is hesitant to release the reins of a domain admin account to our team.

With Marimba and SCCM it was apparently not as big a problem, as these tools use the System account rather than a domain admin account to perform tasks such as patching. Is there any way to force the blade agent to use the System account on DCs, preferably while continuing to disable User Mapping? Has this ever been discussed as an option? I am told there is a substantially greater risk of compromise from giving us access to a domain admin account as opposed to the System account on the domain controllers.