A. By default, SCCM will try to use its own computer account to deploy the SCCM client to systems. However, it's unlikely that this account will be a member of the client's local administrators group, so it's best to configure the account to use for client deployment. Do the following:
- Navigate to Site Database, Site Management,
, Site Settings, Client Installation Methods.
- Right-click Client Push Installation and select Properties.
- Do NOT check Enable Client Push Installation to assigned resources. This would automatically deploy the agent to any system discovered that meets the selected system types, such as servers and workstations. (Obviously, if you do want this automatic deployment, then check the option.)
- Select the Accounts tab.
- Click New and enter the domain account that has administrative rights on the client, and then its password twice. Note that you can specify multiple accounts and set the order in which they should be used. SCCM will go down the list in order until it finds an account with administrative rights on the client. If no accounts are listed or none of them work, the SCCM computer account will be used. Take care which account you use, because you don't really want to use the main domain administrator account. You just need an account that has administrator rights on the target systems, which you could do by adding the account to the local administrators group through Group Policy Restricted Groups settings.
- Note that the Client tab allows you to configure the site code to use for the deployed clients. However, the site code is normally automatically discovered, so make sure your clients are within the boundary of your SCCM sites.
- Click OK.
You can now deploy clients using the Install Client action for discovered systems
If you have problems deploying the client, look at the ccm.log file on the SCCM server, found in the C:\Program Files \\[(x86)\\]\Microsoft Configuration Manager\Logs folder. Use the SMS Trace utility, which is part of the SCCM 2007 Toolkit, to view the log files for easier reading (you could use Notepad). In the example below, you can see an attempt that failed because no account was specified. It tried to use the SCCM computer account, which didn't have the necessary permissions.
If you need to troubleshoot at the client level based on information on the server, look at ccmsetup.log on the client (found in the C:\Windows\ccmsetup folder). It will give more detail if the problem is client-side. You can also check the event log.