Hi; An external audit has flagged up the membership of our AD "Domain Admins" group has too many accounts. Having reviewed the membership, I notice that the SCCM Service Account and the SCCM server computer object are both listed. What do I need to do to remove these from the Domain Admins group without impacting on the current SCCM infrastructure? Regards Mark

There's no need for Domain Admins when it comes to ConfigMgr. What's the "SCCM Service Account"? There's none. What is it used for? ConfigMgr services run in local system context and don't have to be added to the domain admins. The computer account in ConfigMgr only needs access (full control) to the System Management container and needs to be put to the local admins groups on the clients (if you want to use client push and no explicit client push installation account).Torsten Meringer | http://www.mssccmfaq.de

Apologies, it is set up as the Network Access account and is also used to add clients to the domain as part of the OSD.