Proxy Service Account Permissions

To access web dashboards and trends

This permission set also allows scheduling for Builder actions and kiosk profile application in Right Click Tools.

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory
  • db_datareader in Configuration Manager SQL server database
  • Read-only access to Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: Some actions won't work, such as adding to or removing from a collection.

To elevate permissions

  • Local administrator access on all devices managed by Right Click Tools or Privilege Manager

NOTE: Some actions won't work, such as adding to or removing from a collection.

To add or remove from collections

  • Permission to modify a collection in Configuration Manager (ConfigMgr Collection > Modify permission)

To run actions as a service account

  • Local admin on any device that actions will be run against
  • Read/Write permissions in Active Directory (Write is only required to delete devices from AD)
  • Appropriate ConfigMgr Security Role for intended actions in the Configuration Manager console (Full Administrator for all actions)
  • Permission to MBAM, if applicable

For Fast Channel support

  • Permission to run scripts in Configuration Manager 

If using Read-only Analyst in ConfigMgr as your base security role, also grant the following privileges:

  • Collection > Run Script = Yes 
  • SMS Scripts > Read = True

To collect warranty information with Endpoint Insights

  • If your Recast Management Server is installed on a server other than your Configuration Manager SQL database, the proxy account must be added to the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> local group on that server. This allows it to read from and write to your inboxes\auth\ddm.box, which is required to gather warranty data.
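
To confirm that the proxy account holds the grants listed above and nothing broader in SQL, the following PowerShell audit can be run on the server whose local groups you want to inspect. It is an added example, not Recast's own tooling; the account name, site code, SQL server name and the CM_<SiteCode> database name are assumed placeholders to replace with your own values.

```powershell
# Added example: audits grants for a proxy service account. All default values are placeholders.
param(
    [string]$Account   = 'CONTOSO\svc-recastproxy',  # hypothetical proxy service account
    [string]$SiteCode  = 'XYZ',                      # placeholder site code
    [string]$SqlServer = 'cm-sql.contoso.example'    # placeholder ConfigMgr SQL server
)

function Test-DirectLocalMember {
    param([string]$Group, [string]$Member)
    # Returns $null if the group does not exist on this machine.
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) { return $null }
    # Direct membership only: access inherited through a nested domain group is not detected,
    # and any lookup error is reported as "not a member".
    try { [bool](Get-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop) }
    catch { $false }
}

function Get-DatabaseRoles {
    param([string]$Server, [string]$Database, [string]$Principal)
    # Lists database roles held by a database user with exactly this name.
    # Roles obtained through a Windows group login do not appear here.
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Server;Database=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT r.name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @principal
'@
    [void]$cmd.Parameters.AddWithValue('@principal', $Principal)
    $roles = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
    } finally { $conn.Dispose() }
    $roles
}

# Assumption: the site database uses the conventional CM_<SiteCode> name.
$roles = @(Get-DatabaseRoles -Server $SqlServer -Database "CM_$SiteCode" -Principal $Account)
[pscustomobject]@{
    LocalAdministrator = Test-DirectLocalMember 'Administrators' $Account
    SiteSystemMpGroup  = Test-DirectLocalMember "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode" $Account
    HasDbDataReader    = $roles -contains 'db_datareader'
    ExtraDbRoles       = ($roles | Where-Object { $_ -ne 'db_datareader' }) -join ', '
}
```

A non-empty ExtraDbRoles value means the account holds more than the db_datareader role this page calls for and should be reviewed.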