Granting permissions to the System container

The ConfigMgr server, after extending the Active Directory schema, is able to save core configuration data in the Active Directory database inside the System Management container. Thanks to these pieces of information, clients are able to find the assigned ConfigMgr server and establish connection with it. Any changes made to the management point role are also saved and stored in the Active Directory database.

There are two ways of the System Management container creation:

• The container can be created manually and grant permissions to the ConfigMgr computer account
• ConfigMgr creates it by itself thanks to the granted permissions

To manually create the System Management container using the Active Directory Users and Computers console, follow these steps:

1. Run the console, highlight the System container, right-click on it, and choose Properties:

1. On the Security tab, click on Add... to add a computer account for the ConfigMgr server:

1. By default, the system does not show computer accounts when adding permissions. To see them, we need to check Computers in the Object Types... section and click on OK:

1. We fill in the computer name, and to ensure that we typed it correctly, we click on Check Names and then we click on OK:

1. The next step is to add permissions to the computer AD account. Highlight the computer account visible on the Security tab and click on Advanced:

1. Windows Advanced Security Settings for System appears. Highlight the ConfigMgr computer account and choose Edit:

1. On the Permission Entry for System tab, check Full control and change the Applies to section to This object and all descendant objects:

1. After granting permissions, click on OK thrice. At this point, the environment is prepared for ConfigMgr to create the System Management container on its own and save the configuration data in there.