Prepare your environment for a ConfigMgr 2012 SP1 installation

Once all the prerequisites have been installed and the Active Directory schema has been extended for the ConfigMgr 2012 SP1 installation (see this blog post), we need to prepare the environment before kicking off with the installation.


  • Create a ConfigMgrAdmins group and a CMAdmin user
  • Create a Restricted Groups GPO
  • Create the System Management container
  • Open Windows Firewall ports on Primary Site server and SQL Server

Create a ConfigMgrAdmins group and a CMAdmin user

In this step we’ll be creating a ConfigMgr 2012 SP1 Administrators group called ConfigMgrAdmins and the ConfigMgr Administrator account called CMAdmin. I’ll assume that you have basic knowledge of creating users and groups in Active Directory, so this part will not be a deep dive into each required step.
1. Open Active Directory Users and Computers.
2. Right-click on a OU of your choice (in my case and select New -> User.
3. Type CMAdmin under First name and User logon name. Click Next and complete the wizard.
4. Right-click on an OU of your choice (in this case and select New -> Group.
5. Type ConfigMgrAdmins in the Group name field and click OK.
6. Open the newly created ConfigMgrAdmins group and add CMAdmin as a member.

Create a Restricted Groups GPO

In this step we’ll be creating a GPO that will take care of adding the ConfigMgrAdmins group to the local Administrators group on all ConfigMgr 2012 servers (initially you’ll only have one server, but that will increase in the future most likely).
1. Open the Group Policy Management console.
2. Right-click on the OU where the ConfigMgr servers are located (in this case Servers) and select Create a GPO in this domain, and Link it here.
3. Name the GPO ConfigMgr Local Admins and click OK.
4. Right-click the newly created GPO and select Edit.
5. Expand Computer ConfigurationPoliciesWindows SettingsSecurity Settings, right-click on Restricted Groups and select Add Group.
6. Type ConfigMgrAdmins in the Add Group window and click OK.
7. Click on Add next to Members of this group.
8. Type ConfigMgrAdmins and click OK.
9. Click on Add next to This group is a member of.
10. Type BUILTIN\Administrators and click OK.
11. Click OK and close Group Policy Management Editor and Group Policy Management.
12. On your soon-to-be ConfigMgr 2012 SP1 server, open a command prompt and type gpupdate /force.
13. In the Server Manager Tools tab, open Computer Management.
14. Expand Local Users and GroupsGroups. Open Administrators. You should now see that the CONTOSO\ConfigMgrAdmins group has been added to the local Administrators group.

Create the System Management container

In this step we’ll create the System Management containter in Active Directory for ConfigMgr 2012 SP1 to store e.g. Boundaries data.
1. Open ADSI Edit and connect to the Default naming context.
2. Expand Default naming context and then your domain (in this case DC=contoso,DC=com).
3. Right-click on System and select New -> Object.
4. In the Create Object window, select container and click Next.
5. In the Value field type System Management. Click Next and then FinishNote: It’s really important that you get the spelling correct, otherwise you’ll not be able to install ConfigMgr 2012 SP1.
6. Select System in the left pane, right-click on System Management in the right pane and select Properties.
7. Click on the Security tab and click Add.
8. Click on Object Types, select Computers and click OK.
9. In the Enter the object names to select field, type the name of your soon-to-be ConfigMgr 2012 SP1 server (in this case CM01) and click OK.
10. In Permissions for CM01$, select Full Control in the Allow column and click OK.
Note: You’ll have to add each new site server that you install in your hierarchy with Full Control permissions to the System Management container. 

Open Windows Firewall ports on Primary Site server and SQL Server

Open an elevated PowerShell console and run the following command on your soon-to-be Primary Site server and SQL server:

New-NetFirewallRule -Profile Domain -DisplayName "SQL Ports" -Direction Inbound -Action Allow -LocalPort 1433,4022 -Protocol TCP

That’s it! Now you can go ahead and run the installation of ConfigMgr 2012 SP1.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

Add comment


Categories use cookies to ensure that we give you the best experience on our website.