
Ouch...!

10/22/09 | by Jannes Alink | Categories: System Center, ConfigMgr

Sometimes I do a review of existing ConfigMgr environments. Most of these environments have extended the Active Directory schema, which is always a good idea. It saves you lots of administrative tasks and configuration.

ConfigMgr needs access to the schema, and one of the things I always check in those environments is how the rights in Active Directory are configured. Today I found that all the ConfigMgr computer accounts were members of the Domain Admin group! Well... never seen that before!

Let me clarify; this is not required at all.

The schema extension allows ConfigMgr to publish data in an AD container named 'System Management', which is a sub-container of the Active Directory System container.

The System Management container is not created by default, so this should be done by hand with the ADSIEDIT tool.
All the site server computer accounts must have Full Control rights on this 'System Management' sub-container and all child objects in order to publish their data. An important note: Secondary Sites also need those permissions.

So, hopefully once and for all: all ConfigMgr Site Server computer accounts need Full Control rights on only the 'System Management' container and all child objects.
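One way to run the same review check with PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and read access to the domain; the site server names are constructed placeholders.

```powershell
# Added example: audit ConfigMgr site server computer accounts in Active Directory.
Import-Module ActiveDirectory

# Placeholder names (constructed): replace with your primary and secondary site servers.
$SiteServers = @('CM-PRIMARY01', 'CM-SECONDARY01')

$domain    = Get-ADDomain
$container = "CN=System Management,CN=System,$($domain.DistinguishedName)"

# 1. Computer accounts that are Domain Admins members, directly or via nested groups.
#    The group is looked up by its well-known SID (<domain SID>-512).
$daSid       = "$($domain.DomainSID.Value)-512"
$daComputers = @(Get-ADGroupMember -Identity $daSid -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty SamAccountName)

# 2. Read the ACL on the System Management container through the AD: drive.
if (-not (Test-Path "AD:\$container")) {
    Write-Warning "Container not found: $container"
    return
}
$acl = Get-Acl -Path "AD:\$container"

# Full Control on an AD object is the GenericAll right.
$ga = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($name in $SiteServers) {
    $sam = $name + '$'   # computer accounts carry a trailing $ in sAMAccountName
    $id  = "$($domain.NetBIOSName)\$sam"

    # Allow ACEs granted directly to this computer account with Full Control,
    # applied to this object and all descendants (InheritanceType 'All').
    $full = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $id -and
        ([int]$_.ActiveDirectoryRights -band $ga) -eq $ga -and
        $_.InheritanceType -eq 'All'
    }

    [pscustomobject]@{
        SiteServer             = $name
        InDomainAdmins         = $daComputers -contains $sam
        FullControlOnContainer = [bool]$full
    }
}
```

The expected result for every site server is `InDomainAdmins = False` and `FullControlOnContainer = True`. Only ACEs granted directly to the computer account are matched, so rights delegated through a group show up as `False` here.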


Hi,

I'm Jannes Alink and welcome to my blog! I live in the Netherlands and have been working in the IT industry for more than 8 years. I work as a freelance consultant at Alinja and deliver projects around the globe. Currently on a project in Abu Dhabi (UAE).

Posts are just my personal opinion.
