[Today's post comes to us courtesy of Mark Stanfill]
By default, EBS configures SCE to use the domain administrator account used during setup as the Default Action Account and also as the Data Warehouse account. These accounts are used to accomplish monitoring activities, such as executing a monitor or running a task. Using the built-in administrator is a reasonable setting for many environments, but there may be domains where it is desirable to change the account. The scenarios where it may be desirable to change the default account include:
Note: In this article, we will refer to the default account as the Administrator account. If you installed EBS with a different Domain Admin account, substitute that account in the steps below.
To create a new Run As account, first create a new domain user account using the steps outlined in http://technet.microsoft.com/en-us/library/cc463410.aspx. Make the user a member of Domain Admins and the Performance Monitor Users group. If desired, modify the password expiration setting on the account; if the password is allowed to expire, every Run As account and SQL login that uses it must be updated at the same time or monitoring will stop. Because the account will log on locally to the EBS Management Server, it does not require a CAL.
By default, the account will have "User must change password at next logon" checked. This must be deselected, or the Run As account will fail to log on.
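The account creation above can be scripted. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) is available, and the account name SCEAction, the OU path and the domain are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module is available;
# SCEAction and the OU path below are placeholders.
Import-Module ActiveDirectory

$Name     = 'SCEAction'
$OuPath   = 'OU=Service Accounts,DC=contoso,DC=local'   # placeholder: your own OU
$Password = Read-Host -AsSecureString 'Password for the new Run As account'

$props = @{
    Name                  = $Name
    SamAccountName        = $Name
    Path                  = $OuPath
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $false   # clears "User must change password at next logon"
    PasswordNeverExpires  = $true    # optional; if omitted, plan the password rotation
}
New-ADUser @props

# Group memberships the post calls for (Domain Admins for the management packs,
# Performance Monitor Users for the counters the monitors read).
foreach ($group in 'Domain Admins', 'Performance Monitor Users') {
    Add-ADGroupMember -Identity $group -Members $Name
}

# Verify: pwdLastSet of 0 means the must-change-password flag is still set.
$user = Get-ADUser $Name -Properties MemberOf, PasswordNeverExpires, pwdLastSet
if ($user.pwdLastSet -eq 0) {
    Write-Warning "Must-change-password is still set on $Name; the Run As account will not log on."
}
$user.MemberOf | ForEach-Object { ($_ -split ',')[0] }   # lists CN=Domain Admins, CN=Performance Monitor Users
```

Run it as a Domain Admin on the Management Server or an administration workstation; the last line is the check that both group memberships took effect before you continue with the Run As account wizard.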
Most installations of EBS will make the Run As account a member of the Domain Admins group and the Performance Monitor Users group for ease of use and to prevent Management Pack errors. Using a lower-privileged account requires a working knowledge of every MP installed on the system. If you choose to go down this route, make sure you read the deployment guides for the MPs installed on your system and understand the user rights needed. This would include the 9 MPs installed on EBS by default.
The minimum privileges required for an action account are:
http://technet.microsoft.com/en-us/library/bb735419.aspx provides more details about running SCE and SCOM with low-privileged accounts. Of particular note from the article are the points:
- A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
- A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.
- Using a domain account requires password updating consistent with your password expiration policies.
- You must stop and then start OpsMgr Health Service if the action account has been configured to use a low-privilege account and the low-privilege account was added to the required groups while the OpsMgr Health Service was running.
Once the account has been created and "User must change password at next logon" deselected, you are ready to create the new Run As Account.
1. Open the SCE Console and navigate to Administration\Security\Run As Accounts. Right-click and choose "Create Run As Account..."
Note: The administration node is shown as only an icon in the SCE console by default. Click on the gear icon in the lower left-hand corner to access administration.
2. Click Next on the Introduction screen. On the General screen, select Action Account from the "Run As Account type:" drop-down menu. Fill out a display name and description if desired. Click Next to continue.
3. On the Account screen, type in the logon name of the Windows account you created and type the password in both the Password and Confirm password fields. Verify the domain name. Click Create to add the Run As account.
4. Again run the Create Run As Account Wizard. This time, choose Windows for the "Run As Account type:". Follow the prompts to complete the wizard.
5. Navigate to Administration\Security\Run As Profiles. Double-click on the Default Action Account. Locate the Run As Account Entry on the Management Server (it should be DOMAIN\Administrator), and click "Edit...".
6. On the Edit dialog, select the new Run As Account from the drop-down menu and click OK. Click OK again to dismiss the account properties dialog.
7. Repeat the process for these accounts:
8. Optionally, navigate back to Administration\Security\Run As Accounts and delete the DOMAIN\Administrator and Data Warehouse Action Account Run As accounts. Do this only after confirming that no Run As profile still references them; the accounts may also be left in place if desired.
9. Open SQL Server Management Studio Express (Start\All Programs\Microsoft SQL Server 2005\SQL Server Management Studio Express). Connect to your Management Server's SCE instance (MANAGEMENTSERVERNAME\SCE).
10. Navigate to Security\Logins under the MANAGEMENTSERVER\SCE instance, right-click on Logins and choose "New Login...". Use the Search button to locate your new account. Keep the defaults of Windows Authentication, Default Database, Default Language.
11. Navigate to Databases\OperationsManager\Security\Users. Right-click on Users and choose "New User...". Create a new SQL user account with the following settings:
12. Navigate to Databases\OperationsManagerDW\Security\Users. Right-click on Users and choose "New User...". Create a new SQL user account with the following settings:
13. Navigate to Databases\OperationsManagerDW\Tables\dbo.ManagementGroup. Right-click on dbo.ManagementGroup and choose Open table. In the resulting table on the right-hand side, locate the WriterLoginName column. It should be populated with an entry for DOMAIN\Administrator. Click on the entry and enter the name of the SCE account in the form DOMAIN\SCEAccount, where "SCEAccount" is the account name of your new account.
14. Restart the following services:
15. Check Event Viewer for any relevant errors.
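Steps 9 through 13 and the check in step 15 can also be done from PowerShell against the SCE instance, which makes the change repeatable (for example after the replacement-mode reinstall noted below). This is an added example, not code from the original post: it assumes PowerShell 2.0 or later, that it is run on the Management Server as a SQL sysadmin (the setup Administrator qualifies), and that MANAGEMENTSERVERNAME\SCE, DOMAIN\Administrator and DOMAIN\SCEAction are placeholders. The post does not list the database user settings for steps 11 and 12, so the script gives the new user exactly the database role memberships the account it replaces already holds, rather than guessing at them.

```powershell
# Added example (not from the original post). Placeholders: instance and account names below.
param(
    [string]$Instance   = 'MANAGEMENTSERVERNAME\SCE',
    [string]$OldAccount = 'DOMAIN\Administrator',
    [string]$NewAccount = 'DOMAIN\SCEAction'
)

function Invoke-Sql {
    # Runs one T-SQL batch with Windows authentication; returns a DataTable of the first result set.
    param([string]$Database, [string]$Query, [hashtable]$Params = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
        $table = New-Object System.Data.DataTable
        [void](New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($table)
        return ,$table   # leading comma keeps PowerShell from unrolling the table into rows
    } finally { $conn.Close() }
}

# Identifiers cannot be passed as parameters, so bracket-quote them (']' doubled) for the DDL.
function Quote-Name([string]$n) { '[' + $n.Replace(']', ']]') + ']' }
$q = Quote-Name $NewAccount

# Step 10: server login with Windows authentication (idempotent).
$loginSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @name)
    CREATE LOGIN $q FROM WINDOWS;
"@
[void](Invoke-Sql 'master' $loginSql @{ name = $NewAccount })

# Steps 11 and 12: a user in each SCE database, holding the same roles as the old account.
$rolesSql = @"
SELECT r.name FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @old;
"@
foreach ($db in 'OperationsManager', 'OperationsManagerDW') {
    [void](Invoke-Sql $db "IF DATABASE_PRINCIPAL_ID(@name) IS NULL CREATE USER $q FOR LOGIN $q;" @{ name = $NewAccount })
    $roles = Invoke-Sql $db $rolesSql @{ old = $OldAccount }
    foreach ($row in $roles.Rows) {
        [void](Invoke-Sql $db 'EXEC sp_addrolemember @rolename = @role, @membername = @member;' `
            @{ role = $row.name; member = $NewAccount })
    }
}

# Step 13: repoint the data warehouse writer and confirm exactly one row changed.
$updateSql = @"
UPDATE dbo.ManagementGroup SET WriterLoginName = @new WHERE WriterLoginName = @old;
SELECT @@ROWCOUNT AS Updated;
"@
$result = Invoke-Sql 'OperationsManagerDW' $updateSql @{ new = $NewAccount; old = $OldAccount }
if ($result.Rows[0].Updated -ne 1) {
    Write-Warning "WriterLoginName was not '$OldAccount'; inspect dbo.ManagementGroup by hand."
}
(Invoke-Sql 'OperationsManagerDW' 'SELECT WriterLoginName FROM dbo.ManagementGroup;').Rows |
    ForEach-Object { "WriterLoginName is now: $($_.WriterLoginName)" }

# Step 15, after the services in step 14 have been restarted: recent errors from the OpsMgr log.
Get-EventLog -LogName 'Operations Manager' -EntryType Error -Newest 20 |
    Format-Table TimeGenerated, EventID, Source, Message -AutoSize
```

The UPDATE is deliberately keyed on the old WriterLoginName so that running the script twice, or against a server whose writer was already changed, does not silently overwrite a value you did not expect; the warning tells you to look at the table instead. The service restarts in step 14 are still done as the post describes before the event log check is meaningful.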
1. If you perform a replacement mode installation or uninstall and reinstall SCE, the account will be set back to the domain administrator account used during installation and must be reset.
2. If the Administrator's password has expired or been reset as described here, you must first ensure that the server is reporting back correctly as described in the linked article. Failure to do so will result in the DOMAIN\Administrator (Alternate Account) being re-designated as the Default Run As Account every time the OpsMgr Health Service is restarted.
3. Renaming the Administrator account has the same effect as changing the Run As account to use another Active Directory account, and the steps above must be followed. In general, it is better to disable the account than to rename it: renaming defeats few real attacks, because the built-in Administrator is identified by its well-known RID (500) regardless of its name, while a rename still breaks every Run As account and SQL login that references the old name.
4. For a general reference on changing SCOM/SCE accounts, see http://blogs.technet.com/cliveeastwood/archive/2007/06/22/kb936220-amended-how-to-change-the-credentials-for-the-opsmgr-sdk-service-and-for-the-opsmgr-config-service-in-microsoft-system-center-operations-manager-2007.aspx
5. As always, make sure you have a complete system backup before making these changes.
Special thanks to Sam Allen for his assistance in writing this article.