SCOM BUILTIN\Administrators removal

Fadil Ck 381 Reputation points
2022-11-02T06:56:59.61+00:00

Hi All,

We are using SCOM 2019, as part of SCOM admin user restriction, is there any issues if we remove BUILTIN\Administrators from Operations Manager Administrators user roles and add new group which contains the required users who can access the SCOM including the service accounts?

Thanks in Advance
Fadil CK

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,433 questions
0 comments No comments
{count} votes

Accepted answer
  1. SChalakov 10,371 Reputation points MVP
    2022-11-02T07:10:02.703+00:00

    Hi Fadil (@Fadil Ck ),

    I know this, the presence of the group is labeled as a security violation in some cases:

    The default Builtin\Administrators group must be removed from the SCOM Administrators Role Group.
    https://www.stigviewer.com/stig/microsoft_scom/2021-03-15/finding/V-237437

    You can do this, there is no issue with that, just make sure you add a group with permissions in SCOM first, so that you don't get locked out of the application.

    Here one additional post on the topic, which also confirms what we just discussed:

    SCOM Administrators
    https://learn.microsoft.com/en-us/answers/questions/121182/scom-administrators.html

    I hope I could you out with that!
    Wish you a great day ahead!

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov


1 additional answer

Sort by: Most helpful
  1. SChalakov 10,371 Reputation points MVP
    2022-11-02T09:18:15.447+00:00

    Hi Fadil,

    Yes, "BUILTIN\Administrators" refers to the local Admin group on every server. IT IS the local admin group. This means that if you have accounts in this group, which NEED Admin permisssions in SCOM, you have to add them to the new group that you will be configuring in SCOM.

    Hope I could help you!

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov

    1 person found this answer helpful.
    0 comments No comments