SCOM Administrators

Lim Chong Sun 531 Reputation points
2020-10-09T02:42:58.047+00:00

If I have a few people to administer SCOM, do I have to add them in the OMAdmins global group?

I have tried without adding them. In Operations Console, I can still add their domain account from the role and they will be able to log in to Operations Console.

However, I wonder if it is best practice to add the domain account in OMAdmins?
Also if it is best practice to make domain accounts of SCOM admins members of OMAdmins, what about Operators?

Operations Manager

Accepted answer
  1. Leon Laude 85,651 Reputation points
    2020-10-09T06:33:32.267+00:00

    Hi @Lim Chong Sun ,

    SCOM Best Practice
    As Blake mentioned, the best practice is to create a dedicated Active Directory (AD) group that your SCOM administrators will be members of, then add the AD group to the SCOM Administrator's group.

    The AD group for administrator's role is also a group that the SCOM service accounts can be members of; this makes it easy if you'll be adding additional servers, or upgrading your SCOM servers in the future.

    Also make sure to remove the local administrator group (Server Name\Administrators) from the SCOM Administrator's group and only keep your custom AD group that contains your SCOM administrators.

    The same goes for every SCOM role: create a respective AD group for each role, only if they are used.

    General Best Practice
    You should never assign an AD user a role directly; this can be, for example, a SCOM role or the local administrator group on a server.

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


1 additional answer

  1. Blake Mengotto 26 Reputation points
    2020-10-09T04:23:55.967+00:00

    You should create an AD security group that matches the roles you are going to provision in SCOM. Add members to those groups in AD. Add the groups to the roles in SCOM. Add the AD security group for SCOM admins to the SCOM admin role. Remove Built-in\Administrators from the SCOM admin role group. I wouldn’t recommend adding individual AD accounts to any roles.

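An audit for the practice both answers describe, as an added example that is not part of either answer: it lists SCOM role members that are the local Administrators group or individual accounts rather than AD groups. The function name `Test-ScomRoleMembership`, the `CONTOSO` accounts and the sample role data are constructed; it assumes role objects expose `Name` and `Users`, as the objects returned by `Get-SCOMUserRole` do.

```powershell
# Added example: report SCOM role members that should be replaced by an AD group.
function Test-ScomRoleMembership {
    param(
        # Role objects with Name and Users (list of 'DOMAIN\account' strings).
        [Parameter(Mandatory)] [object[]] $Role,
        # Maps 'DOMAIN\account' to its AD object class ('user', 'group') or $null.
        [Parameter(Mandatory)] [scriptblock] $GetObjectClass
    )
    foreach ($r in $Role) {
        foreach ($member in $r.Users) {
            $finding = $null
            if ($member -match '\\Administrators$') {
                # BUILTIN\Administrators or <server>\Administrators in a SCOM role
                $finding = 'Local Administrators group: remove and use a dedicated AD group'
            } else {
                switch (& $GetObjectClass $member) {
                    'group' { }   # expected: role is granted through an AD group
                    'user'  { $finding = 'Individual account assigned directly: move to the role''s AD group' }
                    default { $finding = 'Could not be resolved in AD: review manually' }
                }
            }
            if ($finding) {
                [pscustomobject]@{ Role = $r.Name; Member = $member; Finding = $finding }
            }
        }
    }
}

# Constructed sample data so the function can be tried without a management group.
$sampleRoles = @(
    [pscustomobject]@{ Name  = 'OperationsManagerAdministrators'
                       Users = @('BUILTIN\Administrators', 'CONTOSO\SCOM-Admins') }
    [pscustomobject]@{ Name  = 'OperationsManagerOperators'
                       Users = @('CONTOSO\SCOM-Operators', 'CONTOSO\jdoe') }
)
$sampleClasses = @{
    'CONTOSO\SCOM-Admins'    = 'group'
    'CONTOSO\SCOM-Operators' = 'group'
    'CONTOSO\jdoe'           = 'user'
}
Test-ScomRoleMembership -Role $sampleRoles -GetObjectClass { param($n) $sampleClasses[$n] } |
    Format-Table -AutoSize

# Live use (assumes the OperationsManager and ActiveDirectory modules are loaded):
# Test-ScomRoleMembership -Role (Get-SCOMUserRole) -GetObjectClass {
#     param($n) (Get-ADObject -Filter "sAMAccountName -eq '$($n.Split('\')[-1])'").ObjectClass }
```

With the sample data it reports `BUILTIN\Administrators` in the administrators role and `CONTOSO\jdoe` in the operators role, and stays silent about the two AD groups.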