HSLockdown for domain controllers

richard scott 106 Reputation points
2020-08-25T16:28:17.897+00:00

Afternoon All

I am currently trying to build a case to add SCOM agents on to domain controllers with the help of the HSLockdown tool, however I cannot confirm whether this Lockdown tool can be defined against a GMSA account.

Has anybody tried this?

SCOM version is OM2019 UR1 (soon to be 2)

Many Thanks

Richard


Accepted answer
  1. Crystal-MSFT 44,406 Reputation points Microsoft Vendor
    2020-08-26T02:49:18.657+00:00

    Hi Richard,

    As far as I know, when deploying SCOM agents to domain controllers, we might see them go into a heartbeat failed state. We need to remove the explicit deny for Local System and add it to the allowed list with the following command:
    HSLockdown.exe /A "NT AUTHORITY\SYSTEM"

    Here is an article for the reference: (Although the article is for SCOM 2016, it is also applied to SCOM 2019 UR1)
    https://kevinholman.com/2016/11/04/deploying-scom-2016-agents-to-domain-controllers-some-assembly-required/
    Note: Non-Microsoft link, just for the reference.

    From your description, I know you want to use the lockdown tool to define permission for the GMSA account. If the error on the DC is also with this account, we can add it to the allowed list. Based on my test, the answer to your question is yes.

    The account used in HSLockdown needs to be specified in one of the following fully qualified domain name (FQDN) formats:

    • NetBIOS: DOMAIN\username
    • UPN: username@fqdn.com

    We can check the msDS-PrincipalName of the GMSA account and assign the permission using the following command:
    HSLockdown.exe /A <msDS-PrincipalName of the GMSA account>
    Note: please change the information to the one in your environment.


    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.

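The steps in the accepted answer (look up the gMSA's msDS-PrincipalName, pass it to HSLockdown /A, confirm the allowed list) as an added PowerShell example; this is not code from the thread or from the HSLockdown tool. It assumes the RSAT ActiveDirectory module is installed, the agent sits in its default install path, and a placeholder gMSA named svc-scomagent.

```powershell
# Added example (not from the thread): add a gMSA to the Health Service
# allowed list with HSLockdown and verify the result.
# Assumptions: ActiveDirectory module available, default agent path,
# placeholder gMSA sAMAccountName 'svc-scomagent' (without the trailing $).
$GmsaName   = 'svc-scomagent'
$HsLockdown = 'C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe'

Import-Module ActiveDirectory

# For a gMSA, msDS-PrincipalName is DOMAIN\name$, i.e. the NetBIOS form
# HSLockdown accepts (the other accepted form is the UPN name@fqdn).
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties 'msDS-PrincipalName'
$principal = $gmsa.'msDS-PrincipalName'
if (-not $principal) { throw "gMSA '$GmsaName' not found or msDS-PrincipalName is empty" }

if (-not (Test-Path $HsLockdown)) { throw "HSLockdown.exe not found at $HsLockdown" }

# Show the current allowed/denied lists before changing anything.
Write-Host "--- HSLockdown state before ---"
& $HsLockdown /L

# Add the gMSA to the allowed list. On a domain controller the thread also
# adds NT AUTHORITY\SYSTEM, which the agent needs there.
& $HsLockdown /A $principal

# HSLockdown only updates the registry; the Health Service must be restarted
# before the new allowed entry takes effect.
Restart-Service -Name HealthService

# Confirm the account now appears in the allowed list.
$after = & $HsLockdown /L
if ($after | Select-String -SimpleMatch $principal) {
    Write-Host "'$principal' is present in the HSLockdown list"
} else {
    Write-Warning "'$principal' not found in HSLockdown output; review /L output manually"
}
```

Run it elevated on the agent host; /L is only a text listing, so the final check is a sanity check, not a guarantee that the account has the rights the agent action account itself needs.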

1 additional answer

  1. CyrAz 5,181 Reputation points
    2020-08-26T16:54:36.057+00:00

    I see one issue here : I don't believe it is supported to run the SCOM agent using a GMSA in the first place...
