SCOM Action Account (SCOM 2019)

Bojan Zivkovic 21 Reputation points
2022-04-03T14:10:47.6+00:00

Hi, having migrated most on-premises services to the cloud, we are left with Windows Servers running different roles (DCs, DHCP, ...)/hosting apps + SQL Servers. Currently the SCOM Action Account has very high privileges, hence I would like to apply the least privilege concept without compromising monitoring. I guess it does not have to be domain admin/local admin on any Windows Server plus be sysadmin on any SQL Server? What are the minimum permissions the SCOM Action Account needs?

Also, what are the pros and cons of removing this account from SCOM altogether and using Local System as the SCOM Action Account? If I am not mistaken, starting with SCOM 2019 UR1, gMSA is also supported as the SCOM Action Account, but again I need a list of the minimum permissions it needs to avoid over-permission (domain admin/local admin/sysadmin ...).

Finally, which approach suits best, mostly from a security perspective?

One thing to note - in the list of monitored servers, all but 2 are using SYSTEM as Action Account. Does it mean "replacing" SCOM Action Account with SYSTEM on these 2 would make the domain SCOM Action Account completely redundant, since the SYSTEM account should suffice in terms of permissions on any given server?

Thank you very much in advance.

Operations Manager