This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 41%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Hi, having migrated most on-premises services to the cloud we are left with Windows Servers running different roles (DCs, DHCP, ...)/hosting apps + SQL Servers. Currently SCOM Action Account has very high privileges hence I would like to apply the least privilege concept without compromising monitoring. I guess it does not have to be domain admin/local admin on any Windows Server plus be sysadmin on any SQL Server? What are minimum permissions SCOM Action Account needs?
Also what are pros and cons of removing this account from SCOM altogether and using Local System as SCOM Action Account? If I am not mistaken starting with SCOM 2019 UR1, gMSA is also supported as SCOM Action Account but again I need a list of minimum permissions it needs to avoid over-permission (domain admin/local admin/sysadmin ...).
Finally, which approach suits the best mostly from security perspective?
One thing to note - in the list of monitored servers, all but 2 are using SYSTEM as Action Account? Does it mean "replacing" SCOM Action Account with SYSTEM on these 2 would make domain SCOM Action Account completely redundant since SYSTEM account should suffice in terms of permissions on any given server.
Thank you very much in advance.