This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
According to the docs, discovery and installation of the agent is done by the 'Management Server Action Account'. But the docs do not say where to find or how to create such an account.
In my accounts section, I have two action accounts - one is a domain service account and the other is the builtin system account. Is one of these the 'Management Server Action Account?'. If one is then it needs to be a local administrator on all my servers in order to install the agent?
Currently I have to supply my own account to discover and install and was looking to set up another account to do that but the docs arent clear on how to do that.
Thanks
David
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 70%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
If you want to identify the Default Action Account for a specific Management Server / Agent in SCOM (meaning the credentials that the Health Service on that server will use by default to run it's workflows, unless another profile is specified on the workflow), you can go to Administration --> Run As Profiles --> open the Default Action Account profile and then in the Run As Accounts tab of that pop-up, you can search for your Server and see which Run As Account is mapped as Default Action Account for the Server.
Indeed, is a bad security practice to provide Local Administrator permissions of the SCOM Action Account (which is probably the default action account on your Management Servers) on the servers you target with the discovery wizard. The recommendation here is to specify alternative credentials in the Discovery Wizard and use an account with Local Admin persmissions.
BR,
George
I believe you are correct. The action account needs to be local admin for remote install. It is common to use alternate credentials with the deployment wizard when this is not the case. That or deploy the agent using SCCM.
So by default, which action account does it use? There is nothing in my console that specifically says 'Management Server Action Account'.
If you look at the RunAs account configuration in the Administration workspace, it is the only configured domain account. This will be the default account used for all SCOM actions.
So you either give that account admin access to all servers or you add another account which has that access as an action account?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
No, forget about it and use alternative credentials in the wizard or use a deployment tool such as sccm as already suggested.
You should never ever grant admin permissions to all your monitored servers to the MS Action Account.
Even if it's the default option in the wizard, it's a terrible security practice.