Operations Manager 2007 Accounts
To communicate with various Operations Manager 2007 components, the Operations Manager 2007 Root Management Server requires two accounts: the Management Server action account and the SDK and Config Service account. You are required to specify credentials for these accounts during installation. When pushing out an agent, you will be required to provide credentials for the Computer Discovery account and the Agent action account.
If you install Operations Manager 2007 Reporting, you need to specify credentials for two accounts: the Data Warehouse Write account and the Data Reader account.
When you deploy an agent, you are prompted for an account that has Administrator rights on the computers you will install the agent on.
Action Account
The action account is used to gather information about, and run responses on, the managed computer (a managed computer being either a Management Server or a computer with an agent installed). The MonitoringHost.exe processes run under the action account or a specific Run As Account. There might be more than one MonitoringHost.exe process running on the agent at any given time.
Some of the actions that MonitoringHost.exe performs include:
- Monitoring and collecting Windows event log data.
- Monitoring and collecting Windows performance counter data.
- Monitoring and collecting Windows Management Instrumentation (WMI) data.
- Running actions such as scripts or batches.
The separation of the Health Service process from the single and multiple uses of the MonitoringHost process means that if a script running on the managed computer stalls or fails, the functionality of the OpsMgr Service or other responses on the managed computer will not be affected.
The action account can be managed through the Default action account located in Run As Profiles. For more information, see How to Change the Credentials for the Action Account in Operations Manager 2007.
Using a Low-Privileged Account
When you install Operations Manager 2007, you have the option of specifying either a domain account or using Local System. The more secure approach is to specify a domain account which allows you to select a user with the least amount of privileges necessary for your environment.
You can use a low-privileged account for the agent’s action account. On computers running Windows Server 2003 and Windows Vista, the account must have the following minimum privileges:
- Member of the local Users group
- Member of the local Performance Monitor Users group
- “Allow log on locally” permission (SetInteractiveLogonRight)
Important
The minimum privileges described above are the lowest privileges that Operations Manager 2007 supports for the Action account. Other Run As accounts can have lower privileges. The actual privileges required for the Action account and the Run As accounts will depend upon which Management Packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate Management Pack Guide.
Keep the following points in mind when choosing an credentials for the Management Server Action Account:
- A low-privileged account can be used only on computers running Windows Server 2003 and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
- Using a low-privileged domain account requires password updating consistent with your password expiration policies.
- You cannot enable Agentless Exception Monitoring (AEM) on a Management Server with a low-privileged action account.
- The Action account must be assigned the Manage Auditing and Security log privilege by using Local or Global policy, if a Management Pack is to read the event in the Security Event log.
- If the Root Management Server and the Operations Manager database are not located on the same computer and you have selected Domain or Local Computer Account, then the user you specify must be a domain account. A local user account will be unable to access the Operations Manager database and setup will fail.
Important
You cannot enable Agentless Exception Monitoring (AEM) on a Management Server with a low-privileged action account.
Action Accounts and the Operations Manager Database
You assigned credentials to the action account when you installed Operations Manager 2007. By default, the action account has access to the Operations Manager database. To increase security, you can remove access to the Operations Manager database from the action account and create a new separate Run As Account for accessing the Operations Manager database. For more information, see How to Create a New Run As Account for Accessing the Operations Manager Database in Operations Manager 2007 and How to Create a New Action Account in Operations Manager 2007.
SDK and Config Service Account
The SDK and Config Service account is used by the OpsMgr SDK Service and OpsMgr Config Service to update information in the Operations Manager database. The credentials used for the SDK and Configuration action account will be assigned to the sdk_user role in the Operations Manager database.
The account used for the SDK and Config Service account must have local administrative rights on the Root Management Server computer. The account should be either a Domain User or Local System. The use of Local User account is not supported. We recommended you use a different account from the one used for the Management Server Action Account.
Note
If the Operations Manager database is installed on a computer separate from the Root Management Server and Local System is selected for the SDK and Config Service account, the computer account from the Management Server computer will be assigned to the sdk_user role on the Operations Manager database computer.
Agent Installation Account
When implementing discovery-based agent deployment, you are prompted for an account with Administrator privileges. This account is used to install the agent on the computer, and therefore it must be a local administrator on all the computers you are deploying agents to. This account is encrypted before being used and then discarded.
Notification Action Account
This is the action account which is used for creating and sending notifications. Ensure that the credentials you use for this account have sufficient rights for the SMTP server, instant messaging server, or SIP server that you will use for notifications.
See Also
Tasks
How to Change the Credentials for the Action Account in Operations Manager 2007
How to Create a New Action Account in Operations Manager 2007
How to Create a New Run As Account for Accessing the Operations Manager Database in Operations Manager 2007
How to Create a Run As Account in Operations Manager 2007
How to Create a Run As Profile in Operations Manager 2007
Concepts
Run As Profiles and Run As Accounts in Operations Manager 2007
Other Resources
About Security in Operations Manager 2007
How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007
Security Considerations in Operations Manager 2007