Configuring Agent Computers to Run in Low-Privilege Scenarios in the Virtual Server 2005 R2 Management Pack

Article
12/08/2008

The MOM agent uses the agent Action Account to access providers and to run responses on the local computer. By default, the Local System account is used. However, you can provide credentials for a domain account or a local computer account.

For the Virtual Server 2005 R2 Management Pack to run in a low-privilege scenario, the agent Action Account on the virtual machine host must be assigned the permissions and rights listed in Table 8.

Table 8 Access Types Required for the Agent Action Account

Source of Requirements	Agent Action Account Requirements
MOM 2005	Required group memberships: Users group Performance Monitor Users group Required user rights (Local Security Settings): “Allow log on locally” permission (SeInteractiveLogonRight) “Manage auditing and security log” permission (SeAuditPrivilege) To assign these user rights to the agent Action Account: On the virtual machine host, in Administrative Tools, open Local Security Settings, expand Local Policies, and then click User Rights. In the list of available rights, add the Action Account to the two required user rights. For more information about security for the Action Account, see Agent Security (https://go.microsoft.com/fwlink/?LinkId=63717) in the Microsoft Operations Manager 2005 Security Guide.
Virtual Server	Required permissions in the Virtual Server security settings: View Control For more information, see the topic on configuring Virtual Server security settings in the Virtual Server Operations Guide (https://go.microsoft.com/fwlink/?LinkId=63718).
Windows Servers Base Operating System Management Pack	To provide the required data for displays and reports, the Action Account also must have the rights and permissions required by the Windows Servers Base Operating System Management Pack. For more information, see the Windows Servers Base Operating System Management Pack Guide (https://go.microsoft.com/fwlink/?LinkId=63726).

MOM 2005

Required group memberships:

Users group
Performance Monitor Users group

Required user rights (Local Security Settings):

“Allow log on locally” permission (SeInteractiveLogonRight)
“Manage auditing and security log” permission (SeAuditPrivilege)
To assign these user rights to the agent Action Account: On the virtual machine host, in Administrative Tools, open Local Security Settings, expand Local Policies, and then click User Rights. In the list of available rights, add the Action Account to the two required user rights.

For more information about security for the Action Account, see Agent Security (https://go.microsoft.com/fwlink/?LinkId=63717) in the Microsoft Operations Manager 2005 Security Guide.

Virtual Server

Required permissions in the Virtual Server security settings:

View
Control

For more information, see the topic on configuring Virtual Server security settings in the Virtual Server Operations Guide (https://go.microsoft.com/fwlink/?LinkId=63718).

Windows Servers Base Operating System Management Pack

To provide the required data for displays and reports, the Action Account also must have the rights and permissions required by the Windows Servers Base Operating System Management Pack. For more information, see the Windows Servers Base Operating System Management Pack Guide (https://go.microsoft.com/fwlink/?LinkId=63726).

The following Management Pack tasks cannot be run using a low-privilege account. These tasks require that the Action Account have administrative rights on the agent computer:

Start Virtual Server
Stop Virtual Server

Share via

Configuring Agent Computers to Run in Low-Privilege Scenarios in the Virtual Server 2005 R2 Management Pack

Additional resources