Accounts Required During Setup

Applies To: System Center Service Manager 2010

You will need to provide credentials for the following accounts during the installation of the Service Manager and data warehouse management servers.

Note

The user and group accounts required for the installation of Service Manager must reside in the Users OU in Active Directory.

Accounts Used During the Installation of a Service Manager Management Server

Columns: Account | Permissions | How It Is Used In Service Manager

Management group administrators

  • Must be a domain user or group.

    Important

    The user account that is logged into the computer during installation of an initial Service Manager management server is automatically added to this group.

  • Added to the Service Manager Administrators user role.

Service Manager services account

  • Must be a domain user or group.

  • Must be a member of the local Administrators group.

  • Becomes the Operational System Account.

  • Assigned as the logon account for the System Center Data Access Service.

  • Assigned as the logon account for the System Center Management Configuration service.

  • Becomes a member of the sdk_users and configsvc_users database roles for the Service Manager database.

  • If you change the credentials for these two services, you need to make sure that the new account has a SQL login for the ServiceManager database and that this account is a member of the Builtin\Administrators group.

Workflow account

  • Must be a domain user or group.

  • Must have permissions to send e-mail and must have a mailbox on the SMTP server (required for the E-mail Incident feature).

  • Must be a member of the Users local security group.

  • Must be made a member of the Service Manager Administrators user role in order for e-mail notifications to function properly.

  • This account is used for all workflows and is made a member of the Service Manager Workflows user role.

Security Best Practices for Accounts

When assigning Active Directory accounts for use with Service Manager Run As Accounts, it is a best practice to use service accounts. We strongly recommend against using Active Directory user accounts associated with individual people.

For more information about security best practices, download a copy of the Windows Server 2008 Security Guide, which is now part of the Windows Server 2008 Security Compliance Management Toolkit at https://go.microsoft.com/fwlink/?LinkId=167160, and The Services and Service Accounts Security Planning Guide at https://go.microsoft.com/fwlink/?LinkID=58270.

Accounts Used During the Installation of the Data Warehouse Management Server

Columns: Account | Permissions | How It Is Used In Service Manager

Management group administrators

  • Must be a domain user or group.

  • Added to the data warehouse administrators user role.

Service Manager account

  • Must be a domain user or group.

  • Must be a member of the local Administrators group on the data warehouse management server.

  • Becomes the data warehouse system Run As account.

  • Assigned to ServiceManager SDK Service account.

  • Assigned to ServiceManager Config account.

  • Becomes a member of the sdk_users and configsvc_users database roles for the DWDataMart database.

  • Becomes a member of the db_datareader database role for the DWRepository database.

  • Becomes a member of the configsvc_users database role for the Service Manager database.

Reporting account

  • Must be a domain account.

  • Used by SQL Server Reporting Services to access the DWDataMart database to get data for reporting.

  • Becomes a member of the db_datareader database role for the DWDataMart database.

  • Becomes a member of the reportuser database role for the DWDataMart database.
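The two tables above fix the database roles each account must hold (sdk_users and configsvc_users on ServiceManager for the services account; sdk_users, configsvc_users, db_datareader and configsvc_users across DWDataMart, DWRepository and ServiceManager for the data warehouse account; db_datareader and reportuser on DWDataMart for the reporting account). The script below is an added example, not code from the Service Manager documentation or product: it reads the SQL Server catalog views to confirm that an account still has a server login and holds exactly the documented roles, and flags any extra role as something to review. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller can read sys.* views, and that instance and account names such as SQL01\SCSM and CONTOSO\svc-scsm are placeholders for this site.

```powershell
# Added example: verify a Service Manager account's SQL login and database roles.
# Assumes the SqlServer module (Invoke-Sqlcmd); instance/account names are placeholders.
Import-Module SqlServer -ErrorAction Stop

function Test-SqlLoginExists {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $LoginName      # 'DOMAIN\name' (Windows login)
    )
    $safe = $LoginName.Replace("'", "''")               # escape for the literal below
    $row  = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query @"
SELECT COUNT(*) AS Hits FROM sys.server_principals WHERE name = N'$safe';
"@
    return ([int]$row.Hits -gt 0)
}

function Get-DatabaseRolesForLogin {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $LoginName
    )
    $safe = $LoginName.Replace("'", "''")
    # Join database user to server login on SID, so a renamed database user is still found.
    $query = @"
SELECT r.name AS RoleName
FROM sys.database_role_members AS drm
JOIN sys.database_principals  AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals  AS u ON u.principal_id = drm.member_principal_id
JOIN sys.server_principals    AS l ON l.sid = u.sid
WHERE l.name = N'$safe';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
        ForEach-Object { $_.RoleName }
}

function Test-ServiceAccountDbRoles {
    param(
        [Parameter(Mandatory)] [string]    $ServerInstance,
        [Parameter(Mandatory)] [string]    $LoginName,
        # Database name -> roles the setup tables say this account must hold.
        [Parameter(Mandatory)] [hashtable] $ExpectedRoles
    )
    if (-not (Test-SqlLoginExists -ServerInstance $ServerInstance -LoginName $LoginName)) {
        Write-Warning "No SQL login for $LoginName on $ServerInstance"
    }
    foreach ($db in $ExpectedRoles.Keys) {
        $held    = @(Get-DatabaseRolesForLogin -ServerInstance $ServerInstance -Database $db -LoginName $LoginName)
        $missing = @($ExpectedRoles[$db] | Where-Object { $held -notcontains $_ })
        # Roles beyond the documented set widen what a compromised service account can reach.
        $extra   = @($held | Where-Object { $ExpectedRoles[$db] -notcontains $_ -and $_ -ne 'public' })
        [pscustomobject]@{
            Database  = $db
            Held      = $held
            Missing   = $missing
            Extra     = $extra
            Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        }
    }
}

# Management server services account (roles from the first table).
Test-ServiceAccountDbRoles -ServerInstance 'SQL01\SCSM' -LoginName 'CONTOSO\svc-scsm' -ExpectedRoles @{
    'ServiceManager' = @('sdk_users', 'configsvc_users')
}

# Data warehouse Service Manager account and reporting account (roles from the second table).
# Adjust the instance if the ServiceManager database lives on a different SQL Server.
Test-ServiceAccountDbRoles -ServerInstance 'SQL02\SCSMDW' -LoginName 'CONTOSO\svc-scsmdw' -ExpectedRoles @{
    'DWDataMart'     = @('sdk_users', 'configsvc_users')
    'DWRepository'   = @('db_datareader')
    'ServiceManager' = @('configsvc_users')
}
Test-ServiceAccountDbRoles -ServerInstance 'SQL02\SCSMDW' -LoginName 'CONTOSO\svc-scsmrpt' -ExpectedRoles @{
    'DWDataMart'     = @('db_datareader', 'reportuser')
}
```

Run it after changing service credentials (the case the first table calls out) or as a periodic check; a non-empty Extra column, for example db_owner or sysadmin-equivalent roles on the data mart, is the finding worth acting on, since the documented roles are the minimum the product needs.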

Registering the Service Manager Management Group with Data Warehouse Management Group

As part of the installation process, you will register the Service Manager management group with the data warehouse management group. During this process, you will be prompted to provide credentials. The account credentials you provide must be a domain account. Furthermore, you will need to provide an account with the following permissions.

  • Must be a member of the Administrator user role in both the Service Manager and data warehouse management groups.

  • Must be a member of the local Administrators group on the data warehouse management server.

Accounts Required for Creating Connectors

When creating connectors, you will be asked for credentials that the connector will use to perform its function. The following table outlines the permissions that this account will need and describes best practices for high security.

Operations Manager 2007 Alert Connector

Permissions:

  • Must be a domain account.

  • Must be a member of the Users local security group on the Service Manager management server.

  • Must be an Operations Manager 2007 Administrator.

Best practice: Domain account specifically created for this purpose that is only in the Users local security group and in an Administrator user role in Operations Manager and in an Advanced Operator user role in Service Manager.

Operations Manager 2007 CI Connector

Permissions:

  • Must be a domain account.

  • Must be a member of the Users local security group on the management server.

  • Must be an Operations Manager 2007 Operator.

Best practice: Domain account specifically created for this purpose that is only in the Users local security group and in an Operator user role in Operations Manager and in an Advanced Operator user role in Service Manager.

Active Directory Connector

Permissions:

  • Must be a domain account.

  • Must be a member of the Users local security group on the Service Manager management server.

  • Must have permissions to bind to the domain controller that the connector will read data from.

  • Needs generic read rights on the objects that are being synchronized into the Service Manager database from Active Directory.

Best practice: Domain account specifically created for this purpose that is only in the Users local security group and in an Advanced Operator user role in Service Manager and has read-only permissions in Active Directory.

Configuration Manager 2007 Connector

Permissions:

  • Must be a domain account.

  • Must be a member of the Users local security group on the Service Manager management server.

Best practice: Domain account specifically created for this purpose that is only in the Users local security group, must be a member of the smsdbrole_extract and db_datareader roles on the System Center Configuration Manager database, and in an Advanced Operator user role in Service Manager.
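Every connector entry above, and the workflow account earlier on the page, shares the same local-machine requirement: the account sits in the Users local security group on the management server and in nothing more privileged, while the services account is the one exception that must be a local administrator. The script below is an added example, not code from the Service Manager documentation: it lists the local groups an account belongs to on the server it runs on and compares them with that requirement. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroup, Get-LocalGroupMember) and that the account names are placeholders; the list of groups treated as "too privileged" is this example's own choice.

```powershell
# Added example: confirm a Service Manager connector/workflow account holds only the
# local group memberships the setup tables describe. Account names are placeholders.

function Get-LocalGroupsForAccount {
    param([Parameter(Mandatory)] [string] $Account)   # 'DOMAIN\name'
    # Direct memberships only: Get-LocalGroupMember does not expand nested domain
    # groups, so access granted through a domain group must be checked in AD separately.
    Get-LocalGroup | Where-Object {
        $members = @(Get-LocalGroupMember -Name $_.Name -ErrorAction SilentlyContinue)
        $members.Name -contains $Account
    } | ForEach-Object { $_.Name }
}

function Test-LeastPrivilegeLocalMembership {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [string[]] $MustBeIn    = @('Users'),
        # Groups a connector account has no documented need for (example's own list).
        [string[]] $MustNotBeIn = @('Administrators', 'Remote Desktop Users',
                                    'Backup Operators', 'Hyper-V Administrators')
    )
    $groups  = @(Get-LocalGroupsForAccount -Account $Account)
    $missing = @($MustBeIn    | Where-Object { $groups -notcontains $_ })
    $excess  = @($MustNotBeIn | Where-Object { $groups -contains $_ })
    [pscustomobject]@{
        Account   = $Account
        Groups    = $groups
        Missing   = $missing
        Excess    = $excess
        Compliant = ($missing.Count -eq 0 -and $excess.Count -eq 0)
    }
}

# Connector and workflow accounts: Users only, never Administrators.
'CONTOSO\svc-scsm-adconn', 'CONTOSO\svc-scsm-omconn', 'CONTOSO\svc-scsm-wf' |
    ForEach-Object { Test-LeastPrivilegeLocalMembership -Account $_ }

# The services account is the documented exception: it must be a local administrator.
Test-LeastPrivilegeLocalMembership -Account 'CONTOSO\svc-scsm' `
    -MustBeIn @('Administrators') -MustNotBeIn @()
```

Because a domain user is a member of Users implicitly through NT AUTHORITY\Authenticated Users, a Missing value of Users usually means the account was never added directly rather than that it lacks access; the Excess column is the result that matters, since a connector account found in Administrators has far more reach on the management server than the Advanced Operator role the best-practice column intends.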
