Some organizations might not allow the use of domain administrator privileges for MOM service accounts because of the organization’s security policy. You can avoid assigning domain administrator privileges to MOM service accounts by running some of the accounts under the Local System security context.
The advantages of running as Local System are that the password for this account is never exposed (and cannot be compromised), and that the password for this account is exempt from forced password changes due to global policy settings. However, using a Local System account requires more planning and administration.
The remainder of this section details the impact of using a Local System account on various MOM components.
OnePoint Database
The MSSQLSERVER and SQLSERVERAGENT services on the server hosting the OnePoint database can be run as Local System without negatively affecting the functionality of MOM. However, you must use the domain account for the SQLSERVERAGENT service to use either the Snapshot Agent, Merge Agent, or Distribution Agent. MOM does not use these components.
DAS and CAM Components
The DAS and CAM components cannot be run as Local System in a distributed installation, because they can’t perform certain tasks, such as restarting a service on a remote computer or properly accessing the OnePoint database.
Agent Accounts
The agent service is the OnePoint service on the agent and runs, by default, under the Local System account. The account under which this service runs can be changed. For more information, see "Changing the Agent Service Account" section in Chapter 8, "MOM Agent Management."
Note:
-
When running an agent on a server with Microsoft Exchange 5.5, some rules do not function properly if the agent is running as Local System. To enable these rules correctly, you must change the agent service account to a domain user account. This account must have privileges equivalent to the Local System account, such as a member of the local administrators group.
Group Policy
The CAM account must be given local administrator rights on all managed servers. Group Policy is one way of achieving this without using a domain administrator account. Using Group Policy might not always be the best solution, because not all managed servers necessarily reside within the same organizational unit in Active Directory. This makes using Group Policy objects to insert the CAM account into your managed computers more difficult. However, if you have established Group Policy in your organization, and your hierarchy is not highly complex, this might be the best option for you. For more information about Group Policy, see your Windows documentation.
VBScript
You can incorporate the following lines of sample text into your script to insert the CAM account into the managed computer: &ComputerName& is the name of the managed server into which you plan to insert the CAM account and &DomainName& is the name of the domain in which the CAM account belongs. The script must be invoked by a user with domain administrator privileges. The following sample code shows how such a script might work. The creation and testing of the script is beyond the scope of this document.
Set GroupObj = GetObject("WinNT://"&ComputerName &"/Administrators")
GroupObj.Add ("WinNT://" &DomainName& "/" &Account)
Note: