Low-Privilege Environments

Applies To: Operations Manager 2007, System Center 2012 - Operations Manager, System Center 2012 R2 Operations Manager, System Center 2012 SP1 - Operations Manager, Windows Server 2012, Windows Server 2012 R2

The Windows Operating System Management Pack uses the agent action account to perform discovery and run rules, tasks, and monitors. The agent action account can run as Local System or as a named account. When running as Local System, the agent action account has all of the rights needed to perform discovery and run rules, tasks, and monitors.

Important

A low-privilege account can be used only on computers running Windows Server 2008 or Windows Server 2003. On computers running Windows 2000 Server, the action account must be a member of the local Administrators security group or run as Local System.

Using a low-privilege domain account requires password updating that is consistent with your password expiration policies.

Using a Low-Privilege Account

You can use a low-privilege account for the agent action account; however, a number of rules and monitors require elevated rights. On computers running Windows Server 2008 or Windows Server 2003, the low-privilege account must meet the following requirements:

  • Member of the local users group

  • Member of the local Performance Monitor Users group

  • Granted Log On Locally rights
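
One way to audit a candidate account against the three requirements above, as an added example that is not part of the management pack guide. The account name is a placeholder, the script assumes an elevated PowerShell session on the agent computer, and it resolves direct group membership only.

```powershell
# Added example, not from the management pack guide. Run elevated on the agent computer.
param([string]$Account = 'CONTOSO\svc-opsmgr-action')  # placeholder account name

function ConvertTo-Sid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# SIDs of the direct members of a built-in local group, given its well-known SID.
function Get-GroupMemberSid([string]$GroupSid) {
    $gs    = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
    $name  = $gs.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

# SIDs that hold a user right, read from a secedit export of the local security policy.
function Get-UserRightHolder([string]$Right) {
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }
        foreach ($e in ($line -split '=', 2)[1].Split(',')) {
            $e = $e.Trim()   # entries are "*<SID>" or, for some accounts, a plain name
            if ($e.StartsWith('*')) { $e.Substring(1) } else { ConvertTo-Sid $e }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

$sid     = ConvertTo-Sid $Account
$groups  = @{ Users = 'S-1-5-32-545'; PerfMonUsers = 'S-1-5-32-558'; Administrators = 'S-1-5-32-544' }
$inGroup = @{}
foreach ($g in $groups.Keys) { $inGroup[$g] = (Get-GroupMemberSid $groups[$g]) -contains $sid }

# Log On Locally counts as granted if the account or one of its checked groups holds it.
$holders  = Get-UserRightHolder 'SeInteractiveLogonRight'
$viaGroup = $groups.Keys | Where-Object { $inGroup[$_] -and ($holders -contains $groups[$_]) }

New-Object PSObject -Property @{
    Account                   = $Account
    InUsers                   = $inGroup['Users']
    InPerformanceMonitorUsers = $inGroup['PerfMonUsers']
    InAdministrators          = $inGroup['Administrators']   # expected False for a low-privilege account
    LogOnLocally              = ($holders -contains $sid) -or [bool]$viaGroup
}
```

A domain account that reaches the local Users group only through a nested domain group is reported as `InUsers = False`, so confirm such cases by hand.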

Three of the monitors and object discoveries in the Windows Operating System Management Pack require a high-privilege account to function:

  • Mount Point Discovery

  • Physical Disk Discovery

  • Monitoring the Computer Browser service

In addition, the following tasks related to Windows Server 2008 require a high-privilege account:

  • Top CPU Usage

  • Display Active Sessions

  • Display Server Statistics

These rules and monitors are configured to use the Privileged Monitoring Account Run As Profile, which defaults to Local System and does not need to be associated with any Run As account and target computer. As a result, the rules and monitors that need a high-privilege account require no user intervention.

If your requirements stipulate that only a low-privilege account is to be used in your environment, use overrides to disable the three monitors and object discoveries.