Security Considerations

You may need to customize your management pack. Certain accounts cannot run in a low-privilege environment, or must be granted a minimum set of permissions.

Low-privilege environments

The Remote Desktop Services Management Pack uses the agent action account to perform discovery and to run rules, tasks, and monitors. The agent action account can run as Local System or as a named account. When running as Local System, the agent action account has all the privileges needed to discover objects and to run rules, tasks, and monitors.

To use the Remote Desktop Services Management Pack in a low-privilege environment, the account must have the following privileges on the target computer:

  • Must be a member of the local Users group

  • Must be a member of the local Performance Monitor Users group

  • Must be granted the Log On Locally user right
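
One way to check a named agent action account against these three requirements on a target computer, as an added example that is not part of the management pack or its guide. The account name is a placeholder, and the script assumes Windows PowerShell 5.1 or later in an elevated session; it checks direct group membership only.

```powershell
# Added example: audit a named action account on the local (target) computer.
# Run in an elevated Windows PowerShell 5.1+ session (secedit needs admin rights).
param([string]$Account = 'CONTOSO\svc-rdsmp')   # placeholder account name (assumption)

$ErrorActionPreference = 'Stop'
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Well-known SIDs are used so the check also works on localized Windows builds.
$requiredGroups = [ordered]@{
    'Users'                     = 'S-1-5-32-545'
    'Performance Monitor Users' = 'S-1-5-32-558'
}

# Identities through which the account can hold a user right: itself, plus any
# required group it turns out to be a direct member of.
$identities = @($sid, $Account, $Account.Split('\')[-1])

$report = @(foreach ($name in $requiredGroups.Keys) {
    $groupSid = [System.Security.Principal.SecurityIdentifier]$requiredGroups[$name]
    # Direct members only: membership through a nested domain group is not
    # expanded here and must be reviewed separately.
    $memberSids = @(Get-LocalGroupMember -SID $groupSid | ForEach-Object { $_.SID.Value })
    $isMember = $memberSids -contains $sid
    if ($isMember) { $identities += $groupSid.Value }
    [pscustomobject]@{ Requirement = "Member of local $name group"; Met = $isMember }
})

# Export only the user-rights section of the effective local security policy.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

# SeInteractiveLogonRight is the policy constant for "Allow log on locally".
# Entries are SIDs prefixed with '*' or plain account names.
$granted = @(("$line" -split '=', 2)[-1] -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
$hasRight = [bool]($identities | Where-Object { $granted -contains $_ })
$report += [pscustomobject]@{ Requirement = 'Log On Locally user right'; Met = $hasRight }

$report | Format-Table -AutoSize
```

A requirement reported as not met may still be satisfied through a nested domain group, so treat a False row as a prompt to review rather than as a final verdict.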

Computer groups

You can delegate authority to a precise level with user roles. For more information about user roles, see Role-based Security in Operations Manager 2007 on Microsoft TechNet.

In the Remote Desktop Services Management Pack, you can scope and authorize roles by using the Remote Desktop Services Computer Group, which is a group that contains all computers running Remote Desktop Services.

Agentless monitoring

You can use the Remote Desktop Services Management Pack to monitor agentless-managed computers. However, to run a task on an agentless-managed computer, you must change the action account to an account that has access to the target computer.