We're no longer updating this content regularly. Check the Microsoft Product Lifecycle for information about how this product, service, technology, or API is supported.
You will need to provide credentials for the following accounts during the installation of the Service Manager and data warehouse management servers.
Note: The user and group accounts required for the installation of Service Manager must reside in the Users OU in Active Directory.
Accounts Used During the Installation of a Service Manager Management Server
| Account | Permissions | How It Is Used In Service Manager |
| --- | --- | --- |
| Management group administrators | Must be a domain user or group. Important: The user account that is logged into the computer during installation of an initial Service Manager management server is automatically added to this group. | Added to the Service Manager Administrators user role. |
| Service Manager services account | Must be a domain user or group. Must be a member of local administrators. | Becomes the Operational System Account. Assigned to the log on account for the System Center Data Access Service. Assigned to the log on account for the System Center Management Configuration service. Becomes a member of the sdk_users and configsvc_users database roles for the Service Manager database. If you change the credentials for these two services, you need to make sure that the new account has a SQL Login in the ServiceManager database and that this account is a member of the Builtin\Administrators group. |
| Workflow account | Must be a domain user or group. Must have permissions to send e-mail and must have a mailbox on the SMTP server (required for the E-mail Incident feature). Must be a member of the Users local security group. Must be made a member of the Service Manager Administrators user role in order for e-mail notifications to function properly. | This account is used for all workflows and is made a member of the Service Manager Workflows user role. |
Security Best Practices for Accounts
When assigning Active Directory accounts for use with Service Manager Run As Accounts, it is a best practice to use service accounts. We strongly recommend against using Active Directory user accounts associated with individual people.
Accounts Used During the Installation of the Data Warehouse Management Server
| Account | Permissions | How It Is Used In Service Manager |
| --- | --- | --- |
| Management group administrators | Must be a domain user or group. | Added to the data warehouse administrators user role. |
| Service Manager account | Must be a domain user or group. Must be a member of local administrators on the data warehouse management server. | Becomes the data warehouse system Run As account. Assigned to ServiceManager SDK Service account. Assigned to ServiceManager Config account. Becomes a member of the sdk_users and configsvc_users database roles for the DWDataMart database. Becomes a member of the db_datareader database role for the DWRepository database. Becomes a member of the configsvc_users database role for the Service Manager database. |
| Reporting account | Must be a domain account. | Used by SQL Server Reporting Services to access the DWDataMart database to get data for reporting. Becomes a member of the db_datareader database role for the DWDataMart database. Becomes a member of the reportuser database role for the DWDataMart database. |
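The database role memberships listed in the two tables above can be checked after setup, or after the credentials of the services are changed. The following T-SQL is an added example, not part of the Service Manager documentation; the CONTOSO account names are placeholders, and it assumes the databases keep the names used on this page.

```sql
-- Added example. CONTOSO\... names are placeholder accounts, not values from this page.
-- Run on each SQL Server instance that hosts one of the databases named below.
-- Only direct role membership is checked; access granted through a Windows group
-- that is itself the role member shows up as MISSING for the individual account.
SET NOCOUNT ON;
CREATE TABLE #expected (db sysname, role_name sysname, account sysname);
INSERT INTO #expected (db, role_name, account) VALUES
    (N'ServiceManager', N'sdk_users',       N'CONTOSO\svc-sm'),     -- Service Manager services account
    (N'ServiceManager', N'configsvc_users', N'CONTOSO\svc-sm'),
    (N'ServiceManager', N'configsvc_users', N'CONTOSO\svc-smdw'),   -- data warehouse Service Manager account
    (N'DWDataMart',     N'sdk_users',       N'CONTOSO\svc-smdw'),
    (N'DWDataMart',     N'configsvc_users', N'CONTOSO\svc-smdw'),
    (N'DWRepository',   N'db_datareader',   N'CONTOSO\svc-smdw'),
    (N'DWDataMart',     N'db_datareader',   N'CONTOSO\svc-smrpt'),  -- Reporting account
    (N'DWDataMart',     N'reportuser',      N'CONTOSO\svc-smrpt');
CREATE TABLE #actual (db sysname, role_name sysname, account nvarchar(128) NULL);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT DISTINCT db FROM #expected WHERE DB_ID(db) IS NOT NULL;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Resolve each role member to its login name through the SID, so a database
    -- user whose name differs from the login is still matched.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #actual (db, role_name, account)
        SELECT @db, r.name, SUSER_SNAME(m.sid)
        FROM sys.database_role_members AS drm
        JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id;';
    EXEC sp_executesql @sql, N'@db sysname', @db = @db;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT e.db, e.role_name, e.account,
       CASE WHEN DB_ID(e.db) IS NULL          THEN 'database not on this instance'
            WHEN SUSER_ID(e.account) IS NULL  THEN 'no SQL login for account'
            WHEN a.account IS NULL            THEN 'MISSING role membership'
            ELSE 'ok' END AS status
FROM #expected AS e
LEFT JOIN #actual AS a
       ON a.db = e.db AND a.role_name = e.role_name AND a.account = e.account
ORDER BY e.db, e.role_name, e.account;

DROP TABLE #expected, #actual;
```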
Registering the Service Manager Management Group with Data Warehouse Management Group
As part of the installation process, you will register the Service Manager management group with the data warehouse management group. During this process, you will be prompted for credentials. The account you provide must be a domain account and must have the following permissions:
Must be a member of the Administrator user role in both the Service Manager and data warehouse management groups.
Must be a member of the users local administrator group on the data warehouse management server.
Accounts Required for Creating Connectors
When creating connectors, you will be asked for credentials that the connector will use to perform its function. The following table outlines the permissions that this account will need and describes best practices for high security.
Operations Manager 2007 Alert Connector
| Permissions | Best Practices |
| --- | --- |
| Must be a domain account. Must be a member of the Users local security group on the Service Manager management server. Must be an Operations Manager 2007 Administrator. | Domain account specifically created for this purpose that is only in the Users local security group and in an Administrator user role in Operations Manager and in an Advanced Operator user role in Service Manager. |
Operations Manager 2007 CI Connector
| Permissions | Best Practices |
| --- | --- |
| Must be a domain account. Must be a member of the Users local security group on the management server. Must be an Operations Manager 2007 Operator. | Domain account specifically created for this purpose that is only in the Users local security group and in an Operator user role in Operations Manager and in an Advanced Operator user role in Service Manager. |
Active Directory Connector
| Permissions | Best Practices |
| --- | --- |
| Must be a domain account. Must be a member of the Users local security group on the Service Manager management server. Must have permissions to bind to the domain controller that the connector will read data from. Needs generic read rights on the objects that are being synchronized into the Service Manager database from Active Directory. | Domain account specifically created for this purpose that is only in the Users local security group and in an Advanced Operator user role in Service Manager and has read-only permissions in Active Directory. |
Configuration Manager 2007 Connector
| Permissions | Best Practices |
| --- | --- |
| Must be a domain account. Must be a member of the Users local security group on the Service Manager management server. | Domain account specifically created for this purpose that is only in the Users local security group, is a member of the smsdbrole_extract and db_datareader database roles on the System Center Configuration Manager database, and is in an Advanced Operator user role in Service Manager. |