Account Information for Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

During the setup and operation of Operations Manager 2007, you will be asked to provide credentials for several accounts. This section begins with the action accounts and then covers the other accounts: the SDK and Config Service, Agent Installation, Data Warehouse Write, and Data Reader accounts.

What Is an Action Account?

Each of the Operations Manager 2007 server roles (root management server, management server, gateway server, and agent) contains a process called MonitoringHost.exe. MonitoringHost.exe is what each server role uses to accomplish monitoring activities, such as executing a monitor or running a task. For example, when an agent subscribes to the event log to read events, it is the MonitoringHost.exe process that runs those activities. The account that a MonitoringHost.exe process runs as is called the action account. The action account for the MonitoringHost.exe process running on an agent is called the agent action account. The action account used by the MonitoringHost.exe process on a management server is called the management server action account. The action account used by the MonitoringHost.exe process on a gateway server is called the gateway server action account.

Agent Action Account

Unless an action has been associated with a Run As Profile, the credentials used to perform the action will be those defined for the action account. For more information about the Run As Profile, see Run As Accounts and Run As Profiles in Operations Manager 2007 in this guide. Some examples of actions include the following:

  • Monitoring and collecting Windows event log data

  • Monitoring and collecting Windows performance counter data

  • Monitoring and collecting Windows Management Instrumentation (WMI) data

  • Running actions such as scripts or batches

MonitoringHost.exe is the process that runs these actions using the credentials specified in the action account. A new instance of MonitoringHost.exe is created for each account.

Using a Low-Privileged Account

When you install Operations Manager 2007, you can choose one of two options while assigning the action account:

  • Local System

  • Domain or Local Account

A common approach is to specify a domain account, which lets you select a user with the fewest privileges necessary for your environment.

On computers running Windows Server 2003, Windows Server 2003 R2, and the Windows Vista operating system, the default action account must have the following minimum privileges:

  • Member of the local Users group

  • Member of the local Performance Monitor Users group

  • Allow log on locally user right (SeInteractiveLogonRight)

Important

The minimum privileges described above are the lowest privileges that Operations Manager 2007 supports for the action account. Other Run As Accounts can have lower privileges. The actual privileges required for the Run As Accounts depend upon which management packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate management pack guide.
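As an added example that is not part of the Operations Manager documentation, the following Windows PowerShell script checks whether a candidate action account meets the minimum listed above on the local computer. The account name CONTOSO\OMAction is a placeholder, and the script must run elevated because secedit exports the local security policy.

```powershell
# Added example: check that a candidate low-privileged action account has the
# minimum listed above on this computer. The account name is a placeholder.
# Run elevated: secedit needs administrator rights to export the policy.
$Account = 'CONTOSO\OMAction'   # hypothetical action account

# Direct local group membership via ADSI (available on Windows Server 2003 hosts).
# Nested membership (for example through Domain Users) is not expanded here.
function Test-LocalGroupMember([string]$Group, [string]$Member) {
    $grp = [ADSI]"WinNT://./$Group,group"
    $names = @($grp.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    # WinNT returns bare names without a domain prefix, so compare the account part.
    $names -contains $Member.Split('\')[-1]
}

# "Allow log on locally" is SeInteractiveLogonRight in the local security policy;
# secedit exports it as a comma-separated list of *SIDs and/or names.
function Test-InteractiveLogonRight([string]$Member) {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $Member
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # Granted directly, or inherited through the local Users group (S-1-5-32-545).
    ($line -match [regex]::Escape($sid)) -or ($line -match 'S-1-5-32-545')
}

$checks = @(
    @{ Name = 'Member of local Users';                         Pass = Test-LocalGroupMember 'Users' $Account }
    @{ Name = 'Member of local Performance Monitor Users';     Pass = Test-LocalGroupMember 'Performance Monitor Users' $Account }
    @{ Name = 'Allow log on locally (SeInteractiveLogonRight)'; Pass = Test-InteractiveLogonRight $Account }
)
foreach ($c in $checks) {
    $status = if ($c.Pass) { 'OK' } else { 'MISSING' }
    Write-Host ("[{0,-7}] {1}" -f $status, $c.Name)
}
```

A MISSING result for the Users group on a domain-joined host may simply mean the account is a member through Domain Users, which this direct check does not expand.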

Keep the following points in mind when choosing credentials for the action account:

  • A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.

  • A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.

  • Using a domain account requires password updating consistent with your password expiration policies.

  • You must stop and then start the System Center Management service if the action account has been configured to use a low-privilege account and that account was added to the required groups while the service was running.

Notification Action Account

The Notification Action Account is a Run As Account that is created by the user to configure notifications. This is the action account that is used for creating and sending notifications. Ensure that the credentials you use for this account have sufficient rights for the SMTP server, instant messaging server, or SIP server that you will use for notifications.

If you change the password for the credentials you entered for the Notification Action Account, you will need to make the same password changes for the Run As Account.

Managing Action Account Credentials

Operations Manager determines the password expiration date of the account you choose and generates an alert 14 days before the account expires. When you change the password in Active Directory, you can change the password for the action account in Operations Manager on the Account tab of the Run As Account Properties page. For more information about managing the action account credentials, see How to Change the Credentials for the Action Account in Operations Manager (https://go.microsoft.com/fwlink/?LinkId=88304).

You can use a Windows PowerShell script, set-ActionAccount.ps1, to set the action account on multiple computers. For more information, see the SC Ops Mgr 2007 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=92596). The script allows you to set the action account on all of the computers defined in a computer group. See How to Set the Action Account on Multiple Computers in Operations Manager 2007 in the Security Guide.

SDK and Config Service Account

The SDK and Config Service account is one set of credentials that is used by the System Center Data Access service and the System Center Management Configuration service to update and read information in the Operations Manager database. Operations Manager ensures that the credentials used for the SDK and Config Service account are assigned to the sdk_user role in the Operations Manager database. The SDK and Config Service account can be configured as either Local System or as a domain account. A local user account is not supported.

If the root management server and the Operations Manager database are on different computers, the SDK and Config Service account will need to be changed to a domain account. For better security, we recommend that you use an account different from the one used for the management server action account. To change these accounts, see the Knowledge Base article How to change the credentials for the OpsMgr SDK Service and for the OpsMgr Config Service in Microsoft System Center Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=112435).

Agent Installation Account

When implementing discovery-based agent deployment, you are prompted for an account with administrator user rights. This account is used to install the agent on the computer, so it must be a local administrator on every computer you are deploying agents to. The management server action account is the default account for agent installation. If the management server action account does not have administrator rights, select Other user account and type an account with administrator rights. The credentials for this account are encrypted before use and discarded afterward.

Data Warehouse Write Account

The Data Warehouse Write Account writes data from the root management server or management server to the Reporting data warehouse and reads data from the Operations Manager database. The credentials you supply for this account will be made a member of the roles according to the application, as described in the following table.

Application                Database/Role        Role/Account
Microsoft SQL Server 2005  OperationsManager    db_datareader
Microsoft SQL Server 2005  OperationsManager    dwsync_user
Microsoft SQL Server 2005  OperationsManagerDW  OpsMgrWriter
Microsoft SQL Server 2005  OperationsManagerDW  db_owner
Operations Manager 2007    User Role            Operations Manager Report Security Administrators
Operations Manager 2007    Run As Account       Data Warehouse Action Account
Operations Manager 2007    Run As Account       Data Warehouse Configuration Synchronization Reader Account

If you change the password for the credentials you entered for the Data Warehouse Write account, you will need to make the same password changes for the following accounts:

  • Run As Account called Data Warehouse Action Account

  • Run As Account called Data Warehouse Configuration Synchronization Reader Account

Data Reader Account

This account is used to deploy reports, to define the user that SQL Server Reporting Services uses to run queries against the Reporting data warehouse, and as the account the SQL Server Reporting Services IIS application pool uses to connect to the root management server. This account is added to the Report Administrator User Profile.

The credentials you supply for this account will be made a member of the roles according to the application, as described in the following table.

Application                Database/Role                           Role/Account
Microsoft SQL Server 2005  Reporting Server Installation Instance  Report Server Execution Account
Microsoft SQL Server 2005  OperationsManagerDW                     OpsMgrReader
Operations Manager 2007    User Role                               Operations Manager Report Security Administrators
Operations Manager 2007    User Role                               Operations Manager Report Operators
Operations Manager 2007    Run As Account                          Data Warehouse Report Deployment Account
IIS                        Application Pool                        ReportServer$<INSTANCE>
Windows Service            SQL Server Reporting Services           Log On account

If you change the password for the credentials you entered for the Data Reader account, you will need to make the same password changes for the following accounts:

  • Report Server Execution Account

  • The SQL Server Reporting Services service account on the computer hosting SQL Server Reporting Services (SRS)

  • The IIS ReportServer$<INSTANCE> Application Pool account

  • Run As Account called Data Warehouse Report Deployment Account
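As an added example that is not part of the Operations Manager documentation, the following Windows PowerShell script verifies that the Data Warehouse Write account and the Data Reader account hold the SQL Server database roles listed in the two tables above. The account names CONTOSO\OMDWWrite and CONTOSO\OMDWRead and the instance name SQLSERVER01 are placeholders, and the script connects as the current Windows user, who needs read access to both databases.

```powershell
# Added example: verify that the Data Warehouse Write and Data Reader accounts hold
# the SQL Server database roles listed in the tables above. Names are placeholders.
$SqlInstance = 'SQLSERVER01'   # hypothetical SQL Server 2005 instance hosting both databases

# Expected role membership per account and database, taken from the tables.
$Expected = @{
    'CONTOSO\OMDWWrite' = @{   # hypothetical Data Warehouse Write Account
        'OperationsManager'   = @('db_datareader', 'dwsync_user')
        'OperationsManagerDW' = @('OpsMgrWriter', 'db_owner')
    }
    'CONTOSO\OMDWRead'  = @{   # hypothetical Data Reader Account
        'OperationsManagerDW' = @('OpsMgrReader')
    }
}

# Match the login by SID rather than name, so the check still works when the
# database user was created under a name that differs from the Windows login.
$Query = @"
SELECT r.name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON drm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON drm.member_principal_id = m.principal_id
WHERE m.sid = SUSER_SID(@account)
"@

function Get-DbRoles([string]$Database, [string]$Account) {
    $cs   = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    [void]$cmd.Parameters.AddWithValue('@account', $Account)
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }   # emit each role name
    } finally { $conn.Close() }
}

$missing = 0
foreach ($account in $Expected.Keys) {
    foreach ($db in $Expected[$account].Keys) {
        $actual = @(Get-DbRoles $db $account)
        foreach ($role in $Expected[$account][$db]) {
            if ($actual -contains $role) { Write-Host "[OK]      $db : $account is in $role" }
            else { Write-Host "[MISSING] $db : $account is not in $role"; $missing++ }
        }
    }
}
if ($missing -gt 0) { exit 1 }
```

The non-SQL rows of the second table (the IIS application pool identity and the Reporting Services service log-on account) are not covered by this query and must be checked on the Reporting Services computer itself.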

See Also

Tasks

How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the SDK and Config Service Accounts in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Set the Action Account on Multiple Computers in Operations Manager 2007