About service accounts

Applies To: Forefront Client Security

This topic provides steps for identifying service accounts, changing service account passwords, and updating the services after you've changed service account passwords.

It is recommended that you change the passwords assigned to accounts that run services. When you change a service account password, you must perform the applicable procedures listed later in this topic. For example, if you use a single account for the action account, DTS account, and DAS account, you must perform the procedure associated with each account to keep Client Security operating correctly.

This topic provides steps for identifying the accounts that run services.

The service accounts used by Client Security are as follows:

  • Reporting

  • Data Access Server (DAS)

  • Data Transformation Services (DTS)

  • Action

Determining service accounts in use

To determine the reporting account

  1. In a browser, open the Report Manager. The following URL is the default:

    https://ReportingServer/Reports/Pages/Folder.aspx

  2. Click Microsoft Operations Manager Reporting, and then click Microsoft Forefront Client Security.

  3. Click OnePoint, and then under Credentials stored securely in the report server, locate the service account in the User name field.

  4. In the browser, click the back button to navigate back to the Microsoft Forefront Client Security page. Click SystemCenterReporting, and then under Credentials stored securely in the report server, locate the service account in the User name field.

Note

Both service accounts should be the same.

To determine the DAS account

  1. On the Client Security collection server, open Administrative Tools, and then click Component Services.

  2. Under Console Root, double-click Component Services, double-click Computers, double-click My Computer, and then double-click COM+ Applications.

  3. Right-click Microsoft Operations Manager Data Access Server, and then click Properties.

  4. Click the Identity tab, and then view the User text box for the service account name.

To determine the DTS account

  1. On the Client Security reporting server, open Control Panel, open Scheduled Tasks, and then open SystemCenterDTSPackageTask.

  2. On the Task tab, view the Run as text box for the service account name.

To determine the action account

  1. On the Client Security collection database server, open a Command Prompt window and then change to the MOM installation folder. The default installation location is:

    C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005

  2. Run the following command:

    SetActionAccount.exe <ConfigurationGroup> -query

    The default query is SetActionAccount.exe ForefrontClientSecurity -query; however, use the configuration group name you specified when you installed Client Security.
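
The DAS, DTS, and action account checks above can also be collected from a PowerShell prompt before a password rotation. The following is an added example, not part of the original topic or of Client Security. It assumes the default installation path and configuration group name given in this topic, English-locale schtasks column names, and an elevated session; because the roles can be installed on different servers, run it on each server named in the procedures.

```powershell
# Added example: read-only inventory of the DAS, DTS and action account identities.
# Assumptions: default install path and configuration group name from this topic,
# English-locale schtasks column names, an elevated PowerShell session.
$momDir      = 'C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005'
$configGroup = 'ForefrontClientSecurity'   # use the name chosen when Client Security was installed

function Get-DasIdentity {
    # Same value as the Identity tab of the COM+ application's Properties dialog.
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Name -eq 'Microsoft Operations Manager Data Access Server') {
            return $app.Value('Identity')
        }
    }
}

function Get-DtsRunAs {
    # Same value as the "Run as" box on the Task tab of SystemCenterDTSPackageTask.
    $rows = schtasks.exe /query /v /fo csv | Where-Object { $_ } | ConvertFrom-Csv
    $task = $rows | Where-Object { $_.TaskName -like '*SystemCenterDTSPackageTask*' } |
        Select-Object -First 1
    if ($task) { return $task.'Run As User' }
}

function Get-ActionAccountQuery {
    # Raw output of the query command shown in this topic; its format is not parsed here.
    $exe = Join-Path $momDir 'SetActionAccount.exe'
    if (Test-Path $exe) { return (& $exe $configGroup -query | Out-String).Trim() }
}

$found = @(
    New-Object PSObject -Property @{ Role = 'DAS';    Value = Get-DasIdentity }
    New-Object PSObject -Property @{ Role = 'DTS';    Value = Get-DtsRunAs }
    New-Object PSObject -Property @{ Role = 'Action'; Value = Get-ActionAccountQuery }
)
foreach ($item in $found) {
    # The roles can live on different servers, so a missing value is expected there.
    if (-not $item.Value) { $item.Value = '(not found on this server)' }
}
$found | Format-Table Role, Value -AutoSize -Wrap
```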

Updating service account passwords

To update the reporting database server with the new reporting password

  1. On the server with the Client Security reporting database, perform the following steps:

    1. Open the Reporting Services Configuration tool, select the instance name of the Client Security reporting database, and click Select. For more information, see How to: Start Reporting Services Configuration (https://go.microsoft.com/fwlink/?LinkId=86669).

    2. Click Windows Service Identity and ensure that the Windows Account button is selected.

    3. Verify that the service account name in the Account box is correct.

    4. Enter the new password in the Password box and click Apply. After the updated password is saved, click Exit.

Note

It is possible that additional service accounts may be in use due to configuration choices made during the setup process. It is recommended that you repeat the above steps for each item in the left pane and enter the corresponding new password for each service account.

  2. On the Client Security management server, perform the following steps:

    1. Access the Client Security dashboard. For more information, see Accessing the dashboard.

    2. On the Action menu, click Configure.

      The Microsoft Forefront Client Security Configuration wizard opens.

    3. Complete the wizard, and be sure to provide the new reporting password on the Reporting Database page.

      If the DAS account password has changed and you have not performed the preceding procedure, the wizard cannot complete all steps successfully.

  3. Verify your work by viewing Client Security reports, such as the Security Summary report. For more information, see Viewing and printing reports. If you cannot view the reports, repeat this procedure.

To update the collection server with the new action account password

  1. On the Client Security collection server, open a Command Prompt window and change to the MOM installation directory. The default installation location is:

    C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005

  2. Run the following command:

    SetActionAccount.exe management-group -set domain username password

    The default management group is ForefrontClientSecurity; however, use the management group name you specified when you installed Client Security.

Note

The SetActionAccount.exe command does not support passwords that contain spaces.

You must run the SetActionAccount.exe command as a user in the same domain as the domain specified in the domain parameter.

The SetActionAccount.exe command verifies the password you provided. If the command fails, repeat this step.

To update the reporting server with the new DTS password

  1. On the Client Security reporting server, access Control Panel, open Scheduled Tasks, and open SystemCenterDTSPackageTask.

  2. The SystemCenterDTSPackageTask dialog box appears.

  3. On the Task tab, click Set password. Type the new password in the Password and Confirm password boxes.

  4. Click OK in the Password dialog box, and then click OK to close the dialog box.

    Verify this step by running the SystemCenterDTSPackageTask manually. To do so, right-click the task and click Run. If the task fails, repeat this step.

Note

It is recommended that you run this task at a time of low network usage, such as after core business hours.

To update the collection server with the new DAS password

  1. On the Client Security collection server, access Administrative Tools and click Component Services.

  2. Under Console Root, double-click Component Services, double-click Computers, double-click My Computer, and then double-click COM+ Applications.

  3. Right-click Microsoft Operations Manager Data Access Server and click Properties.

  4. Click the Identity tab. Type the new password in the Password and Confirm password boxes and click OK.

    The COM+ Application user interface validates the password.