About service accounts
Applies To: Forefront Client Security
This topic provides steps for identifying service accounts, changing service account passwords, and updating the services after you've changed service account passwords.
It is recommended that you change the passwords assigned to accounts that run services. When you change a service account password, you must perform the applicable procedures listed later in this topic. For example, if you use a single account for the action account, DTS account, and DAS account, you must perform the procedure associated with each account to keep Client Security operating correctly.
This topic provides steps for identifying the accounts that run services.
The service accounts used by Client Security are as follows:
Reporting
Data Access Server (DAS)
Data Transformation Services (DTS)
Action
Determining service accounts in use
To determine the reporting account
In a browser, open the Report Manager. The following URL is the default:
https:// ReportingServer /Reports/Pages/Folder.aspx
Click Microsoft Operations Manager Reporting, and then click Microsoft Forefront Client Security.
Click OnePoint, and then under Credentials stored securely in the report server, locate the service account in the User name field.
In the browser, click the back button to navigate back to the Microsoft Forefront Client Security page. Click SystemCenterReporting, and then under Credentials stored securely in the report server, locate the service account in the User name field.
Note
Both service accounts should be the same.
To determine the DAS account
On the Client Security collection server, open Administrative Tools, and then click Component Services.
Under Console Root, double-click Component Services, double-click Computers, double-click My Computer, and then double-click COM+ Applications.
Right-click Microsoft Operations Manager Data Access Server, and then click Properties.
Click the Identity tab, and then view the User text box for the service account name.
To determine the DTS account
On the Client Security reporting server, open Control Panel, open Scheduled Tasks, and then open SystemCenterDTSPackageTask.
On the Task tab, view the Run as text box for the service account name.
To determine the action account
On the Client Security collection database server, open a Command Prompt window and then change to the MOM installation folder. The default installation location is:
C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005
Run the following command:
SetActionAccount.ext <ConfigurationGroup> -query
The default query is SetActionAccount.exe ForefrontClientSecurity -query; however,use the configuration group name you specified when you installed Client Security.
Updating service account passwords
To update the reporting database server with the new reporting password
On the server with the Client Security reporting database, perform the following steps:
Open the Reporting Services Configuration tool, select the instance name of the Client Security reporting database, and click Select. For more information, see How to: Start Reporting Services Configuration (https://go.microsoft.com/fwlink/?LinkId=86669).
Click Windows Service Identity and ensure that the Windows Account button is selected.
Verify that the service account name in the Account box is correct.
Enter the new password in the Password box and click Apply. After the updated password is saved, click Exit.
Note
It is possible that additional service accounts may be in use due to configuration choices made during the setup process. It is recommended that you repeat the above steps for each item in the left pane and enter the corresponding new password for each service account.
On the Client Security management server, perform the following steps:
Access the Client Security dashboard. For more information, see Accessing the dashboard.
On the Action menu, click Configure.
The Microsoft Forefront Client Security Configuration wizard opens.
Complete the wizard, and be sure to provide the new reporting password on the Reporting Database page.
If the DAS account password has changed and you have not performed the preceding procedure, the wizard cannot complete all steps successfully.
Verify your work by viewing Client Security reports, such as the Security Summary report. For more information, see Viewing and printing reports. If you cannot view the reports, repeat this procedure.
To update the collection server with the new action account password
On the Client Security collection server, open a Command Prompt window and change to the MOM installation directory. The default installation location is:
C:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005
Run the following command:
SetActionAccount.exe management-group ** -set ** domain username password
The default management group is ForefrontClientSecurity; however, use the management group name you specified when you installed Client Security.
Note
The SetActionAccount.exe command does not support passwords that contain spaces.
You must run the SetActionAccount.exe command as a user in the same domain as the domain specified in the domain parameter.The SetActionAccount.exe verifies the password you provided. If the command fails, repeat this step.
To update the reporting server with the new DTS password
On the Client Security reporting server, access Control Panel, open Scheduled Tasks, and open SystemCenterDTSPackageTask.
The SystemCenterDTSPackageTask dialog box appears.
On the Task tab, click Set password. Type the new password in the Password and Confirm password boxes.
Click OK in the Password dialog box, and then click OK to close the dialog box.
Verify this step by running the SystemCenterDTSPackageTask manually. To do so, right-click the task and click Run. If the task fails, repeat this step.
Note
It is recommended that you run this task at a time of low network usage, such as after core business hours.
To update the collection server with the new DAS password
On the Client Security collection server, access Administrative Tools and click Component Services.
Under Console Root, double-click Component Services, double-click Computers, double-click My Computer, and then double-click COM+ Applications.
Right-click Microsoft Operations Manager Data Access Server and click Properties.
Click the Identity tab. Type the new password in the Password and Confirm password boxes and click OK.
The COM+ Application user interface validates the password.