SCOM 2012 Required Accounts -revisit

Forum: Operations Manager
  • #111712
    Bryan Heath
    Participant

    I was going to reply to my previous thread but I keep getting into a loop of “you must be logged in” and I can’t seem to edit the previous post.  I feel like Microsoft needs to be a bit clearer with what they are asking for.

    Account: Management server action account
    Description: This account is used to carry out actions on monitored computers across a network connection.
    Permissions: To save time, specify a domain-based account. We recommend that you create an account for this purpose that has local administrative credentials. You should not use an account that has domain administrative credentials.

    Account: System Center Configuration service and System Center Data Access service account
    Description: This account is one set of credentials that is used to update and read information in the operational database. Operations Manager ensures that the credentials used for the System Center Data Access service and System Center Configuration service account are assigned to the sdk_user role in the operational database.
    Permissions: This account can be configured as either Local System or as a domain account. The account must have local administrative credentials. For cases where the operational database is hosted on a remote computer that is not a management server, a domain account must be used. For better security, we recommend that you use an account different from the one used for the management server action account.

    Account: Data Warehouse Write account
    Description: The Data Warehouse Write account writes data from the management server to the Reporting data warehouse and reads data from the operational database.
    Permissions: This account is assigned write permissions on the Data Warehouse database and read permissions on the operational database.
    Note: Ensure that the account you plan to use for the Data Warehouse Write account has SQL Server Logon rights and has logon rights for the computers hosting both the operational database and the reporting data warehouse. Otherwise, Setup fails, and all changes are rolled back. This might leave SQL Server Reporting Services in an inoperable state.

    Account: Data Reader account
    Description: The Data Reader account is used to define which account credentials SQL Server Reporting Services uses to run queries against the Operations Manager reporting data warehouse.
    Permissions: The account should be configured as a domain account.
    Note: Ensure that the account you plan to use for the Data Reader account has SQL Server logon rights and Management Server logon rights.

    Management server action account: This account is used to carry out actions on monitored computers across a network connection. Permissions: To save time, specify a domain-based account. We recommend that you create an account for this purpose that has local administrative credentials. You should not use an account that has domain administrative credentials.

    This does not really state where the local admin rights should be. It leaves me to assume but it is not clear. It sounds as if it might be needed on all systems being monitored.

    Data Warehouse Write account: and has logon rights for the computers hosting both the operational database and the reporting data warehouse. Am I to assume local users group? I have even seen this account given admin rights on the DB server in some posts.

    Data Reader Account: and Management Server logon rights.  Am I to assume local user on all MS?

    How is it that the technical documentation can be so ambiguous? Does Microsoft expect me to buy a book or rely on the user community? Perhaps they could just CLEARLY state what they are looking for with some examples…

     

    http://technet.microsoft.com/en-us/library/hh298609.aspx

    #111726
    Bryan Heath
    Participant

    I sent an email to TechNet as well as a contact at Microsoft who might be able to give me insight on getting the documentation fixed. I also sent a request to connect.microsoft.com. We shall see.

    #219401
    Dave Dannenbrink
    Participant

    Bryan – Did you ever get these account questions answered?  I agree the documentation is not clear on permissions needed for this setup.

    #229476
    Tony
    Participant

    Morning,

    So could you please help me understand which account is used to deploy/install the agent via discovery?

    Really need assistance on this one! Yes, new to SCOM 2012R2.

    Thanks!!

    Tony

     

    #229480
    Wilson W.
    Participant

    Tony, the SCOM agent action account is used to deploy the SCOM agent. You can also specify alternate credentials of your choosing when doing an agent discovery.

    #229482
    Tony
    Participant

    Thanks for the response Wilson! So not to intentionally sound dumb, but looking under Administration, Run As Configuration, in Accounts and Profiles, I do not see any item labeled as such or described as such. Under Accounts there are items in Type: Action Account and Type: Windows but that is it.

    I suppose from other things I have read I need to provide credentials when choosing to use the discovery wizard to deploy agents, as the default radio button selection of: “Use Selected Management Server Action Account” is not really of any use here…..??

    Thanks again,

    Tony

     

    #229483
    Wilson W.
    Participant

    An easy way to find out which account is defined as your action account is to go to the admin tab in the SCOM console. Go to management servers and then look to see what account is defined under the “action account” column. If that column isn’t there, then right click on the column headings, choose personalize and then select action account.

    Your SCOM action account is the account that you use to run SCOM workflows and needs rights to your monitored systems so that you can push the SCOM agent to them. You may need to specify different accounts for servers that are in different trusted domains.

    #229509
    Sean P. Tompkins
    Participant

    In SCOM 2012, the action account the agent or server runs under can be found at:

    Administration
    – Run As Configuration
    — Profiles
    — Default Action Account

    In the wizard for Default Action Account, go to the “Run-As Accounts” tab, and listed will be every agent and server, and the default action account for that device.
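
The console lookups described in the two replies above can also be scripted. The following is an added example, not part of the thread or of Microsoft's documentation: it lists each management server's action account and checks it against the documentation's advice that the account should not have domain administrative credentials. It assumes the OperationsManager and ActiveDirectory PowerShell modules are available and that the action accounts live in the current domain.

```powershell
# Added example: report the action account of every management server and
# flag any that is a (direct or nested) member of Domain Admins.
# Assumption: run from the Operations Manager Shell on a management server,
# or connect first with New-SCOMManagementGroupConnection.
Import-Module OperationsManager
Import-Module ActiveDirectory

# -Recursive expands nested groups, so indirect membership is caught too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$report = foreach ($ms in Get-SCOMManagementServer) {
    $identity = $ms.ActionAccountIdentity

    # Strip a leading "DOMAIN\" so the name can be compared with
    # SamAccountName. Assumption: single domain; in a multi-domain forest
    # compare the domain part as well.
    $sam = ($identity -split '\\')[-1]

    [pscustomobject]@{
        ManagementServer = $ms.DisplayName
        ActionAccount    = $identity
        IsDomainAdmin    = $domainAdmins -contains $sam
    }
}

# Full inventory, then only the accounts that violate the recommendation.
$report | Format-Table -AutoSize
$report | Where-Object IsDomainAdmin
```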

     

    #231025
    Xuan Sealy
    Participant

    It is interesting to read your blog post and I am going to share it with my friends.

    Herbew Fentos
