SCOM 2012 Required Accounts -revisit

Forum: Operations Manager
  • #111712

    Bryan Heath
    Participant

    I was going to reply to my previous thread but I keep getting into a loop of “you must be logged in” and I can’t seem to edit the previous post. I feel like Microsoft needs to be a bit clearer with what they are asking for.

    Account: Management server action account
    Description: This account is used to carry out actions on monitored computers across a network connection.
    Permissions: To save time, specify a domain-based account. We recommend that you create an account for this purpose that has local administrative credentials. You should not use an account that has domain administrative credentials.

    Account: System Center Configuration service and System Center Data Access service account
    Description: This account is one set of credentials that is used to update and read information in the operational database. Operations Manager ensures that the credentials used for the System Center Data Access service and System Center Configuration service account are assigned to the sdk_user role in the operational database.
    Permissions: This account can be configured as either Local System or as a domain account. The account must have local administrative credentials. For cases where the operational database is hosted on a remote computer that is not a management server, a domain account must be used. For better security, we recommend that you use an account different from the one used for the management server action account.

    Account: Data Warehouse Write account
    Description: The Data Warehouse Write account writes data from the management server to the Reporting data warehouse and reads data from the operational database.
    Permissions: This account is assigned write permissions on the Data Warehouse database and read permissions on the operational database.
    Note: Ensure that the account you plan to use for the Data Warehouse Write account has SQL Server Logon rights and has logon rights for the computers hosting both the operational database and the reporting data warehouse. Otherwise, Setup fails, and all changes are rolled back. This might leave SQL Server Reporting Services in an inoperable state.

    Account: Data Reader account
    Description: The Data Reader account is used to define which account credentials SQL Server Reporting Services uses to run queries against the Operations Manager reporting data warehouse.
    Permissions: The account should be configured as a domain account.
    Note: Ensure that the account you plan to use for the Data Reader account has SQL Server logon rights and Management Server logon rights.

    Management server action account: This account is used to carry out actions on monitored computers across a network connection. Permissions: To save time, specify a domain-based account. We recommend that you create an account for this purpose that has local administrative credentials. You should not use an account that has domain administrative credentials.

    This does not really state where the local admin rights should be. It leaves me to assume but it is not clear. It sounds as if it might be needed on all systems being monitored.

    Data Warehouse Write account: and has logon rights for the computers hosting both the operational database and the reporting data warehouse. Am I to assume local users group? I have even seen this account given admin rights on the DB server in some posts.

    Data Reader Account: and Management Server logon rights.  Am I to assume local user on all MS?

    How is it that the technical documentation can be so ambiguous? Does Microsoft expect me to buy a book or rely on the user community? Perhaps they could just CLEARLY state what they are looking for with some examples…

     

    http://technet.microsoft.com/en-us/library/hh298609.aspx
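
One way to check a planned account layout against the parts of the quoted table that are unambiguous (an added example, not from this thread or from Microsoft's documentation). The function name, the role keys and the `CONTOSO\svc-...` accounts are constructed placeholders, and the script does not settle where local administrative rights are needed.

```powershell
# Added example. Returns one finding per rule of the quoted table that the plan breaks.
function Test-ScomAccountPlan {
    param(
        [Parameter(Mandatory)] [hashtable] $Plan,          # role -> 'DOMAIN\user' or 'LocalSystem'
        [Parameter(Mandatory)] [string[]]  $DomainAdmins,  # sAMAccountNames holding domain admin rights
        [bool] $OperationalDbIsRemote = $true              # DB hosted off the management server?
    )
    # A domain account is written DOMAIN\user here (assumption of this example).
    $isDomain = { param($a) $a -match '^[^\\]+\\[^\\]+$' }
    $finding  = { param($role, $issue)
        [pscustomobject]@{ Role = $role; Account = $Plan[$role]; Issue = $issue } }

    $action = $Plan['ActionAccount']
    $das    = $Plan['DataAccessService']

    # "You should not use an account that has domain administrative credentials."
    if ($DomainAdmins -contains ($action -split '\\')[-1]) {
        & $finding 'ActionAccount' 'has domain administrative credentials'
    }
    # "...use an account different from the one used for the management server action account."
    if ($das -eq $action) {
        & $finding 'DataAccessService' 'same account as the management server action account'
    }
    # "...hosted on a remote computer that is not a management server, a domain account must be used."
    if ($OperationalDbIsRemote -and -not (& $isDomain $das)) {
        & $finding 'DataAccessService' 'remote operational database requires a domain account'
    }
    # "The account should be configured as a domain account."
    if (-not (& $isDomain $Plan['DataReader'])) {
        & $finding 'DataReader' 'not a domain account'
    }
}

# Constructed sample plan with three deliberate problems.
$plan = @{
    ActionAccount      = 'CONTOSO\svc-scom-action'
    DataAccessService  = 'CONTOSO\svc-scom-action'   # reused for two roles
    DataWarehouseWrite = 'CONTOSO\svc-scom-dww'
    DataReader         = 'svc-scom-dr'               # not domain-qualified
}
# Constructed list. In a real domain it could come from the ActiveDirectory module:
#   (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
$domainAdmins = @('Administrator', 'svc-scom-action')

Test-ScomAccountPlan -Plan $plan -DomainAdmins $domainAdmins | Format-Table -AutoSize
```
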

    #111726

    Bryan Heath
    Participant

    I sent an email to TechNet as well as a contact at Microsoft who might be able to give me insight on getting the documentation fixed. I also sent a request to connect.microsoft.com. We shall see.

    #219401

    Dave Dannenbrink
    Participant

    Bryan – Did you ever get these account questions answered?  I agree the documentation is not clear on permissions needed for this setup.

    #229476

    Tony
    Participant

    Morning,

    So could you please help me understand which account is used to deploy/install the agent via discovery?

    Really need assistance on this one! Yes, new to SCOM 2012R2.

    Thanks!!

    Tony

     

    #229480

    Wilson W.
    Participant

    Tony, the SCOM agent action account is used to deploy the SCOM agent. You can also specify alternate credentials of your choosing when doing an agent discovery.

    #229482

    Tony
    Participant

    Thanks for the response Wilson! So not to intentionally sound dumb, but looking under Administration, Run As Configuration, in Accounts and Profiles, I do not see any item labeled as such or described as such. Under Accounts there are items in Type: Action Account and Type: Windows but that is it.

    I suppose from other things I have read I need to provide credentials when choosing to use the discovery wizard to deploy agents, as the default radio button selection of: “Use Selected Management Server Action Account” is not really of any use here…..??

    Thanks again,

    Tony

     

    #229483

    Wilson W.
    Participant

    An easy way to find out which account is defined as your action account is to go to the admin tab in the SCOM console. Go to management servers and then look to see what account is defined under the “action account” column. If that column isn’t there, then right click on the column headings, choose personalize and then select action account.

    Your SCOM action account is the account that you use to run SCOM workflows and needs rights to your monitored systems so that you can push the SCOM agent to them. You may need to specify different accounts for servers that are in different trusted domains.

    #229509

    Sean P. Tompkins
    Participant

    In SCOM 2012, the action account the agent or server runs under can be found at:

    Administration
    – Run As Configuration
    — Profiles
    — Default Action Account

    In the wizard for Default Action Account, go to the “Run-As Accounts” tab, and listed will be every agent and server, and the default action account for that device.

     
