Disable interactive Logons for SCOM SQL service-accounts in SCOM 2012 R2

sreejeet nambiar 21 Reputation points
2020-09-03T10:45:26.843+00:00

Hi,

Can we disable interactive logons for SCOM SQL service accounts?
Will this cause any issue in SCOM?

Thanks,
Sreejeet


Accepted answer
  1. SChalakov 10,266 Reputation points MVP
    2020-09-10T14:29:47.583+00:00

    Hi @sreejeet nambiar ,

    that is correct and this is also clearly listed here:

    Enable Service Log on for run as accounts

    Earlier version of Operations Managers has Allow log on locally as the default log on type. Operations Manager 2019 uses Service Log on by default. This leads to the following changes:

    Health service uses log on type Service by default. Operations Manager 1807 and earlier versions, it was Interactive.
    Operations Manager action accounts and service accounts now have Log on as a Service permission.
    Action accounts and Run As accounts must have Log on as a Service permission to execute MonitoringHost.exe.



    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)
    Best regards,
    Stoyan


2 additional answers

  1. SChalakov 10,266 Reputation points MVP
    2020-09-03T11:00:51.003+00:00

    Hi Sreejeet,

    it depends on the MP you are using. Can you please post the MP version you are using to monitor SQL? Is this the new, server agnostic MP? If this is the case, then the account needs "Allow Logon Locally" or otherwise monitoring will not work. Here is the information from the official MP guide:

    22320-image.png

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)
    Regards,
    Stoyan


  2. SChalakov 10,266 Reputation points MVP
    2020-09-03T19:30:53.367+00:00

    Hi Sreejeet,

    a couple of important details in addition to my previous reply.
    The SCOM Data Reader Account, as well as all SCOM Admins (in SCOM 2019), need this same (Logon as a Service) right also. This is well described by Kevin Holman and there is also a Management Pack, which he created to make it easier for Admins to set this permission. Here are the details:

    Security changes in SCOM 2019 – Log on as a Service

    and here is the article, presenting the MP:

    SCOM 2019 Log On As A Service Management Pack Helper

    Those details are nicely described also here:

    Enable Service Log on for run as accounts

    and in particular they mention the changes in SCOM 2019, compared to the previous versions:

    System Center 2019 - Operations Manager supports hardening of service accounts and does not require granting the Allow log on locally user right for several accounts, required in support of Operations Manager.

    Earlier version of Operations Managers has Allow log on locally as the default log on type. Operations Manager 2019 uses Service Log on by default.

    This being said there is a great overview of all SCOM (not SQL though) account permissions needed and it again comes from Kevin Holman:

    SCOM 2019 Security Account Matrix

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)
    Regards,
    Stoyan
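
Added example, not part of the original thread or of any SCOM tooling: a PowerShell check that reports which of the logon rights discussed above ("Log on as a service", "Allow log on locally", "Deny log on locally") are assigned directly to given accounts on a server, so the effect of removing interactive logon can be reviewed before and after the change. The account names are hypothetical placeholders.

```powershell
# Account names are hypothetical placeholders; pass your own with -Accounts.
param(
    [string[]]$Accounts = @('CONTOSO\svc-scom-action', 'CONTOSO\svc-scom-dra')
)

# Privilege constants as they appear in a secedit export, with display names.
$rights = [ordered]@{
    SeServiceLogonRight         = 'Log on as a service'
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# Export the local user-rights assignment (run from an elevated session).
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

function Get-RightHolders([string]$Right) {
    # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...,name
    $line = $lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
}

foreach ($account in $Accounts) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve $account to a SID: $($_.Exception.Message)"
        continue
    }
    $row = [ordered]@{ Account = $account }
    foreach ($right in $rights.Keys) {
        $holders = Get-RightHolders $right
        # Direct assignments only; rights inherited through groups are not expanded.
        $row[$rights[$right]] = ($holders -contains $sid) -or ($holders -contains $account)
    }
    [pscustomobject]$row
}
```

Because only direct assignments are compared, an account that receives "Allow log on locally" through a group such as Administrators will show False here and needs a separate group-membership check.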