DavidZemdegs asked CyrAz edited

SCOM action accounts - install agent

According to the docs, discovery and installation of the agent is done by the 'Management Server Action Account'. But the docs do not say where to find or how to create such an account.
In my accounts section, I have two action accounts - one is a domain service account and the other is the built-in system account. Is one of these the 'Management Server Action Account'? If one is, does it need to be a local administrator on all my servers in order to install the agent?
Currently I have to supply my own account to discover and install, and I was looking to set up another account to do that, but the docs aren't clear on how to do that.
Thanks
David

msc-operations-manager

AndrewBlumhardt-1137 answered

I believe you are correct. The action account needs to be local admin for remote install. It is common to use alternate credentials with the deployment wizard when this is not the case. That or deploy the agent using SCCM.


DavidZemdegs answered

So by default, which action account does it use? There is nothing in my console that specifically says 'Management Server Action Account'.


AndrewBlumhardt-1137 answered

If you look at the RunAs account configuration in the Administration workspace, it is the only configured domain account. This will be the default account used for all SCOM actions.


DavidZemdegs answered CyrAz commented

So you either give that account admin access to all servers or you add another account which has that access as an action account?

CyrAz commented

No, forget about it and use alternative credentials in the wizard, or use a deployment tool such as SCCM as already suggested.
You should never ever grant admin permissions to all your monitored servers to the MS Action Account.
Even if it's the default option in the wizard, it's a terrible security practice.

GeorgeMoise-0315 answered

If you want to identify the Default Action Account for a specific Management Server / Agent in SCOM (meaning the credentials that the Health Service on that server will use by default to run its workflows, unless another profile is specified on the workflow), you can go to Administration --> Run As Profiles --> open the Default Action Account profile. Then, in the Run As Accounts tab of that pop-up, you can search for your server and see which Run As Account is mapped as Default Action Account for the server.

Indeed, it is a bad security practice to give the SCOM Action Account (which is probably the default action account on your Management Servers) Local Administrator permissions on the servers you target with the discovery wizard. The recommendation here is to specify alternative credentials in the Discovery Wizard and use an account with Local Admin permissions.

BR,
George


DavidZemdegs answered CyrAz edited

Thanks - I'll probably use MEMCM to deploy the client.
I'm still puzzled as per my original question.

"According to the docs, discovery and installation of the agent is done by the 'Management Server Action Account'. "

I know that the default action account used on clients to run monitors and rules is the Local System account. But that's not the account used to install the agent. That, according to the docs, is the 'Management Server Action Account'. When looking in the console at the action accounts, none of them say 'Management Server Action Account'.
What's even more confusing is that the domain-based action account description says that it runs the rules, when that is not true - it's the Local System account. So what is the domain-based action account used for?

CyrAz commented

That's because there actually is only one "Default Action Account" RunAs profile.
That profile defines the default accounts used to run workflows on the agents, when no specific other RunAs is defined.
On regular monitored servers, this account is usually Local System.
On Management Servers (which also run the agent), it's usually a domain account. So the "Management Server Action Account" is the account defined for the Management Servers in the "Default Action Account" profile.
You can see the differences between Management Servers and regular monitored servers by having a look at the RunAs accounts listed inside the Default Action Account profile.

And I will definitely agree that using "account" in the name of a profile is confusing.

DavidZemdegs commented

Thanks - The Default Action account profile lists the local system account.
But there is no Default Installation account.
The discovery wizard separates the installation from the account that runs the healthservice rules etc.
So what is the 'Default installation account' used by the discovery wizard?

CyrAz commented

Well, the default installation account is the account listed in the Default Action Account profile for the management servers.
So if the management servers are associated with the local system account inside the default action account profile, then management servers' local system account is your default installation account (and will obviously have no permission on the servers you're trying to push the agent to)

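As an added example that is not part of any post above: the same lookup George describes in the console, plus a push install that hands the Discovery Wizard's "other user account" credential to Install-SCOMAgent instead of making the management server action account a local admin everywhere, as Andrew and CyrAz recommend. It uses the OperationsManager PowerShell module on a management server; the hostnames and the credential prompt are hypothetical, and it assumes the ActionAccountIdentity property is populated for every Health Service in the management group.

```powershell
# Added example, not from the thread. Run on a management server with the
# OperationsManager module installed. Hostnames below are hypothetical.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.corp.example'

# 1. The "Management Server Action Account" is just the identity the Health
#    Service on each management server uses for its default workflows. Both
#    management servers and agents report it as ActionAccountIdentity, so this
#    is the scripted version of opening the Default Action Account profile and
#    searching for the server in the Run As Accounts tab.
Get-SCOMManagementServer |
    Select-Object DisplayName, ActionAccountIdentity |
    Format-Table -AutoSize

Get-SCOMAgent |
    Select-Object DisplayName, ActionAccountIdentity |
    Format-Table -AutoSize
# Typical result: agents show NT AUTHORITY\SYSTEM, management servers show the
# domain account mapped to them in the Default Action Account profile.

# 2. The Run As accounts themselves, to match the names against the console.
Get-SCOMRunAsAccount |
    Select-Object Name, Description, AccountType |
    Format-Table -AutoSize

# 3. Push-install with a separate admin credential (the wizard's "Other user
#    account" option). -ActionAccount is only used by the management server to
#    copy and install the MSI on the target; it does not become the agent's
#    Run As account. -AgentActionAccount is left out, so the new agent runs its
#    workflows as Local System, which is the normal configuration.
$installCred = Get-Credential -Message 'Account that is local admin on the target servers only'

Install-SCOMAgent `
    -DNSHostName 'app01.corp.example', 'app02.corp.example' `
    -PrimaryManagementServer (Get-SCOMManagementServer -Name 'scom-ms01.corp.example') `
    -ActionAccount $installCred

# Confirm the new agents did not inherit the installation credential.
Get-SCOMAgent -DNSHostName 'app01.corp.example', 'app02.corp.example' |
    Select-Object DisplayName, ActionAccountIdentity
```

The point of keeping the two credentials apart is blast radius: the management server action account is long-lived and exposed to every workflow the management servers run, while the installation credential only needs local admin on the targets for the duration of the push and can be a dedicated, short-lived account.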