Security Considerations

Applies To: Operations Manager 2007, Windows Server 2012

You might need to customize your management pack. Certain accounts cannot run in a low-privilege environment, or they must be granted a minimum set of permissions.

Action Account

For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly.

AD MP Account

The AD MP Account Run As Profile is automatically created when you import the ADMP (the Active Directory Management Pack). This account is not needed if you are using the Action Account for ADMP operations. However, if you would prefer to use a different domain account to monitor Active Directory operations, you can use the ADMP Run As Profile by first creating a Run As Account and then adding that account to the AD MP Account Run As Profile.

Creating a Run As Account

Creating a Run As Account allows Operations Manager 2007 to use the user account for monitoring.

To perform the procedures in this section, you must be a member of the Operations Manager Administrators group in the Operations console. For more information, see Account Information for Operations Manager 2007(http://go.microsoft.com/fwlink/?LinkId=165736).

To create a Run As Account

  1. On your management server, open the Operations Console, and then click Administration.

  2. In the navigation pane, right-click Security, and then click Create Run As Account.

  3. If the Introduction page of the Create Run As Account Wizard appears, click Next.

  4. On the General Properties page, ensure that Windows is selected for Run As Account type, and then, for Display Name, type ADMP. You can optionally type additional information in Description.

    Note

    You may type any name that you like for the Run As Account; ADMP is a suggested name, used to keep these directions concise. If you type a different name, substitute that name for ADMP in any step that refers to the ADMP Run As Account.

  5. On the Credentials page, enter the user name of the account you designated for monitoring replication. Then, enter and confirm the password you set for the account. Click Next.

  6. Once the Run As account is created, click Close.

Add the Run As Account to the ADMP Run As Account Profile

The last major task in enabling replication monitoring by an account other than the Action Account is to add the Run As account to the AD MP Account Run As Profile.

Adding the Run As Account to the Run As Profile

  1. In the Administration navigation pane of the Operations Console, click Profiles.

  2. In the Profiles pane, double-click AD MP Account.

  3. If the Introduction page of the Run As Profile Wizard appears, click Next.

  4. In Display name, confirm that AD MP Account appears as the name of the profile and then click Next.

  5. On the Run As Accounts page, click Add.

  6. In the Add a Run As Account dialog box, under Run As account, use the drop-down menu to select the Run As account you created previously.

  7. In This Run As Account will be used to manage the following objects, select A selected class, group, or object.

    Tip

    If you have created a group for all your domain controllers, then you may want to select that in the next step rather than following the steps to select domain controllers individually. See How to Create Groups in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=165736) for more information.

  8. Click Select and then click Object.

  9. Use the Object Search dialog box to locate all the domain controllers you want to monitor, select one and then click OK.

    Tip

    In the Object Search dialog box, you can set Look for to Windows Server to reduce the number of objects returned.

    Repeat this step as needed until you have all the domain controller computer accounts you want to monitor in the Run As accounts list, and then click Save.

  10. On the Completion page, if ADMP appears under More-secure Run As accounts, click ADMP. Otherwise, click Close.

  11. If you clicked ADMP, then in Run As Account Properties, on the Distribution tab, with More secure selected, click Add. Use the Computer Search dialog box to locate the domain controllers to which you want to distribute these credentials. When you have located the computers you want, click Add, click OK twice, and then click Close.
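The same two tasks (creating the ADMP Run As Account, binding it to the AD MP Account Run As Profile for selected domain controllers, and keeping its credential distribution "More secure") can be scripted. The following is an added example, not code from the original page; it uses the System Center 2012 Operations Manager PowerShell module (the page's Operations Manager 2007 console steps have no direct cmdlet equivalent, so availability of these cmdlets in your environment is an assumption). The management server ms01.contoso.com, the account CONTOSO\svc-admp and the domain controllers dc01/dc02 are constructed placeholder names.

```powershell
# Added example (not from the original page). Assumes the System Center 2012
# Operations Manager module; these cmdlet names are not in the Operations
# Manager 2007 snap-in. All host and account names below are constructed.

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "ms01.contoso.com"   # assumed management server

# 1. Create the Windows Run As Account. Get-Credential prompts for the password,
#    so the secret never sits in the script.
$cred = Get-Credential -UserName "CONTOSO\svc-admp" -Message "ADMP monitoring account"
Add-SCOMRunAsAccount -Windows -Name "ADMP" -Description "AD MP replication monitoring" -RunAsCredential $cred

# 2. Resolve the account, the profile, and the agents on the domain controllers to monitor.
$account  = Get-SCOMRunAsAccount -Name "ADMP"
$profile  = Get-SCOMRunAsProfile -DisplayName "AD MP Account"
$dcAgents = Get-SCOMAgent -DNSHostName "dc01.contoso.com", "dc02.contoso.com"

# 3. Bind the account to the profile only for those computers; this is the
#    scripted form of "A selected class, group, or object" in the wizard.
$computerClass = Get-SCOMClass -Name "Microsoft.Windows.Computer"
$targets = Get-SCOMClassInstance -Class $computerClass |
    Where-Object { $_.DisplayName -in $dcAgents.DisplayName }
Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $account -Target $targets

# 4. Keep the credential "More secure": distribute it only to the monitored
#    domain controllers, not to every agent in the management group.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $dcAgents

# 5. Verify that the distribution lists only the intended domain controllers.
Get-SCOMRunAsDistribution -RunAsAccount $account | Select-Object Security, SecureDistribution
```

The point of step 4 is the same as selecting More secure in the Distribution tab: the domain account's credential is pushed only to the health services that actually need it, so a compromise of any other monitored computer does not expose the ADMP account. Step 5 is the check to run after any change to the profile, since adding a new target object does not automatically extend the distribution list.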

Security Monitoring

The Domain Administrator needs to know the Active Directory user authentication and account issues that occur between domain controllers, including the following:

  • Account password issues

  • Security Accounts Manager (SAM) failures

  • Requests that are not valid

  • NTLM errors

  • Key Distribution Center (KDC) errors

  • Account identifier issues

  • User credential issues

  • Account and group issues

  • Duplicate accounts and security identifiers (SIDs)