Service, User, and Security Accounts
During the setup and daily operation of Operations Manager, you will be asked to provide credentials for several accounts. This article provides information about each of these accounts, including the SDK and Config Service, Agent Installation, Data Warehouse Write, and Data Reader accounts.
If you use domain accounts and your domain Group Policy object (GPO) has the default password expiration policy set as required, you will either have to change the passwords on the service accounts according to the schedule, use system accounts, or configure the accounts so that the passwords never expire.
In System Center Operations Manager, management servers, gateway servers, and agents all execute a process called MonitoringHost.exe. MonitoringHost.exe is used to accomplish monitoring activities such as executing a monitor or running a task. Other example of actions MonitoringHost.exe performs include:
- Monitoring and collecting Windows event log data.
- Monitoring and collecting Windows performance counter data.
- Monitoring and collecting Windows Management Instrumentation (WMI) data.
- Running actions such as scripts or batches.
The account that a MonitoringHost.exe process runs as is called the action account. MonitoringHost.exe is the process that runs these actions by using the credentials that are specified in the action account. A new instance of MonitoringHost.exe is created for each account. The action account for the MonitoringHost.exe process running on an agent is called the Agent Action Account. The action account used by the MonitoringHost.exe process on a management server is called the Management Server Action account. The action account used by the MonitoringHost.exe process on a gateway server is called the Gateway Server Action Account. On all management servers in the management group, we recommend that you grant the account local administrative rights unless least-privileged access is required by your organizations IT security policy.
Unless an action has been associated with a Run As profile, the credentials that are used to perform the action will be those, you defined for the action account. For more information about Run As Accounts and Run As Profiles, see the section Run As Accounts. When an agent runs actions as either the default action account and/or Run As account(s), a new instance of MonitoringHost.exe is created for each account.
When you install Operations Manager, you have the option to specify a domain account or use LocalSystem. The more secure approach is to specify a domain account, which allows you to select a user with the least privileges necessary for your environment.
You can use a least-privileged account for the agent’s action account. On computers running Windows Server 2008 R2 or higher, the account must have the following minimum privileges:
- Member of the local Users group
- Member of the local Performance Monitor Users group
- Allow log on locally (SetInteractiveLogonRight) permission (not applicable for Operations Manager 2019).
The minimum privileges described above are the lowest privileges that Operations Manager supports for the action account. Other Run As accounts can have lower privileges. The actual privileges required for the Action account and the Run As accounts will depend upon which management packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate management pack guide.
The domain account that is specified for the action account can be granted either Log on as a Service (SeServiceLogonRight) or Log on as Batch (SeBatchLogonRight) permission if your security policy does not allow a service account to be granted an interactive log on session, such as when smart card authentication is required. Modify the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System Center\Health Service:
The domain account that is specified for the action account is granted with Log on as a Service (SeServiceLogonRight) permission. To change the logon type for health service, modify the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System Center\Health Service:
- Name: Worker Process Logon Type
- Type: REG_DWORD
- Values (for Operations Manager 2016 to 1807): Four (4) - Log on as batch, Two (2) - Allow log on locally and Five (5) - Log on as Service. Default value is 2.
- Values for Operations Manger 2019 and later: Four (4) - Log on as Batch, Two (2) - Allow log on locally, and Five (5) - Log on as Service. Default value is 5.
You can centrally manage the setting using Group Policy by copying the ADMX file
healthservice.admx from a management server or agent-managed system located in the folder
C:\Windows\PolicyDefinitions and configuring the setting Monitoring Action Account Logon Type under the folder
Computer Configuration\Administrative Templates\System Center - Operations Manager. For more information working with Group Policy ADMX files, see Managing Group Policy ADMX files.
System Center Configuration Service and System Center Data Access Service account
The System Center Configuration service and System Center Data Access service account is used by the System Center Data Access and System Center Management Configuration services to update information in the Operational database. The credentials used for the action account will be assigned to the sdk_user role in the Operational database.
The account should be either a Domain User or LocalSystem. The account used for the SDK and Config Service account should be granted local administrative rights on all management servers in the management group. The use of Local User account is not supported. For increased security, we recommended you use a domain user account and it's a different account from the one used for the Management Server Action Account. LocalSystem account is the highest privilege account on a Windows computer, even higher than local Administrator. When a service runs under the context of LocalSystem, the service has full control of the computer’s local resources, and the identity of the computer is leveraged when authenticating to and accessing remote resources. Using LocalSystem account is a security risk because it doesn’t honor the principal of least privilege. Because of the rights required on the SQL Server instance hosting the Operations Manager database, a domain account with least privilege permissions is necessary to avoid any security risk if the management server in the management group is compromised. The reasons why are:
- LocalSystem has no password
- It does not have its own profile
- It has extensive privileges on the local computer
- It presents the computer’s credentials to remote computers
If the Operations Manager database is installed on a computer separate from the management server and LocalSystem is selected for the Data Access and Configuration service account, the computer account for the management server computer is assigned the sdk_user role on the Operations Manager database computer.
For more information, see about LocalSystem
Data Warehouse Write account
The Data Warehouse Write account is the account used to write data from the management server to the Reporting data warehouse, and it reads data from the Operations Manager database. The following table describes the roles and membership assigned to the domain user account during setup.
|Microsoft SQL Server||OperationsManager||db_datareader|
|Microsoft SQL Server||OperationsManager||dwsync_user|
|Microsoft SQL Server||OperationsManagerDW||OpsMgrWriter|
|Microsoft SQL Server||OperationsManagerDW||db_owner|
|Operations Manager||User role||Operations Manager Report Security Administrators|
|Operations Manager||Run As account||Data Warehouse Action account|
|Operations Manager||Run As account||Data Warehouse Configuration Synchronization Reader account|
Data Reader account
The Data Reader account is used to deploy reports, define what user the SQL Server Reporting Services uses to execute queries against the Reporting data warehouse, and define the SQL Reporting Services account to connect to the management server. This domain user account is added to the Report Administrator User Profile. The following table describes the roles and membership assigned to the account during setup.
|Microsoft SQL Server||Reporting Services Installation instance||Report Server Execution account|
|Microsoft SQL Server||OperationsManagerDW||OpsMgrReader|
|Operations Manager||User role||Operations Manager Report Operators|
|Operations Manager||User role||Operations Manager Report Security Administrators|
|Operations Manager||Run As account||Data Warehouse Report Deployment account|
|Windows service||SQL Server Reporting Services||Logon account|
Verify the account you plan to use for the Data Reader account is granted the Log on as Service (for 2019 and later) or Log on as Service and Allow Log on Locally (for earlier release), right for each management server, and the SQL Server hosting the Reporting Server role.
Agent Installation account
When performing discovery-based agent deployment, an account is required with Administrator privileges on the computers targeted for agent installation. The management server action account is the default account for agent installation. If the management server action account does not have administrator rights, the operator must provide a user account and password with administrative rights on the target computers. This account is encrypted before being used and then discarded.
Notification Action account
The Notification Action account is the account used for creating and sending notifications. These credentials must have sufficient rights for the SMTP server, instant messaging server, or the SIP server that is used for notifications.