Service-level changes

This article describes the service-level changes that are required to use group Managed Service Accounts (gMSAs) in System Center Operations Manager.

Note

This article applies to Operations Manager 2019 Update Rollup 1 (UR1) and later.

Change the service account for System Center Data Access Service to gMSA

To enable System Center Data Access Service to use gMSA:

  1. Add the gMSA to the local Administrators group on the computer on which the management server is installed.

  2. In Windows Services Console, change the existing service account for System Center Data Access Service to the gMSA.

Change the credentials for the System Center configuration service

Change the sign-in credentials for this service account from Windows Services Console.

Validate that both services are running with the gMSA.

Change the service account for SQL Server Reporting Services to gMSA

You can change the data reader account in the following two ways.

From Windows Services Console

Change the existing service account for SQL Server Reporting Services to the gMSA from Windows Services Console.

Validate that SQL Server Reporting Services is running with the gMSA.

From Reporting Services Configuration Manager

For Authentication Type, select Service Credentials. The service account was already specified as a gMSA earlier in Reporting Services Configuration Manager.

Note

SQL Server doesn't support gMSA for the SQL Server Reporting Services Execution account. Continue to use a non-gMSA account for this account.

Change the Data Warehouse Write account to use gMSA

Operations Manager stores the credentials for the Data Warehouse Write account within a Run As account, called the Data Warehouse Action account.

Change the credentials of this Action account to the gMSA that you intend to use as the Data Warehouse Write account, which is a Windows account.

Validate that the MonitoringHost.exe uses the gMSA credentials for the Data Warehouse Write account.

Change the Data Warehouse Report Deployment account to use gMSA

Operations Manager stores the credentials for the Data Warehouse Report Deployment account within a Run As account, called the Data Warehouse Action account.

Change the credentials of this Action account to the gMSA that you intend to use as the Data Warehouse Report Deployment account, which is a Windows account.

Validate that the MonitoringHost.exe uses the gMSA credentials for the Data Warehouse Write account.
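The validation steps in the preceding sections can be scripted. The following is an added example, not part of the original article or of Operations Manager: it reports the logon identity of each reconfigured service and the owner of every MonitoringHost.exe process. The gMSA name `svc-scom$` is a constructed placeholder, and the service display names are assumptions to adjust to your installation.

```powershell
# Added example: validation sketch, not part of the original article.
$GmsaName = 'svc-scom$'   # constructed placeholder: your gMSA's sAMAccountName (ends in '$')

# Display names as they appear in the Services console (assumed; adjust to your install).
$ServiceDisplayNames = @(
    'System Center Data Access Service',
    'System Center Management Configuration',
    'SQL Server Reporting Services*'
)

function Get-AccountName([string]$Identity) {
    # Reduce 'DOMAIN\name$' or 'name$@domain.fqdn' to the bare account name.
    if (-not $Identity) { return '' }
    return ($Identity -replace '^.*\\', '' -replace '@.*$', '')
}

# Services: Win32_Service.StartName is the "Log On As" identity.
$services = Get-CimInstance -ClassName Win32_Service
$report = foreach ($pattern in $ServiceDisplayNames) {
    $found = @($services | Where-Object { $_.DisplayName -like $pattern })
    if ($found.Count -eq 0) {
        # The service may live on another server (for example, the reporting server).
        [pscustomobject]@{ Item = $pattern; State = 'NotInstalledHere'; RunsAs = $null; UsesGmsa = $false }
    }
    foreach ($svc in $found) {
        [pscustomobject]@{
            Item     = $svc.DisplayName
            State    = $svc.State
            RunsAs   = $svc.StartName
            UsesGmsa = ((Get-AccountName $svc.StartName) -eq $GmsaName)
        }
    }
}

# MonitoringHost.exe: several instances run under different Run As accounts, so list
# every owner. Run elevated, otherwise other accounts' processes return no owner.
$hosts = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'MonitoringHost.exe'") {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    [pscustomobject]@{
        Item     = "MonitoringHost.exe (PID $($proc.ProcessId))"
        State    = 'Running'
        RunsAs   = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
        UsesGmsa = ((Get-AccountName $owner.User) -eq $GmsaName)
    }
}

@($report) + @($hosts) | Format-Table -AutoSize
```

Run it on each management server and on the reporting server. A service row with `UsesGmsa` set to `False` and `State` set to `Running` is still using its previous account.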

Update your data warehouse database

  1. Run the following SQL query against your data warehouse database. Replace DataWarehouseName with the name of your data warehouse database.

    SELECT [ManagementGroupDefaultName], [WriterLoginName]
    FROM [DataWarehouseName].[dbo].[ManagementGroup];
    
  2. If the previous query doesn't return the gMSA that you created for the Data Warehouse Write account, then execute the following query to update it.

    UPDATE [DataWarehouseName].[dbo].[ManagementGroup]
    SET [WriterLoginName] = 'DOMAIN\USERNAME'
    WHERE [ManagementGroupDefaultName] = 'SCOM MANAGEMENT GROUP NAME';
    

Next steps

Console-level changes