Enable Service Log on for Run As accounts

Security best practice is to disable interactive and remote interactive sessions for service accounts. Security teams across organizations have strict controls to enforce this best practice to prevent credential theft and associated attacks.

System Center 2019 - Operations Manager supports hardening of service accounts and does not require granting the Allow log on locally user right to the several accounts that are required in support of Operations Manager.

Earlier versions of Operations Manager used Allow log on locally as the default log on type. Operations Manager 2019 uses Service log on by default. This leads to the following changes:

  • The health service uses the log on type Service by default. In Operations Manager 1807 and earlier versions, it was Interactive.
  • Operations Manager action accounts and service accounts now have the Log on as a Service permission.
  • Action accounts and Run As accounts must have the Log on as a Service permission to execute MonitoringHost.exe.

Changes to Operations Manager action accounts

The following accounts are granted the Log on as a Service permission during the Operations Manager 2019 installation, and during upgrade from previous versions:

  • Management Server Action account

  • System Center Configuration service and System Center Data Access service accounts

  • Agent action account

  • Data Warehouse Write account

  • Data Reader account

    (Screenshot: Local security settings)

After this change, any Run As accounts created by Operations Manager administrators for management packs (MPs) require the Log on as a Service right, which administrators should grant.

View log on type for management servers and agents

You can view the log on type for management servers and agents from the Operations Manager console.

To view the log on type for management servers, go to Administration > Operations Manager Products > Management Servers.

(Screenshot: Log on type for management servers)

To view the log on type for agents, go to Administration > Operations Manager Products > Agents.

(Screenshot: Log on type for management servers)

Note

Agents and gateways that are not yet upgraded display the Log on type as Service in the console. Once the agent or gateway is upgraded, the current log on type is displayed.

Enable service log on permission for Run As accounts

Follow these steps:

  1. Sign in with administrator privileges to the computer on which you want to grant the Log on as a service permission to a Run As account.

  2. Go to Administrative Tools and click Local Security Policy.

  3. Expand Local Policies and click User Rights Assignment.

  4. In the right pane, right-click Log on as a service and select Properties.

  5. Click Add User or Group to add the new user.

  6. In the Select Users or Groups dialog, find the user you want to add and click OK.

  7. Click OK in the Log on as a service Properties dialog to save the changes.

    (Screenshot: Select users)
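The same right can be granted from the command line, which is useful when many agent computers need the Run As account added. The following PowerShell script is an added example and is not part of the Operations Manager documentation; it uses secedit to export the local user-rights policy, append the account's SID to SeServiceLogonRight (the policy name behind "Log on as a service"), and apply it back. The account name in $RunAsAccount is a placeholder, not a real account.

```powershell
# Added example, not part of the Operations Manager documentation: grant the
# "Log on as a service" user right (SeServiceLogonRight) to a Run As account
# from the command line, equivalent to steps 1-7 in the Local Security Policy UI.
# $RunAsAccount is a placeholder; replace it with the real Run As account.
#Requires -RunAsAdministrator
param(
    [string]$RunAsAccount = 'CONTOSO\svc-om-runas-placeholder'
)

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# secedit stores principals as SIDs prefixed with '*', so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$RunAsAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Export only the user-rights area of the current local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$current = Get-Content -Path $cfg
$entry   = $current | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }

if ($entry -and $entry -match [regex]::Escape("*$sid")) {
    Write-Output "$RunAsAccount ($sid) already holds Log on as a service."
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return
}

# 2. Append the SID to the existing entry, or create the entry under
#    [Privilege Rights] if no account holds the right yet.
$updated = foreach ($line in $current) {
    if ($entry -and $line -eq $entry) {
        "$line,*$sid"
    } elseif (-not $entry -and $line -eq '[Privilege Rights]') {
        $line
        "SeServiceLogonRight = *$sid"
    } else {
        $line
    }
}
# secedit writes and reads UTF-16LE; keep the same encoding on the way back.
Set-Content -Path $cfg -Value $updated -Encoding Unicode

# 3. Apply the user-rights area back to the local policy.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# 4. Verify by re-exporting and checking that the SID is now listed.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$after = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($after -match [regex]::Escape("*$sid")) {
    Write-Output "Granted Log on as a service to $RunAsAccount ($sid)."
} else {
    Write-Warning "SeServiceLogonRight does not list $sid after configure; check the secedit output and whether a domain GPO overrides local user rights."
}
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
```

The script edits only the SeServiceLogonRight line and applies only the USER_RIGHTS area, so other local policy settings are untouched. If User Rights Assignment is managed by a domain Group Policy object, that GPO replaces the local setting at the next refresh, and the account must be added to the GPO instead.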

Note

If you are upgrading to Operations Manager 2019 from a previous version, or installing a new Operations Manager 2019 environment, follow the steps above to grant the Log on as a service permission to the Run As accounts.

Change log on type for a health service

If you need to change the log on type of the Operations Manager health service to Allow log on locally, configure the security policy setting on the local device using the Local Security Policy console.

Here is an example:

(Screenshot: Monitoring action account log on type)

Coexistence with Operations Manager 2016 agent

With the log on type change introduced in Operations Manager 2019, the Operations Manager 2016 agent can coexist and interoperate without any issues. However, a couple of scenarios are affected by this change:

  • Push install of an agent from the Operations Manager console requires an account that has administrative privileges and the Log on as a service right on the destination computer.
  • The Operations Manager Management Server action account requires administrative privileges on management servers for monitoring Service Manager.

Troubleshooting

If any of the Run As accounts do not have the required Log on as a Service permission, a critical monitor-based alert appears. The alert displays the details of the Run As account that does not have the Log on as a Service permission.

(Screenshot: Alert properties)

On the agent computer, open Event Viewer. In the Operations Manager log, search for event ID 7002 to view the details about the Run As accounts that require the Log on as a Service permission.

Parameter          Message
Alert Name         Run As account does not have requested log on type.
Alert Description  The Run As account must have the requested log on type.
Alert Context      Health Service could not log on, as the Run As account for management group (group name) has not been granted the Log on as a service permission.
Monitor            (add monitor name)

Grant the Log on as a Service permission to the applicable Run As accounts identified in event 7002. Once you grant the permission, event ID 7028 appears and the monitor changes to the healthy state.
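Searching Event Viewer by hand does not scale across many agents. The following PowerShell script is an added example, not part of the Operations Manager documentation: it queries the Operations Manager log for the two event IDs named above (7002, a Run As account still lacking the right; 7028, the right has been granted) and reports whether the most recent event is still a 7002. The parameter names and the default 24-hour window are assumptions of this example.

```powershell
# Added example, not part of the Operations Manager documentation: list event
# IDs 7002 and 7028 from the Operations Manager log on an agent computer and
# flag accounts that still lack "Log on as a service". $ComputerName and
# $Hours are this example's own parameters.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Filter the log on the server side: only the two event IDs, only recent events.
$filter = @{
    LogName   = 'Operations Manager'
    Id        = 7002, 7028
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue keeps "No events were found" from being an error.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 7002/7028 events in the last $Hours hours on $ComputerName."
    return
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = {
            if ($_.Id -eq 7002) { 'Run As account lacks Log on as a service' }
            else                { 'Log on as a service granted' } } },
        # Keep only the first line of the message; it names the account and management group.
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# A 7002 that is not followed by a 7028 means the right is still missing.
$latest = $events | Sort-Object TimeCreated | Select-Object -Last 1
if ($latest.Id -eq 7002) {
    Write-Warning "Most recent event on $ComputerName is 7002: a Run As account still needs Log on as a service."
} else {
    Write-Output "Most recent event on $ComputerName is 7028: the permission has been granted."
}
```

Run it against each agent reporting the alert; once the permission has been granted and the health service has retried the log on, the last event in the window should be 7028 and the monitor should return to healthy.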

(Screenshot: Event count)