Most management packs have to perform an initial discovery to determine whether the product that the MP services is present on a given computer. These initial discoveries are sometimes called "seed" discoveries and are most often lightweight, registry-key-based discoveries.
A problem can arise at customer sites if you associate run-as profiles with your initial seed discoveries. Seed discoveries must be able to run on every computer and should not require elevated or special permissions. Run-as profiles are the means by which you give your customers control over the credentials used for your monitoring (to run sensitive monitoring in highly secured environments, for instance). If you inadvertently apply a run-as profile to every workflow defined in your management pack, customers can have a painfully difficult experience when they try to get the management pack to work.
The challenge comes with the way that run-as account distribution functions. There are two scenarios where run-as profile behavior becomes a point of "how does it work" focus. These are:
The problem arises if the customer chooses "more secure" for the run-as account distribution. In the more secure mode, the customer must name all of the servers that are to be allowed access to the run-as account credentials.
So how does this impact your MP? Well, let's assume the customer is security conscious, creates run-as accounts for your MP's run-as profiles, and thinks they are done. You made one small mistake, and your seed discoveries that are supposed to execute on every server have been assigned the run-as profile. In this case, if the customer has not defined every computer in their environment (or scope) to be allowed to get the run-as profile, each computer that is not permitted generates
For a given MP, the computers that actually have the monitored product are (usually) only a percentage of the total environment. This means that after importing the MP and configuring it, some percentage of the customer's computers (often a majority) start generating errors and alerts that, in the customer's mind, trace back to the management pack's technology. Since those computers aren't associated with the product, customers ask "why does the SQL server pool complain that they can't run the workflows for Exchange?" (hypothetical example with names changed to protect the unfortunate).
So, lesson learned - NEVER associate a run-as profile with a workflow unless you know you need to - and avoid having run-as profiles on the seed discoveries that the rest of your product MP bootstraps from.
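
One way to catch this before shipping, as an added example that is not from the original post: a small Python check that parses management pack XML and reports discoveries targeted at every computer whose data source carries a run-as profile, either directly or through a member module of the pack's own data source module type. The sample fragment and all Contoso.* IDs are constructed, and the list of broad target classes is an assumption to adjust for your pack.

```python
import xml.etree.ElementTree as ET

# Assumption: classes present on every agent, the usual targets of seed discoveries.
BROAD_TARGETS = ("Microsoft.Windows.Computer", "Microsoft.Windows.Server.Computer")
REG = "Windows!Microsoft.Windows.FilteredRegistryDiscoveryProvider"
# Constructed management pack fragment; all Contoso.* IDs are hypothetical.
SAMPLE_MP = f"""<ManagementPack>
 <TypeDefinitions><ModuleTypes>
  <DataSourceModuleType ID="Contoso.App.WrappedRegistryDS">
   <ModuleImplementation><Composite><MemberModules>
    <DataSource ID="Reg" TypeID="{REG}" RunAs="Contoso.App.Account"/>
   </MemberModules></Composite></ModuleImplementation>
  </DataSourceModuleType>
 </ModuleTypes></TypeDefinitions>
 <Monitoring><Discoveries>
  <Discovery ID="Contoso.App.Seed.Clean" Target="Windows!Microsoft.Windows.Computer">
   <DataSource ID="DS" TypeID="{REG}"/>
  </Discovery>
  <Discovery ID="Contoso.App.Seed.Direct" Target="Windows!Microsoft.Windows.Computer">
   <DataSource ID="DS" RunAs="Contoso.App.Account" TypeID="{REG}"/>
  </Discovery>
  <Discovery ID="Contoso.App.Seed.Wrapped" Target="Windows!Microsoft.Windows.Server.Computer">
   <DataSource ID="DS" TypeID="Contoso.App.WrappedRegistryDS"/>
  </Discovery>
  <Discovery ID="Contoso.App.Role.Discovery" Target="Contoso.App.ServerRole">
   <DataSource ID="DS" RunAs="Contoso.App.Account" TypeID="{REG}"/>
  </Discovery>
 </Discoveries></Monitoring>
</ManagementPack>"""

def find_runas_seed_discoveries(mp_xml, broad_targets=BROAD_TARGETS):
    """Return (discovery ID, run-as profile) pairs for broadly targeted discoveries."""
    root = ET.fromstring(mp_xml)
    # Profiles set on member modules inside the pack's own data source module types.
    wrapped = {mt.get("ID"): sorted({m.get("RunAs") for m in mt.iter() if m.get("RunAs")})
               for mt in root.iter("DataSourceModuleType")}
    findings = []
    for disc in root.iter("Discovery"):
        if disc.get("Target", "").split("!")[-1] not in broad_targets:  # drop alias
            continue
        for ds in disc.findall("DataSource"):
            profiles = [ds.get("RunAs")] if ds.get("RunAs") else []
            profiles += wrapped.get(ds.get("TypeID"), [])
            findings += [(disc.get("ID"), p) for p in profiles]
    return findings

if __name__ == "__main__":
    for disc_id, profile in find_runas_seed_discoveries(SAMPLE_MP):
        print(f"{disc_id}: runs on every targeted agent under run-as profile {profile}")
```

The check only sees module types defined in the same file; a run-as profile applied inside a module type from a referenced management pack is not followed.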