locked
Mapping Run as Account to Profiles created by Imported Management Packs RRS feed

  • Question

  • Hello,

    I have set up a new single management server. I have already set a default action account, for e.g; world\abc. This account was used to install scom as well. This account is part of Domain Admins group.

    Now after importing some few management packs, I see that new profiles are created in Run as Configuration - Profiles section.

    After importing Virtual Machine Manager Management Pack. I see that a new profile is created. This profile doesnt have any account mapped.

    My Question: If I do not map any account to the profiles created after importing a management pack, will it BY DEFAULT pick up DEFAULT ACTION ACCOUNT? OR Should I create a separate account for each profile that will be used to perform operations set by the Management Pack?

    Thanks,

    Rajiv

    Friday, March 8, 2019 1:32 PM

Answers

  • Hello Rajiv,

    If a Run As profile is not assigned to a particular action, it will be carried out under the Default Action account.

    As for System Center Virtual Machine Manager (SCVMM) it requires an account that is a member of the Operations Manager Administrator role.

    You can for example create an own account for it, or use the SCVMM service account, you can if you like (up to you) use different accounts for each operation, although I think most only choose to use only one account.


    You'll find more information below:

    Integrate VMM with Operations Manager for monitoring and reporting
    https://docs.microsoft.com/en-us/system-center/vmm/monitors-ops-manager?view=sc-vmm-1807


    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    • Marked as answer by Rajiv IR Wednesday, March 13, 2019 12:49 PM
    Friday, March 8, 2019 1:57 PM

All replies

  • Hello Rajiv,

    If a Run As profile is not assigned to a particular action, it will be carried out under the Default Action account.

    As for System Center Virtual Machine Manager (SCVMM) it requires an account that is a member of the Operations Manager Administrator role.

    You can for example create an own account for it, or use the SCVMM service account, you can if you like (up to you) use different accounts for each operation, although I think most only choose to use only one account.


    You'll find more information below:

    Integrate VMM with Operations Manager for monitoring and reporting
    https://docs.microsoft.com/en-us/system-center/vmm/monitors-ops-manager?view=sc-vmm-1807


    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    • Marked as answer by Rajiv IR Wednesday, March 13, 2019 12:49 PM
    Friday, March 8, 2019 1:57 PM
  • Hi Rajiv,

    let me try to clarify this.

    "My Question: If I do not map any account to the profiles created after importing a management pack, will it BY DEFAULT pick up DEFAULT ACTION ACCOUNT?"

    The answer is:  It depends on each individual management pack and each individual profile. Some of the management packs are developed in a way that if you don't configure a run as account and map it to the profile, the default agent account will be used to run workflows (example SQL MP).

    "OR Should I create a separate account for each profile that will be used to perform operations set by the Management Pack?"

    You will need to study the Management Pack guide of each management pack in order to understand what the profile is used for and which workflows it is running. There are many different management packs and each of them has its own logic.

    A few additional comments: I would not recommend making the default agent action account a Domain Admin. It is too much and is a potential security risk...It need to have local administrative privileges on the systems you are monitoring. I often dedicate Local System as the account, under which the Agent is running. Wherever this is not possible you can still work with domain accounts, 

    If you mean the Default Management Server Action Account - it also does not need to be domain admin. There are predefined permissions that need to be set, but Domain Admin is not a requirements.

    Hope I was able to help. Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Friday, March 8, 2019 1:59 PM