Question about the newly released SCOM CORE MP

  • Question

  • I am reading the document on the latest SCOM Core MP and there's a number of configuration steps.

    On Page 17 of the install guide, it says to make sure the Action account on the RMS is a member of the Ops Manager Admins group.

    Can someone help me understand what they mean?  Can there be more than one action account? Should the action account we use for all our discoveries be elevated in SCOM so that it's a SCOM Admin?

    Thanks,

    Jack


    Jack
    Wednesday, December 8, 2010 4:15 PM

Answers

  • Action account is a per-MP concept.  SCOM provides several in the core MP, and these are used for different operations.  The ones that write to the core db and data warehouse need the right permissions.

    Another one, called the default action account - is a placeholder for general purpose MP work that requires local host access.  It defaults, unless changed during setup, to the account named "local system".  This is a reasonable default for most MP actions.

    Some MPs will define new run-as-profiles because they need special permissions to access the product being monitored.   SQL, for instance, has run-as profiles.  These will need to be set up for DBO permissions on each DB instance for the MP to work right.

    By default, run-as-profiles map to the default action account - until they are re-mapped to a different account.

    The default default, aka localsystem, never has permission to do anything over a network.  So other MPs that need to enable remote monitoring will also need to have run-as profiles defined - otherwise the end customer has to go into a place where the default won't work for remote monitoring (e.g. agentless monitoring).

     


    Microsoft Corporation
    • Marked as answer by basementjack Wednesday, December 8, 2010 6:36 PM
    Wednesday, December 8, 2010 4:47 PM

All replies

  • Thanks Dan that helps!
    Jack
    Wednesday, December 8, 2010 6:36 PM