SCOM Account Permissions

  • Question

  • Hello,

    I am looking for a bit of confirmation, looking at the deployment guide for SCOM, it states the action account must have as a minimum:

      • Member of the local Users group
      • Member of the local Performance Monitor Users group
      • “Allow log on locally” (SeInteractiveLogonRight) permission

    the following paragraph then says:

    The domain account specified for the action account can be granted either Log on as a Service (SeServiceLogonRight) or Log on as Batch (SeBatchLogonRight) permission if your security policy does not allow a service account to be granted an interactive log on session, such as when smart card authentication is required.

    My question is: does the second paragraph negate the need for the "Allow Log on Locally" right, or is it referring only to interactive log on sessions, i.e. where smart cards are required? My initial thoughts are that the action account with only Log on as a Service or Log on as Batch wouldn't suffice?

    Thanks in advance

    Andy

    Thursday, February 7, 2019 10:47 AM

Answers

  • >>My question is: does the second paragraph negate the need for the "Allow Log on Locally" right, or is it referring only to interactive log on sessions, i.e. where smart cards are required?

    The domain account specified for the action account can be granted either Log on as a Service (SeServiceLogonRight) or Log on as Batch (SeBatchLogonRight) permission if your security policy does not allow a service account to be granted an interactive log on session, such as when smart card authentication is required. Modify the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System Center\Health Service:

    Name: Worker Process Logon Type
    Type: REG_DWORD
    Value: 4 means Log on as Batch and 5 means for Log on as Service. The default is 2, Allow log on locally.

    If your action account logon type is restricted to Log on as Batch or Log on as Service, you should grant this action account the Log on as a Service (SeServiceLogonRight) or Log on as Batch (SeBatchLogonRight) permission; there is no need to grant "Allow log on locally" to this action account.

    Roger

    Friday, February 8, 2019 6:46 AM

All replies

  • SCOM action account require "Allow Log on Locally"

    RajKumar

    Thursday, February 7, 2019 2:58 PM
  • Hi Roger,

    I have checked for the key you provided and it does not exist. I am on the SCOM Management Server and we are running Windows Server 2016 with SCOM 2016. This being the case, would I need to fight the case for the Allow log on locally right with my security team? I assume I cannot just create that path?

    Thanks in advance

    Andy

    Tuesday, February 12, 2019 10:31 AM
  • Hi There,

    You need to update this value on the agent server, not on the MS.

    If you have not found this value on the agent server, then please check whether you have the agent installed on the server or whether it is reporting to SCOM.

    Again, I suppose you need to fight with either the Windows team or the security team. The best answer for this: whoever has admin access on the server and can work with Regedit.exe would be the best to approach.

    Hope this helps :)


    Cheers, Gourav
    Please remember to mark the replies as answers if it helped.


    • Proposed as answer by GouravIN Tuesday, February 12, 2019 5:03 PM
    • Edited by GouravIN Thursday, February 21, 2019 12:32 PM
    Tuesday, February 12, 2019 5:03 PM
  • Which permission does your security policy allow you to grant the action account on the agent machine?
    1. Log on locally
    2. Log on as Service
    3. Log on as Batch

    If the action account has one of the above three options, it fulfills the agent action account minimum privilege. Otherwise, the agent will have issues monitoring this machine.

    Roger
    Wednesday, February 13, 2019 4:40 AM
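An added example, not posted by anyone in this thread, that turns Roger's two points (the Worker Process Logon Type registry value in his accepted answer, and "any one of the three logon rights is enough" in his follow-up) into an audit script for an agent machine. It reads the policy value, exports the local user-rights assignments with secedit.exe, and reports whether the account directly holds the right that matches the configured logon type, plus the two local group memberships the deployment guide lists. The account name CONTOSO\svc-scom-action is a placeholder and the function names are this example's own; run it in an elevated session, since secedit needs administrative rights.

```powershell
<#
 Added example (not from the thread): audit the SCOM action-account logon
 configuration on an agent. Assumptions: the account name below is a placeholder,
 the function names are this example's own. Requires an elevated session.
#>

$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\System Center\Health Service'
$ValueName = 'Worker Process Logon Type'

# Logon type values as given in the thread, mapped to the privilege each one needs.
$LogonTypeRight = @{
    2 = 'SeInteractiveLogonRight'   # default: "Allow log on locally"
    4 = 'SeBatchLogonRight'         # "Log on as a batch job"
    5 = 'SeServiceLogonRight'       # "Log on as a service"
}

function Get-WorkerProcessLogonType {
    # Returns the configured value, or 2 (the default) when the key or value is
    # absent, which is the situation Andy observed where the policy was never set.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.$ValueName
}

function Get-LocalUserRightsAssignment {
    # Exports the [Privilege Rights] section of the local security policy into a
    # hashtable: privilege name -> array of '*SID' strings or account names.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-ActionAccountLogonRight {
    param([Parameter(Mandatory)][string]$Account)

    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $logonType = Get-WorkerProcessLogonType
    $needed    = $LogonTypeRight[$logonType]
    if (-not $needed) { $needed = "unknown logon type $logonType" }

    # secedit lists direct grants only; a right inherited through group membership
    # (e.g. BUILTIN\Users holding SeInteractiveLogonRight) needs a group check too.
    $rights  = Get-LocalUserRightsAssignment
    $holders = if ($rights.ContainsKey($needed)) { @($rights[$needed]) } else { @() }
    $direct  = ($holders -contains "*$sid") -or ($holders -contains $Account)

    [pscustomobject]@{
        Account         = $Account
        Sid             = $sid
        WorkerLogonType = $logonType
        RequiredRight   = $needed
        DirectlyGranted = $direct
        InUsersGroup    = [bool](Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
                                 Where-Object { $_.SID.Value -eq $sid })
        InPerfMonUsers  = [bool](Get-LocalGroupMember -Group 'Performance Monitor Users' -ErrorAction SilentlyContinue |
                                 Where-Object { $_.SID.Value -eq $sid })
    }
}

# Placeholder account; replace with the real action account on the agent.
Test-ActionAccountLogonRight -Account 'CONTOSO\svc-scom-action' | Format-List
```

A DirectlyGranted value of False is not by itself a problem: the right may come through a group (the Users group is normally granted SeInteractiveLogonRight), so when it is False, look at the group entries in the exported policy for the listed privilege before raising the question with the security team. The point of the check is that the privilege the account needs follows the Worker Process Logon Type value: with the default of 2 it is Allow log on locally, and only after the value is set to 4 or 5 on the agent does Log on as Batch or Log on as Service take its place.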
  • Hi Andy,

    agree with Roger. Were you able to accomplish this?

    Really appreciate the feedback!

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Thursday, February 21, 2019 10:25 AM
    Moderator