Responses below:

From: [email protected] [mailto:[email protected]] On Behalf Of Damien Redhead
Sent: Monday, January 11, 2016 9:56 AM
To: [email protected]
Subject: [msmom] Changing default run as account

Good morning folks. As we all know the default run as account is a powerful account that has access to all systems reporting to SCOM.

[KH] That is not true and not necessarily a best practice. In fact – you need to be more clear. There is no “default runas account” really. There is the Management Server Action account which is designed to run responses and workflows ON the management servers. There is the “Default Agent Action Account” which should generally be local system. There are NO accounts which “have access to all systems reporting to SCOM”. This is something each organization chooses to set up. In order to PUSH the agent from SCOM management servers, SOME customers might configure the MSAA to have local admin rights on all systems to ease this administrative burden, but that is certainly not a default nor would I recommend that course of action. You never see it in a highly secured customer environment either.

We changed ours this weekend with no ill effects which allows me to think that I can have this password changed automatically once a month. I'm wondering if there is a mechanism out there that could update the password in SCOM itself instead of having a manual task to go in and update it?

[KH] It would help to know specifically what account you are talking about. As far as changing passwords – you can change any password for any RunAs account used in SCOM. For using the SDK to automate updating a credential: https://technet.microsoft.com/library/hh918477.aspx
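
One way to script the monthly rotation asked about above, as an added example that is not part of the original thread: it uses the OperationsManager PowerShell cmdlets rather than direct SDK calls. The account names, domain and management server are placeholders, and it assumes the RunAs account is a Windows (domain) credential.

```powershell
#Requires -Modules OperationsManager, ActiveDirectory
# Added example. Assumes an identity delegated to reset this one AD account
# and to administer SCOM. All names below are placeholders.
param(
    [string]$RunAsName        = 'CONTOSO\svc-scom-action',   # RunAs display name in SCOM
    [string]$SamAccountName   = 'svc-scom-action',           # AD account behind it
    [string]$Domain           = 'CONTOSO',
    [string]$ManagementServer = 'scom-ms01.contoso.example',
    [int]$Length              = 32
)
$ErrorActionPreference = 'Stop'

function New-RandomSecurePassword([int]$Length) {
    # 64-character alphabet, so (byte % 64) introduces no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Build the SecureString directly; the password never exists as a String.
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b % 64]) }
    $secure.MakeReadOnly()
    return $secure
}

New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Resolve the RunAs account first so a wrong name fails before AD is touched.
$runAs = @(Get-SCOMRunAsAccount -Name $RunAsName)
if ($runAs.Count -ne 1) { throw "Expected exactly one RunAs account named '$RunAsName'." }

$newPassword = New-RandomSecurePassword -Length $Length
$credential  = New-Object System.Management.Automation.PSCredential("$Domain\$SamAccountName", $newPassword)

# Step 1: reset the password in AD. Step 2: store the same credential in SCOM.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
try {
    Update-SCOMRunAsAccount -RunAsAccount $runAs[0] -RunAsCredential $credential
} catch {
    # AD and SCOM now disagree; fail loudly so the scheduler reports it.
    throw "AD password was reset but the SCOM update failed for '$RunAsName': $_"
}
Write-Output "Rotated '$RunAsName' at $(Get-Date -Format o)"
```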
