Hi Kevin,

Thanks for the response. There are two accounts under the Action Account. One is the Local System Action Account, which has the description: Built in SYSTEM account to be used as an action account.

The second account is the one whose password we updated this weekend, and it has the description: This is the user account under which all rules run by default on the agent. This account was there when I inherited the system. Am I correct in understanding you when you say this account is not necessary and should be removed?

On Mon, Jan 11, 2016 at 11:09 AM, Kevin Holman <[email protected]> wrote:

> Responses below:
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Damien Redhead
> *Sent:* Monday, January 11, 2016 9:56 AM
> *To:* [email protected]
> *Subject:* [msmom] Changing default run as account
>
> Good morning folks.
>
> As we all know the default run as account is a powerful account that has access to all systems reporting to SCOM.
>
> *[KH] That is not true and not necessarily a best practice.*
>
> *In fact – you need to be more clear. There is no “default runas account” really.*
>
> *There is the Management Server Action account which is designed to run responses and workflows ON the management servers.*
>
> *There is the “Default Agent Action Account” which should generally be local system.*
>
> *There are NO accounts which “have access to all systems reporting to SCOM”. This is something each organization chooses to set up. In order to PUSH the agent from SCOM management servers, SOME customers might configure the MSAA to have local admin rights on all systems to ease this administrative burden, but that is certainly not a default nor would I recommend that course of action. You never see it in a highly secured customer environment either.*
>
> We changed ours this weekend with no ill effects which allows me to think that I can have this password changed automatically once a month.
>
> I'm wondering if there is a mechanism out there that could update the password in SCOM itself instead of having a manual task to go in and update it?
>
> *[KH] It would help to know specifically what account you are talking about. As far as changing passwords – you can change any password for any RunAs account used in SCOM.*
>
> *For using the SDK to automate updating a credential: https://technet.microsoft.com/library/hh918477.aspx*

--
Damien Redhead
EDC Application Analyst
