No. Not saying that. I'm saying you should probably research the different types of accounts and where they are used in the documentation a little better, to make sure any changes you make don't cause an outage in the future.

The existence of accounts under the "action account" type in the console is largely meaningless. Those are simply the existence of a credential. What matters is where the credential is used and what profiles it is associated with. On a fairly generic deployment there will be two accounts listed here: one is "local system" and the other will be the Management Server Action Account (MSAA). Ignore the description; it is generic. The local system action account is typically used as the default agent action account for agents. The management server action account could be associated with a wide-ranging number of profiles, depending on who set up the infrastructure and what their security intentions were. If you inherited the system, you should get an understanding of the accounts present, and document what profiles they are assigned/associated with, and why. That will help you understand how they are used and if they are being used according to best practices.

From: [email protected] [mailto:[email protected]] On Behalf Of Damien Redhead
Sent: Monday, January 11, 2016 10:23 AM
To: [email protected]
Subject: Re: [msmom] Changing default run as account

Hi Kevin,

Thanks for the response. There are two accounts under the Action Account. One is the Local System Action Account, which has the description: "Built in SYSTEM account to be used as an action account." The second account is the one whose password we updated this weekend, and it has the description: "This is the user account under which all rules run by default on the agent." This account was there when I inherited the system. Am I correct in understanding you when you say this account is not necessary and should be removed?

On Mon, Jan 11, 2016 at 11:09 AM, Kevin Holman <[email protected]> wrote:

Responses below:

From: [email protected] [mailto:[email protected]] On Behalf Of Damien Redhead
Sent: Monday, January 11, 2016 9:56 AM
To: [email protected]
Subject: [msmom] Changing default run as account

Good morning folks. As we all know, the default run as account is a powerful account that has access to all systems reporting to SCOM.

[KH] That is not true and not necessarily a best practice. In fact, you need to be more clear. There is no "default runas account" really. There is the Management Server Action Account, which is designed to run responses and workflows ON the management servers. There is the "Default Agent Action Account", which should generally be local system. There are NO accounts which "have access to all systems reporting to SCOM". This is something each organization chooses to set up. In order to PUSH the agent from SCOM management servers, SOME customers might configure the MSAA to have local admin rights on all systems to ease this administrative burden, but that is certainly not a default, nor would I recommend that course of action. You never see it in a highly secured customer environment either.

We changed ours this weekend with no ill effects, which allows me to think that I can have this password changed automatically once a month. I'm wondering if there is a mechanism out there that could update the password in SCOM itself instead of having a manual task to go in and update it?

[KH] It would help to know specifically what account you are talking about. As far as changing passwords: you can change any password for any RunAs account used in SCOM.

For using the SDK to automate updating a credential: https://technet.microsoft.com/library/hh918477.aspx

--
Damien Redhead
EDC Application Analyst
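An added example (not code from the thread, and not Microsoft's own) showing the sequence Kevin describes: inventory each Run As account and where it is distributed before touching it, then rotate one account's stored credential with the OperationsManager PowerShell module. The management server name and the account name are placeholders, and the distribution property names follow the documented output of Get-SCOMRunAsDistribution.

```powershell
# Added example, not from the thread. Assumes the OperationsManager module
# (installed with the SCOM console) and a management server to connect to.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'ms01.example.local'   # placeholder

# 1. Inventory: every Run As account with its type and distribution scope.
#    Compare this against your documentation of profile associations before
#    changing anything; an account pushed to many agents is almost certainly
#    in use somewhere, whatever its generic description says.
$inventory = foreach ($acct in Get-SCOMRunAsAccount) {
    $dist = Get-SCOMRunAsDistribution -RunAsAccount $acct
    [pscustomobject]@{
        Name        = $acct.Name
        Type        = $acct.AccountType
        Security    = $dist.Security                      # LessSecure / MoreSecure
        TargetCount = @($dist.SecureDistribution).Count   # health services holding it
    }
}
$inventory | Sort-Object Name | Format-Table -AutoSize

# 2. Rotation: replace the credential SCOM stores for one Windows account.
#    This updates only SCOM's copy; the password in Active Directory must be
#    changed separately (do that first), or every workflow using the account
#    fails at the next logon. Profile associations and distribution are untouched.
$accountName = 'Management Server Action Account'   # placeholder
$newCred = Get-Credential -Message "New password for $accountName"   # a scheduled job would read a vault instead
Set-SCOMRunAsAccount -Windows -Name $accountName -RunAsCredential $newCred

# 3. Confirm the change was recorded.
Get-SCOMRunAsAccount -Name $accountName | Select-Object Name, LastModified
```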
