Thanks for the information Kevin.

On Mon, Jan 11, 2016 at 11:34 AM, Kevin Holman <[email protected]> wrote:

> No. Not saying that.
>
> I’m saying you should probably research the different types of accounts and where they are used in the documentation a little better – to make sure any changes you make don’t cause an outage in the future.
>
> The existence of accounts under the “action account” type in the console is largely meaningless. Those are simply the existence of a credential. What matters is – where is the credential used – what profiles is it associated with.
>
> On a fairly generic deployment – there will be two accounts listed here – one is “local system” and the other will be the Management Server Action Account (MSAA). Ignore the description – it is generic.
>
> The local system action account is typically used as the default agent action account for agents. The management server action account could be associated with a wide ranging number of profiles, depending on who set up the infrastructure and what their security intentions were.
>
> If you inherited the system, you should get an understanding of the accounts present, and document what profiles they are assigned/associated with, and why. That will help you understand how they are used and if they are being used according to best practices.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Damien Redhead
> *Sent:* Monday, January 11, 2016 10:23 AM
> *To:* [email protected]
> *Subject:* Re: [msmom] Changing default run as account
>
> Hi Kevin,
>
> Thanks for the response. There are two accounts under the Action Account. One is the Local System Action Account which has the description: Built in SYSTEM account to be used as an action account.
>
> The second account is the one that we updated the password this weekend and it has the description of: This is the user account under which all rules run by default on the agent. This account was there when I inherited the system. Am I correct in understanding you when you say this account is not necessary and should be removed?
>
> On Mon, Jan 11, 2016 at 11:09 AM, Kevin Holman <[email protected]> wrote:
>
> > Responses below:
> >
> > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Damien Redhead
> > *Sent:* Monday, January 11, 2016 9:56 AM
> > *To:* [email protected]
> > *Subject:* [msmom] Changing default run as account
> >
> > Good morning folks.
> >
> > As we all know the default run as account is a powerful account that has access to all systems reporting to SCOM.
> >
> > *[KH] That is not true and not necessarily a best practice.*
> >
> > *In fact – you need to be more clear. There is no “default runas account” really.*
> >
> > *There is the Management Server Action account which is designed to run responses and workflows ON the management servers.*
> >
> > *There is the “Default Agent Action Account” which should generally be local system.*
> >
> > *There are NO accounts which “have access to all systems reporting to SCOM”. This is something each organization chooses to set up. In order to PUSH the agent from SCOM management servers, SOME customers might configure the MSAA to have local admin rights on all systems to ease this administrative burden, but that is certainly not a default nor would I recommend that course of action. You never see it in a highly secured customer environment either.*
> >
> > We changed ours this weekend with no ill effects which allows me to think that I can have this password changed automatically once a month.
> >
> > I'm wondering if there is a mechanism out there that could update the password in SCOM itself instead of having a manual task to go in and update it?
> >
> > *[KH] It would help to know specifically what account you are talking about. As far as changing passwords – you can change any password for any RunAs account used in SCOM.*
> >
> > *For using the SDK to automate updating a credential:*
> > https://technet.microsoft.com/library/hh918477.aspx
> >
> > --
> > Damien Redhead
> > EDC Application Analyst

--
Damien Redhead
EDC Application Analyst
