During the installation of MOM 2005, you established an Action Account. Unfortunately, you were too busy being excited about what was cool about MOM 2005 to be paying attention to something as petty as security. Now that it's set, you're not sure what it does or what security it actually requires. In fact, you're not even sure where to change the account MOM uses. Being the imperturbable administrator, you simply panic.
In all seriousness, the Action Account has various functions, many of them integral to the tasks MOM 2005 performs. In today's IT environment, attention to security can make or break a project. Take some time to read through the benefits of the Action Account and how best to implement it in your environment.
Benefits of an Action Account:
- Runs computer discovery and tasks issued from the MOM console.
- Performs agent push-installations (similar to SMS 2003 Client Push Installation account).
- Executes uninstallations and settings updates for agent-managed computers.
- Runs responses and scripts on agent-managed computers (including the Management Server).
- Manages actions on agentless and agent-managed computers.
- Collects data from agentless and agent-managed computers.
- Communicates with agentless and agent-managed computers.
To perform some of the tasks listed above, the Action Account will need administrative privileges on MOM agents. On agents running Windows Server 2003, a low-rights domain account granted a specific set of additional privileges can be used instead (push installation is the exception, although it can be done through other methods). You can even use a different Action Account for each agent; however, this may be a daunting task to maintain properly. More details on the exact permissions required for the Action Account on the Management Server, as well as on MOM agents, can be found in the MOM 2005 Security Guide.
Administering the Action Account:
There are two ways you can administer the Action Account after it has been established during installation. The first is inside the MOM 2005 Administrator Console under Administration / Computers / Agent-managed Computers. If you're interested in establishing per-agent Action Accounts, this is where to do it. (Keep in mind that while you can change the Action Accounts on agent-managed computers through this method, the Management Server Action Account must be administered through the second method.)
- Navigate to Agent-managed computers.
- Highlight the agents (some or all) for which you will be changing the Action Account.
- Right-click on the highlighted selection. Choose All Tasks > Update Agent Settings.
- Specify to use the default Management Server Action Account or specify an Action Account specific for the agent (or group of agents).
The second method is through the SetActionAccount.exe tool located under the %ProgramFiles%\Microsoft Operations Manager 2005 directory. This is a command-line tool that only accepts two switches -- making it very easy to use. Running either command requires prefacing the command switch with the Configuration Group name. All changes to the MOM Action Account must be followed by a restart of the MOM service on the Management Server for the changes to become effective. Usage, an example, and the resulting output are listed for each:
SetActionAccount.exe [Configuration Group Name] -query
Issuing this command returns the current account information.
Ex: SetActionAccount.exe MOM2005POC -query
Providers and responses run as MOMDomain\MyMOMActionAccount
SetActionAccount.exe [Configuration Group Name] -set
Issuing this command starts a password dialog which will reset the Action Account on completion.
Ex: SetActionAccount.exe MOM2005POC -set
(notice no backslash between domain and username)
Enter password : (input text is hidden)
Re-enter password : (input text is hidden)
Action account set.
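As an added example (not from the article or the MOM product), the following PowerShell script wraps the two switches above into a single audit-and-rotate routine: it reads the current account from the -query output, warns if it is not the expected low-rights account, and, when asked to rotate, runs -set and then performs the MOM service restart the article requires. The tool path, the service name "MOM", the expected account name and the configuration group name are assumptions, the last two taken from the article's own examples.

```powershell
# Added example, not part of the original article or of MOM 2005.
# Assumes: SetActionAccount.exe under %ProgramFiles%\Microsoft Operations Manager 2005,
# the Management Server service is named "MOM", and the script runs on the Management Server.
param(
    [string]$ConfigGroup     = 'MOM2005POC',                    # configuration group from the article
    [string]$ExpectedAccount = 'MOMDomain\MyMOMActionAccount',  # low-rights account you intend to use
    [switch]$Rotate                                             # actually run -set and restart MOM
)

$tool = Join-Path $env:ProgramFiles 'Microsoft Operations Manager 2005\SetActionAccount.exe'
if (-not (Test-Path $tool)) { throw "SetActionAccount.exe not found at $tool" }

# -query prints a line of the form "Providers and responses run as DOMAIN\user";
# pull the account out of that line so it can be compared rather than eyeballed.
function Get-MomActionAccount {
    $output = & $tool $ConfigGroup -query 2>&1
    foreach ($line in $output) {
        if ($line -match 'run as\s+(\S+)\s*$') { return $Matches[1] }
    }
    throw "Unexpected -query output: $($output -join ' | ')"
}

$current = Get-MomActionAccount
Write-Host "Current Action Account for '$ConfigGroup': $current"
if ($current -ine $ExpectedAccount) {
    Write-Warning "Action Account differs from the expected low-rights account '$ExpectedAccount'."
}

if ($Rotate) {
    # -set is interactive: it prompts for the account and password (input hidden).
    & $tool $ConfigGroup -set

    # The article notes the change only takes effect after the MOM service restarts.
    Restart-Service -Name 'MOM' -Force
    (Get-Service -Name 'MOM').WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    # Confirm the new value is what MOM now reports, not just what was typed.
    $after = Get-MomActionAccount
    if ($after -ine $ExpectedAccount) {
        Write-Warning "After rotation MOM reports '$after', not '$ExpectedAccount'."
    } else {
        Write-Host "Action Account verified as $after and MOM service restarted."
    }
}
```

Run it without -Rotate first to audit; it then only reads the current setting and makes no change.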
For more information:
MOM 2005 Security Guide -- online documentation
http://www.microsoft.com/technet/prodtechnol/mom/mom2005/secguide.mspx
MOM 2005 Security Guide -- document download
ABOUT THE AUTHOR: Marcus Oh works for Cox Communications, Inc. in Alpharetta, GA, deploying MOM for 250+ servers, rolling out SMS 2003 and Windows 2003, and supporting the company's directory services infrastructure.
This article first appeared in myITforum, an online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. It is part of the TechTarget network of Web sites.
This was first published in September 2004