Changing RunAs account in SCOM 2012R2
For SCOM 2007R2, we had SetActionAccount.ps1 to change the RunAs account for a group of servers (from the console, via OM shell). Does anyone have a way to change the RunAs account for a group of servers in 2012R2? I'm not smart enough to hack the SetActionAccount.ps1 for 2012R2.
"Fear disturbs your concentration"
Hi,
param ([string]$newActionAccountName)

# When launched as a console task against a group, the preceding command line
# carries the selected group's Id ("... -Id <guid> ; ..."); extract it.
$str = Get-History | Select-Object -First 1
$str = $str.CommandLine | Out-String
$start = $str.IndexOf("-Id") + 4
$end = $str.IndexOf(" ;", $start)
$length = $end - $start
$context = $str.Substring($start, $length)

$Group = Get-SCOMGroup -Id $context
$mg = Get-SCOMManagementGroup
$newActionAccount = Get-SCOMRunAsAccount -Name $newActionAccountName
$actionAccountRunAsProfile = $mg.GetMonitoringSecureReferenceForActionAccount()

if ($newActionAccount -eq $null -or $newActionAccount.Count -eq 0) {
    throw "Action Account '$newActionAccountName' was not found."
}
if ($newActionAccount.Count -gt 1) {
    throw "More than one action account was found with the same name as '$newActionAccountName'."
}

# Health services whose display name matches a member of the selected group
$ComputerGroup = $Group.GetRelatedMonitoringObjects().DisplayName
$healthServices = Get-SCOMClassInstance -Class (Get-SCOMClass -Name "Microsoft.SystemCenter.HealthService") |
    Where-Object { $ComputerGroup -contains $_.DisplayName }

# Action-account profile mappings that belong to those health services
$secureDataHSRefs = $mg.GetMonitoringSecureDataHealthServiceReferenceBySecureReferenceId($actionAccountRunAsProfile.Id) |
    Where-Object { $healthServices -contains $mg.GetPartialMonitoringObject($_.HealthServiceId) }

foreach ($secureDataHSRef in $secureDataHSRefs) {
    $healthService = $mg.GetMonitoringObject($secureDataHSRef.HealthServiceId)
    $currentActionAccount = $mg.GetMonitoringSecureData($secureDataHSRef.MonitoringSecureDataId)
    "Computer: '" + $healthService.DisplayName + "' ...changing action account" +
        "`n From: '" + $currentActionAccount.Name + "'`n To : '" + $newActionAccountName + "'"
    # Point the health service's action-account mapping at the new Run As account
    $secureDataHSRef.MonitoringSecureDataId = $newActionAccount.Id
    $secureDataHSRef.Update()
}
Similar Messages
-
I know there are plenty of threads on AD integration & Run As accounts\Profiles, but none quite answering my scenario...so here goes.
1 Forest containing 2 domains - abc.com and def.com.
abc.com contains SCOM 2012 infrastructure (Mgmt Servers (MS1, MS2), Ops DB, Reporting DWDB).
abc.com
1. Created SCOM Admins Global Security group
2. Created SCOM_MS_Action domain user account (used during SCOM setup & also Local Admin on all abc.com machines via Action Account AD group/GPO)
3. Ran MomADAdmin.exe DEV-OPSMGR12 "abc\SCOM Admins" abc\SCOM_MS_Action abc.com (SCOM_MS_Action added to SCOM Admins group as a result)
4. Created Auto Agent Assign rule for abc.com against MS1 for "servers", Run As Profile left as default setting.
RESULT: All servers in abc.com populated MS_PrimarySG_xxx group as expected.
def.com
5. Created SCOM Admins Global Security group
6. Created SCOM_AD_Assign domain user account
7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
Do I need to create this?
9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
Do I need to create a new Run As Profile?
Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign rule? I was under the impression never to use the Default MP?
11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
Is this correct?
12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
RESULT: def.com contains OperationsManagement\DEV-OPSMGR12 container but no MS_PrimarySG_xxx group exists?
Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
Thanks in advance - I find these Run As accounts very confusing when it comes to multiple domains!
OK, solved this one myself. To answer my own questions :) this is what needed to be done (whether it's entirely correct or not is up for debate, however I ended up with the result I was after, so I am happy for now):
def.com
5. Created SCOM Admins Global Security group
6. Created SCOM_AD_Assign domain user account
7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
Do I need to create this?
YES
9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
YES, and added the Management Servers as "...the computers to which the credentials will be distributed"
10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
Do I need to create a new Run As Profile?
YES
Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign rule? I was under the impression never to use the Default MP?
Questionable, I did select the Default MP, otherwise the unsealed error occurred when creating the Auto Agent Assign rule
11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
Is this correct?
NO, instead I targeted the Class "AD Assignment Resource Pool"
12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
NO, otherwise alerts appear in regards to abc.com discovery rules breaking. Looks like for additional domains this rule should not be touched.
RESULT: All servers in def.com populated MS_PrimarySG_xxx group as expected
Note: Domain Controllers should not be included in the Auto Assign rules supposedly (makes sense) so I altered the query to ensure they didn't populate in the MS_PrimarySG_xxx group (the exclusion term has to sit inside the outer & so the whole thing stays one LDAP filter):
(&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))
(!(primaryGroupID=516)) equates to exclude DCs.
Hope this helps others
Steve
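An added check, not part of Steve's post, that dry-runs the agent-assignment LDAP filter (with the DC exclusion inside the outer &) through System.DirectoryServices before it goes into the Auto Agent Assignment rule, so you can see which computers would be assigned and confirm no domain controller is among them; the search base DN is a placeholder for your domain.

```powershell
# Added example, not from the thread. Dry-run an Auto Agent Assignment LDAP filter
# against AD and verify that no domain controller (primaryGroupID 516) matches.
# Assumptions: run from a domain-joined host; the DN below is a placeholder.
param(
    [string]$SearchBase = "LDAP://DC=def,DC=com",
    [string]$Filter = "(&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))"
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter = $Filter
$searcher.PageSize = 1000   # paged search so large domains are enumerated completely
$searcher.PropertiesToLoad.AddRange(@('name', 'dnshostname', 'operatingsystem', 'primarygroupid'))

# DirectorySearcher parses the filter; a malformed one (e.g. a second top-level
# expression outside the &) fails here instead of silently doing the wrong thing.
$results = $searcher.FindAll()
try {
    $computers = foreach ($r in $results) {
        [pscustomobject]@{
            Name            = [string]$r.Properties['name'][0]
            DnsHostName     = [string]$r.Properties['dnshostname'][0]
            OperatingSystem = [string]$r.Properties['operatingsystem'][0]
            PrimaryGroupId  = [int]$r.Properties['primarygroupid'][0]
        }
    }
}
finally {
    $results.Dispose()
}

# Sanity check: if any DC came back, the (!(primaryGroupID=516)) term is not in effect.
$dcs = @($computers | Where-Object { $_.PrimaryGroupId -eq 516 })
if ($dcs.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) matched the filter: {1}" -f $dcs.Count, ($dcs.Name -join ', '))
}
else {
    Write-Host ("{0} member server(s) would be assigned; no domain controllers matched." -f @($computers).Count)
}
$computers | Sort-Object Name | Format-Table Name, DnsHostName, OperatingSystem -AutoSize
```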
-
Hi,
After reading many posts and blogs I came to the conclusion that it is still unclear to me what is needed to monitor Active Directory successfully and what is the most secure way of configuring the RunAs or Action Account. I hope the experts here can make a clear statement to answer the question for all time ;-)
1. Action Account:
Here is described what permissions and rights are needed to use a low-privileged account:
https://technet.microsoft.com/en-us/library/hh212808.aspx
Now you might say: that was asked and answered so many times... you are right, but the answers ranged from "run as Local System" to "you need local admin". So the AD MP documentation also still says you need a local admin account.
Here are other references which say you need local admin rights:
http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
Even Kevin Holman says here
https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
"Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. (in most cases)."
Simple questions: Is this really enough to monitor every aspect of an Active Directory domain and domain controller using a low-privilege account with the permissions in the article? Or is using Local System better? Is there a difference when using SCOM 2012R2 with the new agent? Most documentation refers to SCOM 2007 (except the replication monitoring, where it is clear that other permissions are needed:
http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )
The MP guide is not really clear about it. The only thing they are clear about is whenever you want to use client monitoring. In those situations low privileged will not work.
"For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly."
Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
But this is not an answer to your question. :-) -
What rights does AD MP Run as account need on 2012R2 DC's?
Hi!
My AD guy has installed new DCs running Windows Server 2012R2, and now SCOM is having trouble monitoring AD, DNS and DHCP. I will now create an account to use in monitoring AD. My question is:
What rights does this Run As account need to successfully monitor 2012R2 DCs? In my environment use of Domain Admin is severely restricted - do I really need domain admin rights to monitor a 2012R2?
I'm also having trouble using Local System with agents on 2012R2. Is there a restriction here? What rights should an action account have on 2012R2 servers? I get a lot of errors saying that the agent needs "rights to log on locally".
Any help appreciated.
Best regards Rune Haugen
Hi Rune,
Please look at these posts:
http://adinermie.wordpress.com/2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
http://blogs.technet.com/b/kevinholman/archive/2009/02/20/getting-and-keeping-the-scom-agent-on-a-domain-controller-how-do-you-do-it.aspx
As well, check this post in case your agents are installed manually:
http://social.technet.microsoft.com/Forums/systemcenter/en-US/5a64e774-3f14-4ecc-93ea-f36db59a4b07/adding-the-active-directory-helper-object-oomads-to-dc-servers?forum=operationsmanagerauthoring
Natalya -
Changing the password of scom services account.
hello experts,
I have installed a single SCOM Management Server with the following service accounts, all of them domain user accounts:
Action Account
Data Access Service
Data Reader
Data Ware Write Service
I am also monitoring some computers.
But now I have to change the password of all these accounts in AD, so I want to know:
1. Where to change the password of these service accounts on the SCOM Management server.
2. Will changing the passwords affect the working of SCOM and the monitoring of computers which are currently monitored by SCOM?
1. Action account
http://technet.microsoft.com/en-us/library/hh456432.aspx
2. Data Access Service and Configuration Service account
http://technet.microsoft.com/en-us/library/hh456438.aspx
3. Data Reader: Reporting Services Configuration Manager --> modify the passwords of the following accounts: Report Server service account, current report server database credential, execution account
roger -
Running SAPF101 after changing reconciliation accounts
When I run SAPF101 after changing reconciliation accounts in Customer masters, I should see the following adjustments:
Cr old reconciliation account
Dr adjustment account
Cr adjustment account
Dr new reconciliation account
this then corrects the balances in the reconciliation accounts for the period end
and then reverses on the first working day of the next period.
Is my understanding correct?
what I am actually seeing is:
Cr adjustment account
Dr adjustment account
and reverse on the first working day of the next period
My posting results make the exercise meaningless.
Am I missing some config to complete this exercise in full?
Help would be appreciated
After going through this documentation (http://help.sap.com/erp2005_ehp_02/helpdata/en/96/8b335343ce11d189ee0000e81ddfac/frameset.htm) I realize that your understanding is different from what is described. The recon account will not be invoked in the entry.
Since we cannot post to a recon account directly, the line items are posted to the adjustment account. So, only adjustment accounts will be involved.
Let's assume there are ten line items in a customer account. If four line items have gone to the original recon account and the remaining six line items have gone to the new recon account, when you run this program the line items of the original recon account are posted to the adj account of both the recon accounts. The postings to the adj account of the original recon account will negate the effects of the original postings. Therefore both the adj account of the original recon account and the original recon account shall be grouped together in the financial statements.
Similarly, the adj account of the new recon account and the new recon account shall be grouped together in the financial statements.
Once the P&L and B/S are made, you reverse the above entries. The reversal information is included in the program parameters. -
Changing the RunAs account without reinstalling Workflow Manager
For SharePoint 2013 installation, I need to change the RunAs account.
Is it possible to change the RunAs account without reinstalling Workflow Manager/SB Manager, i.e. without a complete uninstall? Even if I remove all servers from the farm, it seems like the RunAs account is always in the Management db, so the RunAs account is pre-populated with the old account.
Thank you
To change the RunAs account of the Service Bus, use the following PowerShell commands:
Stop-SBFarm
Set-SBFarm -RunAsAccount Domain\Username
$RunAsPassword = ConvertTo-SecureString -AsPlainText -Force '<password>'
# [RunOnAllNodes]
Update-SBHost -RunAsPassword $RunAsPassword
Start-SBFarm
Then open the Service Control Manager, navigate to the Workflow Backend Service and change the account manually.
Restart the WF service.
Damir Dobric
developers.de
daenet.de
daenet.eu
daenet.com -
Changing the Account an ECMA 2 runs under
Is there a quick and easy way to change the account an ECMA 2 is using - even for specific tasks? My need is that I have developed the ECMA in a Dev domain but need to copy a file to a production share before we move the ECMA into the Production FIM instance.
My Dev account doesn't exist in the production domain so can't be given the permissions.
Cheers,
Dave
Collect the credential from the GUI of the MA so it will be easy to change. For credentials from the GUI of the MA, add the below code to your ECMA code:
public IList<ConfigParameterDefinition> GetConfigParameters(KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
{
    List<ConfigParameterDefinition> configParametersDefinitions = new List<ConfigParameterDefinition>();
    switch (page)
    {
        case ConfigParameterPage.Connectivity:
            // Prompt for the account on the MA's Connectivity page; the password is
            // stored encrypted by the sync engine and exposed to the code as a SecureString.
            configParametersDefinitions.Add(ConfigParameterDefinition.CreateStringParameter("User Name", ""));
            configParametersDefinitions.Add(ConfigParameterDefinition.CreateEncryptedStringParameter("Password", ""));
            break;
        case ConfigParameterPage.Global:
            break;
        case ConfigParameterPage.Partition:
            break;
        case ConfigParameterPage.RunStep:
            break;
    }
    return configParametersDefinitions;
}
And try to collect the values as:
myUserName = configParameters["User Name"].Value;
IntPtr ptr = Marshal.SecureStringToBSTR(configParameters["Password"].SecureValue);
try { myPassword = Marshal.PtrToStringUni(ptr); }
finally { Marshal.ZeroFreeBSTR(ptr); } // zero and free the unmanaged copy of the secret -
SNMP SCOM 2012R2 Troubleshooting...... Any Tips?
Hi all,
So I'm trying to get my UPS trap alerts in SCOM 2012R2 to work. They work in my SCOM 2007R2 environment but I get nothing in SCOM 2012R2. In SCOM 2012R2 I have also been able to receive traps from our Bluecoat so the rule looks to be working.
Device has been configured to point to the SCOM 2012R2 MS used to manage Network devices
I have discovered the device and it is Healthy
I have created a Rule targeted to Node and no OID specified and Rule Cat: Alert
So I really need to know how I can see why the UPS traps are ignored in SCOM 2012R2. I have also used Wireshark to confirm the trap is reaching the server.
SCOM is just not processing the trap. I think it has to do with the targeting but I need to know what to target. I also tried creating a rule targeted to Host and still no luck.
Between SCOM 2012R2 and SCOM 2007R2 the targeting has changed so I can't even replicate the existing setup.
How can i best see why SCOM is failing to alert on these traps?
Just some additional information the UPS is listed as certified in SCOM 2012R2. Sadly the Bluecoat is not certified and its the only one working.
Thanks
Mike
Thanks Roger,
The SNMP traps are working for the Bluecoat, so SNMP traps are being received and generating alerts, but the traps for the UPS fail to generate alerts on the rule I created. The device was discovered as an SNMP v2 device and Wireshark shows the traps are delivered to the MS as SNMP v2 traps.
Reading this blog, they use a different method and suggest using a collection-based SNMP trap event. So I guess the SNMP service generates an event on the MS and this rule alerts on that event. Is this correct?
I find it strange that the Bluecoat will generate an alert but the UPS won't. The only thing I could see that was different was that if I checked the members of the SNMP group, the Bluecoat type is listed as a Node and the UPS type is listed as a Host.
I was really hoping to find a way to check a log file or run a trace or something to see why the Rule is not alerting when a SNMP trap is received to the MS.
Thanks for the reply
Mike -
OIM 9.1 DB Recon Changes Locked Account status in OIM back to Provisioned
Hi,
I have a scheduled task that runs the OIM DBAccessReconTask but am seeing some unexpected behavior. Here are the steps to produce the error:
1. Provision a DB account to a user in OIM (this creates an account in the target database and the account shows in the user's resource profile with a status of "Provisioned")
2. Disable the DB account in OIM from the User's Resource profile screen (this successfully disables the account in the database and changes the account status to "Disabled")
3. Run the DBAccessReconTask
4. After the DBAccessRecon task completes the status of the DB account in the database is still disabled but in OIM on the user's resource profile screen it is marked as "Provisioned"
I did not expect this to be changed to provisioned in OIM since it is disabled in the database. Has anyone seen similar issues when running the DBAccessReconTask or know a way to fix this?
Hi Suren,
Thanks for the reply. Originally I thought your solution would work but after analyzing it closer there is a more fundamental problem we are having with the DBReconTask. We only want the reconciliation to take place going from OIM to the database and not vice versa (i.e. changes to an account in OIM should be pushed to the database but not from the database to OIM). However, currently if a change is made in the database (a role is added, the profile is changed, etc...) and the DBReconTask is run then it will be updated in OIM. Do you know how this can be achieved? These are the properties we currently use when creating the task:
Properties props = new Properties();
props.put("Target System Login Recon - Resource Object name:", ro.getName());
props.put("Target System User Recon - Resource Object name:", ro.getName());
props.put("Trusted Source Recon - Resource Object name:", "Xellerate User");
props.put("Server", itResource.getName());
props.put("Record Size", "ALL");
props.put("isTrusted", "NO");
props.put("DBName", "nodata");
props.put("ExcludeSystemUsers", "nodata");
props.put("ReconcileLockedUser", "YES");
props.put("Login Name", "nodata"); -
Change Reconciliation account - URGENT !!!
Hi,
Request you to please let me know what is the detailed process of maintaining the balance sheet adjustment account in OBBW and then running the SAPF101 report to allocate the balances in old recon account to new recon account.
This is very urgent so any help right away would be highly appreciated.
(If any one has solved such a problem recently, kindly share your personal number/email ID so that it can be discussed offline)
Thanks in advance,
Aditya
Hi,
We did change the Vendor Reconciliation account after posting the transaction data. The options are as under:
1. If no transaction data is posted to Customer / Vendor account - it is simple and the reconciliation can be changed in the Master record.
2. If the transaction data is already posted and you want to change the reconciliation account in the master record, you can still change it. Here, the transaction data already posted will remain in the old reconciliation account. As and when the old open items are cleared (incoming / outgoing payment) it gets nullified, and all the new postings will be reflected in the new reconciliation account.
3. If the Balance is not zero, we can change the reconciliation Account, but we have to maintain a clearing Account / adjustment in Configuration (Transaction code OBBW) and then execute the transaction F101. While executing this transaction select the check box "Change Rec Account". After executing this transaction, this will move the balance to the new reconciliation account.
Thanks
Murali. -
Hello,
The user asked me to change reconciliation accounts for some vendors and customers.
I've done the following steps:
1/ Set the "Reconciliation Account" field in the vendor master as optional field (customizing)
2/ Define Adjustment Accounts for Changed Reconciliation Accounts (customizing)
3/ Run Balance Sheet Adjustment Program - F101(FAGLF101 in ECC6)
But, there is no posting, and nothing happened.
My questions :
- What is FAGLF101 supposed to do exactly?
- Can the vendors/customers have open items before executing FAGLF101?
Thank you
Hi Tarek
I hope you have actually changed your Recon. account.
You can change the reconciliation Account in the Vendor or customer Master provided the field Status in your configuration allows changing the Reconciliation Account. Also, it is ideal that you change the reconciliation Account when the balance on the Reconciliation Account is Zero.
To clear the reconciliation Account one option is that you create a new open item managed GL Account and use Transaction FB05 to clear each open item in the vendor Account one at a Time and post on the new open item clearing Account. Then change the reconciliation Account in the master data and then again use FB05 to post the transactions back on the vendor Account one at a time.
Refer - Change the Reconciliation account
Rgds,
Zub -
Change recon account and transfer of Open items from Old recon a/c to New recon a/c.
Hi Gurus,
User wants to change the recon account for some customers and also wants the open items to be transferred to the new recon from the old recon account. We follow the following process:
1. Create a New GL Account for Adjustment Postings
2. Change the Customer Master Data with regard to new reconciliation account
3. Update the FI Auto Postings Configuration: Trxn: OBBW (Transaction Key: A00: Transfer postings: changed recon. acct) as under:
Old Reconciliation Account = Adjust Acct xxxx
New Reconciliation Account = Adjust Acct xxxx
4. Run FAGLF101 (ECC 6.0), with the intention that the Balances / Open Items from the OLD Recon would be MOVED to the NEW Recon.
When we execute the last step (4), the following message appears under "Message":
"Account determination for transaction A00 is missing for account PV PUC
Message no. FR005".
Where PV corresponds to valuation area and PUC is our chart of accounts. Furthermore, we run the process of foreign currency valuation at the end of the month.
What configuration is needed, if OBBW and OBA1 have already been configured?
We appreciate any help. Thanks.
Thanks for your answer. The link was helpful; however, today we found a solution to the error. In OBA1, when the transaction shows a window requesting the chart of accounts, we chose the valuation area (option yellow arrow) and completed the configuration. With this I could solve my problem; it was simple.
-
Changing reconciliation account on Vendor Master.
Hi All,
We want to change the reconciliation account for 5 Intercompany vendors. The business reason is to differentiate the normal and Intercompany vendors.
I wanted to know how to send the open items from the old reconciliation account to the new reconciliation account for a Vendor.
Thanks
Rajanikanth
Hi Fren,
The reconciliation account can still be changed. However, some configuration changes need to be done.
A. Set the "Reconciliation Account" field in the vendor master as optional field.
Transaction code: OB23 (IMG)
Change both Accounting and Centrally part.
Set the status of the "reconciliation account" field to optional entry from display only
Next move on to:
B. Define Adjustment Accounts for Changed Reconciliation Accounts
Transaction Code: OBBW
Finally move to,
C. Run Balance Sheet Adjustment Program
Transaction Code: F101
Hope this helps you. -
How to change the account name in Mac OS X via a command line. When I created the account I mistyped the name. I have a management suite where I can execute remote scripts. I would like to run a script that changes the name from oldname to newname.
None of these Macs are currently in use.
Thank you,
Brian
If user account shortname, see Changing user account shortname