Changing RunAs account in SCOM 2012R2

Similar Messages

• AD Integration: 1 Forest containing 2 Domains - Run Accounts/Profiles (SCOM 2012)

  I know there are plenty of threads on AD integration & Run As accounts\Profiles, but none quite answering my scenario...so here goes.
  1 Forest containing 2 domains -
  abc.com and
  def.com.
  abc.comcontains SCOM 2012 infrastructure (Mgmt Servers (MS1, MS2), Ops DB, Reporting DWDB).
  abc.com
  1. Created SCOM Admins
  Global Security group
  2. Created SCOM_MS_Action
  domain user account (used during SCOM setup & also Local Admin on all
  abc.com machines via Action Account AD group/GPO)
  3. Ran MomADAdmin.exe DEV-OPSMGR12 "abc\SCOM Admins" abc\SCOM_MS_Action abc.com
  (SCOM_MS_Action
  added to SCOM Admins group as a result)
  4. Created Auto Agent Assign
  rule for abc.com
  against MS1 for "servers", Run As Profile left as
  default setting.
  RESULT: All servers in abc.com
  populated MS_PrimarySG_xxx
  group as expected.
  def.com
  5. Created SCOM Admins
  Global Security group
  6. Created SCOM_AD_Assign
  domain user account 
  7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com
  (SCOM_AD_Assign added to
  SCOM Admins group as a result)
  8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
  Do I need to create this?
  9. Set "def\SCOM_AD_Assign"
  Run As account to "More Secure"
  Is"More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
  10. Created Run As Profile "def AD Agent Discovery" & assigned to
  Default Management Pack
  Do I need to create a new Run As Profile?
  Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign
  rule? I was under the impression never to use the Default MP?
  11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery"
  Run As Profile, targetting "All Objects"
  Is this correct?
  12. Created Auto Agent Assign
  rule for def.com
  against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
  RESULT: def.com contains OperationsManagement\DEV-OPSMGR12
  container but no MS_PrimarySG_xxx
  group exists?
  Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group,
  Object?
  Thanks in advance - I find these Run As accounts very confusing when it comes to multiple domains!

  OK, solved this one myself. To answer my own questions :) this is what needed to be done (whether it's entirely correct or not is up for debate, however I ended up with the result I was after, so I am happy for now):
  def.com
  5. Created SCOM Admins
  Global Security group
  6. Created SCOM_AD_Assign
  domain user account
  7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com
  (SCOM_AD_Assign added toSCOM Admins group as a result)
  8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
  Do I need to create this? 
  YES
  9. Set "def\SCOM_AD_Assign"Run As account to
  "More Secure"
  Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
  YES, and added the Management Servers as "...the computers to which the credentials will be distributed"
  10. Created Run As Profile "def AD Agent Discovery" & assigned to
  Default Management Pack
  Do I need to create a new Run As Profile?
  YES
  Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign rule? I was under the impression
  never to use the Default MP?
  Questionable, I did select the Default MP, otherwise the unsealed error occured when creating the Auto Agent Assign rule
  11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery"
  Run As Profile, targeting "All Objects"
  Is this correct?
  NO, instead I targeted the Class "AD Assignment Resource Pool"
  12. Created Auto Agent Assign
  rule for def.com
  against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
  Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
  NO, otherwise alerts appear in regards to abc.com discovery rules breaking. Looks like for additional domains this rule should not be touched.
  RESULT: All servers in def.com
  populated MS_PrimarySG_xxx
  group as expected
  Note: Domain Controllers should not be included in the Auto Assign rules supposedly (makes sense) so I altered the query to ensure they didn't populate in the
  MS_PrimarySG_xxx group:
  (&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)) (!(primaryGroupID=516))
   (!(primaryGroupID=516)) equates to exclude DCs.
  Hope this helps others
  Steve

• Again - Active Directory Management Pack - AD MP - SCOM 2012R2 - AD 2012R2 - Action / RunAs Account permissions

  Hi,
  after reading many Posts and Blogs i came to the conclusion that it is still unclear to me what is needed to Monitor Active Directory successfully and what is the securest way configuring the RunAs or Action Account. I hope the experts here can make a clear
  Statement to answer the question for all time ;-)
  1. Action Account:
  Here is described what permissions and rights are needed to use a low-privileged account:
  https://technet.microsoft.com/en-us/library/hh212808.aspx
  Now you might say: that was asked and answered so many times..you are right, but the answer was from run as "local System" to "you Need local admin". So also the AD MP documentation still says you Need a local Admin account.
  here are other references which says you Need local admin rights:
  http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
  Even Kevin Holman says here
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
  "Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. 
  (in most cases).
  "Simple questions: Is this really enought to Monitor every aspect of an ActiveDirectory Domain and Domain Controller using a low privilege account the the permissions in the article? Or is using local System better? Is there a difference when
  using SCOM2012R2 with the new Agent? Most documentation referes to SCOM2007(except the replication Monitoring where it is clear that other permissions are needed:
  http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )

  The MP guide is not really clear about it. The only thing they are clear about is whenever you want to use client monitoring. In those situations low privileged will not work.
  For each of the client-side monitoring scripts to run successfully, the
  Action Account must be a member of the Administrators group on both the computer
  on which the client management pack is running and the domain controller that is being monitored. The
  Action Account must also be a member of the
  Operations Manager Administrators group, which is configured through the Operations console in so that all the scripts that are configured on the Root Management Server can run properly
  Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
  The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
  See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
  But this not an answer to your question. :-)

• What rights does AD MP Run as account need on 2012R2 DC's?

  Hi!
  My AD-guy has installed new DC's running Windows server 2012R2, and now SCOM is having trouble monitoring AD, DNS and DHCP. I will now create an account to use in monitoring AD. My question is:
  What rights does this Run as account need to successfully monitor 2012R2 DC's. In my environment use of Domain Admin is serverly restricted - do I really need domain admin rights to monitor an 2012R2.
  I'm alos having touble using Local System with agents on 2012R2. Is there a restriction here? What rights should an action account have on 2012R2 servers? I get a lot of errors saying that teh agent need "rights to log on locally".
  Any help apprecited.
  Best regards Rune Haugen

  Hi Rune,
  Please look at these posts:
  http://adinermie.wordpress.com/2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
  http://blogs.technet.com/b/kevinholman/archive/2009/02/20/getting-and-keeping-the-scom-agent-on-a-domain-controller-how-do-you-do-it.aspx
  As well, check this post in case if your agents are installed manually:
  http://social.technet.microsoft.com/Forums/systemcenter/en-US/5a64e774-3f14-4ecc-93ea-f36db59a4b07/adding-the-active-directory-helper-object-oomads-to-dc-servers?forum=operationsmanagerauthoring
  Natalya

• Changing the password of scom services account.

  hello experts,
  I have installed Single  SCOM Management Server with following services accounts , all the Domain Users account :
  Action Account
  Data Access Service
  Data Reader
  Data Ware Write Service
  also monitoring some of Computers.
  But now I have to change password of all these accounts  from AD,then I wants to know :-
  1. Where change the Password of  these Services Account on SCOM Management server.
  2.Are changing the passwords will effect the working of SCOM and monitoring of computer which are currently under monitoring of scom.

  1. Action account
     http://technet.microsoft.com/en-us/library/hh456432.aspx
  2. Data Access Service and Configuration Service account
    http://technet.microsoft.com/en-us/library/hh456438.aspx
  3. data Reader: reporting services configuration manager --> modify the following acouunts password , Report server service account , curent report server database credential, execution account
  roger

• Running SAPF101 after changing reconciliation accounts

  When I run SAPF101 after changing reconciliation accounts in Customer masters should  see the following adjustments:
  Cr old reconciliation account
  Dr adjustment account
  Cr adjustment account
  Dr new reconciliation account
  this then corrects the balances in the reconciliation accounts for the period end
  and then reverses on the first working day of the next period.
  Is my understanding correct?
  what I am actually seeing is:
  Cr adjustment account
  Dr adjustment account
  and reverse on the first working day of the next period
  My posting results make the exercise meaningless.
  Am I missing some config to complete this exercise in full?
  Help would be appreciated

  After going through this <a href="http://help.sap.com/erp2005_ehp_02/helpdata/en/96/8b335343ce11d189ee0000e81ddfac/frameset.htm">Documentation</a> I realize that your understanding is different from what is described. The recon account will not be invoked in the entry.
  Since we cannot post to a recon account directly, the line items are posted to the adjustment acccount. So, only adjustment accounts will be involved.
  Let's assume there ten line items in a customer account. If four line items have gone to original recon account  and the remaining six line items have gone to new recon account. When you run this program, the line items of original recon account are posted to the adj account of both the recon accounts. The postings to the adj account of the original recon account will negate the effects of the original postings. Therefore both the adj account of the original recon account and the original recon account shall be grouped together, in the financial statements.
  Similarly,  the adj account of the new recon account and the new recon account shall be grouped together in the financial statements.
  Once the P&L and B/S are made, you reverse the above entries. The reversal information is included in the program parameters.

• Changing the RunAs account without reinstalling Workflow Manger

  For SharePoint 2013 installation, I need to change the RunAs account.
  is it possible to change the RunAs account without reinstalling Workflow Manger/SB Manager without complete uninstall? Even if I remove all servers from the farm, seems like the RunAs account is always in Management db, so RunAs account is pre-populated
  with the old account.
  Thank you

  To change the RunAs account of the Service Bus, use following PowerShell commands:
  Stop-SBFarm
  Set-SBFarm -RunAsAccount Domain\Username
  $RunAsPassword = ConvertTo-SecureString
  -AsPlainText -Force
  '<password>'
  [RunOnAllNodes] Update-SBHost
  -RunAsPassword $RunAsPassword
  Start-SBFarm
  Then open the Service Control Manager and navigate to Workflow Backend Service and change manually the account.
  Restart the Wf Service.
  Damir Dobric
  developers.de
  daenet.de
  daenet.eu
  daenet.com

• Changing the Account an ECMA 2 runs under

  Is there a quick and easy way to change the account an ECMA 2 is using - even for specific tasks? My need is that I have developed the ECMA in a Dev domain but need to copy a file to a production share before we move the ECMA into the Production FIM instance.
  My Dev account doesn't exist in the production domain so can't be given the permissions. 
  Cheers,
  Dave

  Collect the credential from GUI of MA so it will be easy to change , for credential from GUI of MA add the below code in your ECMA code
     public IList<ConfigParameterDefinition> GetConfigParameters(KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
              List<ConfigParameterDefinition> configParametersDefinitions = new List<ConfigParameterDefinition>();
              switch (page)
                  case ConfigParameterPage.Connectivity:
               configParametersDefinitions.Add(ConfigParameterDefinition.CreateStringParameter("User Name",""));
                        configParametersDefinitions.Add(ConfigParameterDefinition.CreateEncryptedStringParameter("Password",""));
                      break;
                  case ConfigParameterPage.Global:
                      break;
                  case ConfigParameterPage.Partition:
                      break;
                  case ConfigParameterPage.RunStep:
                      break;
              return configParametersDefinitions;
  And try to collect the value as
    myUserName = configParameters["User Name"].Value;
              IntPtr ptr = Marshal.SecureStringToBSTR(configParameters["Password"].SecureValue);
              myPassword = Marshal.PtrToStringUni(ptr);

• SNMP SCOM 2012R2 Troubleshooting...... Any Tips?

  Hi all,
  So I'm trying to get my UPS trap alerts in SCOM 2012R2 to work. They work in my SCOM 2007R2 environment but I get nothing in SCOM 2012R2. In SCOM 2012R2 I have also been able to receive traps from our Bluecoat so the rule looks to be working.
  Device has been configured to point to the SCOM 2012R2 MS used to manage Network devices
  I have discovered the device and it is Healthy
  I have created a Rule targeted to Node and no OID specified and Rule Cat: Alert
  So i really need to know how I can see why the UPS traps are ignored in SCOM 2012R2. I have also used Wireshark to confirm the trap is reaching the server.
  SCOM is just not processing the trap. I think it has to do with the targeting but I need to know what to target. I also tried creating a rule targeted to Host and still no luck.
  Between SCOM 2012R2 and SCOM 2007R2 the targeting has changed so I can't even replicate the existing setup.
  How can i best see why SCOM is failing to alert on these traps?
  Just some additional information the UPS is listed as certified in SCOM 2012R2. Sadly the Bluecoat is not certified and its the only one working.
  Thanks
  Mike

  Thanks Roger,
  The SNMP traps are are working for the Bluecoat, so SNMP traps are being received and generating alerts but the traps for the UPS fail to generate alerts on the rule I created. The device was discovered as a SNMP V2 device and Wireshark shows the traps are
  delivered to the MS as SNMP v2 traps.
  Reading this blog, they use a different method and suggest using an collection based SNMP trap Event. So I guess the SNMP service generates an event on the MS and this rule alerts on that event. Is this correct?
  I find it strange that the bluecoat will generate an alert but the UPS won't. The only thing I could see that was different was if I checked the members of the SNMP group the Bluecoat type is listed as a Node and the UPS type is listed as a Host. 
  I was really hoping to find a way to check a log file or run a trace or something to see why the Rule is not alerting when a SNMP trap is received to the MS.
  Thanks for the reply
  Mike

• OIM 9.1 DB Recon Changes Locked Account status in OIM back to Provisioned

  Hi,
  I have a scheduled task that runs the OIM DBAccessReconTask but am seeing some unexpected behavior. Here are the steps to produce the error:
  1. Provision a DB account to a user in OIM (this creates an account in the target database and the account shows in the user's resource profile with a status of "Provisioned")
  2. Disable the DB account in OIM from the User's Resource profile screen (this successfully disables the account in the database and changes the account status to "Disabled")
  3. Run the DBAccessReconTask
  4. After the DBAccessRecon task completes the status of the DB account in the database is still disabled but in OIM on the user's resource profile screen it is marked as "Provisioned"
  I did not expect this to be changed to provisioned in OIM since it is disabled in the database. Has anyone seen similar issues when running the DBAccessReconTask or know a way to fix this?

  Hi Suren,
  Thanks for the reply. Originally I thought your solution would work but after analyzing it closer there is a more fundamental problem we are having with the DBReconTask. We only want the reconciliation to take place going from OIM to the database and not vice versa (i.e. changes to an account in OIM should be pushed to the database but not from the database to OIM). However, currently if a change is made in the database (a role is added, the profile is changed, etc...) and the DBReconTask is run then it will be updated in OIM. Do you know how this can be achieved? These are the properties we currently use when creating the task:
  Properties props = new Properties();
  props.put("Target System Login Recon - Resource Object name:", ro.getName());
  props.put("Target System User Recon - Resource Object name:", ro.getName());
  props.put("Trusted Source Recon - Resource Object name:", "Xellerate User");
  props.put("Server", itResource.getName());
  props.put("Record Size", "ALL");
  props.put("isTrusted", "NO");
  props.put("DBName", "nodata");
  props.put("ExcludeSystemUsers", "nodata");
  props.put("ReconcileLockedUser", "YES");
  props.put("Login Name", "nodata");

• Change Reconciliation account - URGENT !!!

  Hi,
  Request you to please let me know what is the detailed process of maintaining the balance sheet adjustment account in OBBW and then running the SAPF101 report to allocate the balances in old recon account to new recon account.
  This is very urgent so any help right away would be highly appreciated.
  (If any one has solved such a problem recently, kindly share your personal number/email ID so that it can be discussed offline)
  Thanks in advance,
  Aditya

  Hi,
  We did change the Vendor Reconciliation account after posting the transaction data. The options are as under:
  1. If no transaction data is posted to Customer / Vendor account - it is simple and the reconciliation can be changed in the Master record.
  2. If the transaction data is already posted and if you want to change the reconciliation account in the master record, you can still change it. Here, the transaction data already posted will remain the old reconciliation. As and when the old open items are cleared (incoming / outgoing payment) it gets nullified and all the new postings will be reflected in the new reconciliation account.
  3. If the Balance is not zero, we can change the reconciliation Account, but we have to maintain a clearing Account / adjustment in Configuration (Transaction code OBBW) and then execute the transaction F101. While executing this transaction select the check box "Change Rec Account". After executing this transaction, this will move the balance to the new reconciliation account.
  Thanks
  Murali.

• Change Reconciliation Account

  Hello,
  The user ask me to change Reconciliation accounts for some vendors and customers.
  I've done the following steps:
  1/ Set the u201CReconciliation Accountu201D field in the vendor master as optional field (customizing)
  2/ Define Adjustment Accounts for Changed Reconciliation Accounts (customizing)
  3/ Run Balance Sheet Adjustment Program - F101(FAGLF101 in ECC6)
  But, there is no posting, and nothing happened.
  My questions :
        - What FAGLF101 is supposed to do exactly ?
        - The vendor/customers can have open items before executing FAGLF101 ?
  Thanks you

  Hi Tarek
  I hope you have actually changed your Recon. account
  You can change the reconciliation Account in the Vendor or customer Master provided the field Status in your configuration allows changing the Reconciliation Account. Also, it is ideal that you change the reconciliation Account when the balance on the Reconciliation Account is Zero.
  To clear the reconciliation Account one option is that you create a new open item managed GL Account and use Transaction FB05 to clear each open item in the vendor Account one at a Time and post on the new open item clearing Account. Then change the reconciliation Account in the master data and then again use FB05 to post the transactions back on the vendor Account one at a time.
  Refer - Change the Reconciliation account
  Rgds,
  Zub

• Change recon account and transfer of Open items from Old recon a/c to New recon a/c.

  Hi Gurus,
  User want to change recon account for some customer  and also wants the open items to be transferred to new recon from old recon account. We follow the following process:
  Create a New GL Account for Adjustment Postings
  Change the Customer Master Data with regard to new  reconciliation account
  Update the FI Auto Postings Configuration: Trxn: OBBW (Transaction Key: A00: Transfer postings: changed recon. acct) as under:
  Old Reconciliation Account = Adjust Acct xxxx
  New Reconciliation Account = Adjust Acct xxxx
  4. Run FAGLF101 (ECC 6.0), with the intention, that the Balances / Open Items from OLD Recon would be MOVED to the NEW Recon.
  When we execute the last step (4) in “Message” appears the following message:
  “Account determination for transaction A00 is missing for account  PV PUC
  Message no. FR005”.
  Where PV corresponds to valuation area and PUC is our chart of account. Furthermore, we run the process of foreign currency valuation at the end of the month.
  What configuration is needed, If OBBW and OBA1 already been configured?.
  We appreciate any help.Thanks.

  Thanks for you answer.  The link was helpful; however, today we find a solution to the error. In OBA1 when in the transaction appears a window requesting the chart of account, we chose the valuation area (option yellow arrow) and completed the configuration. With this, i could solve my problem, it was simple.

• Changing reconciliation account on Vendor Master.

  Hi All,
  We want to change the reconciliation account for 5 Intercompany vendors. The business reason is to differenciate the normal and Intercompany vendors.
  I wanted to know how to send the open items from the old reconciliation account to the new reconciliation account for a Vendor.
  Thanks
  Rajanikanth

  Hi Fren,
  The reconciliation account can still be changed. However there is some configuration changes needs to be done.
  A. Set the u201CReconciliation Accountu201D field in the vendor master as optional field.
  Transaction code: OB23 (IMG)
  Change both Accounting and Centrally part.
  Set the status of u201Creconciliation accountu201D field to optional entry from display only
  Next move on to:
  B. Define Adjustment Accounts for Changed Reconciliation Accounts
  Transaction Code: OBBW
  Finally move to,
  C. Run Balance Sheet Adjustment Program
  Transaction Code: F101
  Hope this helps you.

• HT1428 How to change the account name in Mac OS X via a command line. I did a type-o on the account name. So instead of it saying "Company" it says "Comany"  for the account logon.

  How to change the account name in Mac OS X via a command line. When I created the account I mistyped the name. I have a management suite where I can execute remote scripts. I would like to run a script that changes the name from oldname to newname.
  None of these Macs have been used currently.
  Thank you,
  Brian

  If user account shortname, see Changing user account shortname