Using Run As Account credentials

I want to use Run As Account (SCOM) credentials (created by me using simple authentication) in a PowerShell script (on the RMS machine).
Can I get the username and password and pass these into my script?
Regards,
Ravi

Hi!
Long time ago...
I assume you need to hand over the username and password as parameters to your PoSh workflow. For that you should add the following to your probe action where you trigger the PowerShell module:
<Parameter>
<Name>RunAsUsername</Name>
<Value>$RunAs[Name="your.mp.namespace.here.RunAsProfile"]/UserName$</Value>
</Parameter>
<Parameter>
<Name>RunAsPassword</Name>
<Value>$RunAs[Name="your.mp.namespace.here.RunAsProfile"]/Password$</Value>
</Parameter>
Within your script you can create a PSCredential object if needed:
$RunAsCredential = New-Object System.Management.Automation.PSCredential -Argumentlist @($RunAsUsername,(ConvertTo-SecureString -String $RunAsPassword -AsPlainText -Force))
Now you can access that secure variable in a given cmdlet (mostly by -credential $RunAsCredential).
HTH (still),
Patrick
http://www.syliance.com | http://www.systemcenterrocks.com
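
A probe script that receives the two parameters from the answer above, shown as an added example that is not part of the original thread. `$TargetComputer`, the remote command and the property bag value names are hypothetical, and the check for an unsubstituted `$RunAs[...]$` value is a defensive assumption rather than documented SCOM behaviour.

```powershell
# Added example, not code from the original thread.
# $RunAsUsername / $RunAsPassword match the <Parameter> names in the answer above.
# $TargetComputer and the remote command are hypothetical.
param(
    [string] $RunAsUsername,
    [string] $RunAsPassword,
    [string] $TargetComputer = 'server01.example.test'   # constructed sample value
)

$ErrorActionPreference = 'Stop'

function New-RunAsCredential {
    param([string] $UserName, [string] $Password)

    # Defensive check (an assumption, not documented SCOM behaviour): reject
    # empty values and values that still look like an unsubstituted
    # $RunAs[...]$ reference, so the script never authenticates with junk.
    foreach ($value in @($UserName, $Password)) {
        if ([string]::IsNullOrEmpty($value) -or $value -like '$RunAs[[]*') {
            throw 'Run As credential was not supplied to the script.'
        }
    }

    # The password arrives as plain text, so -AsPlainText -Force is required here.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $secure.MakeReadOnly()
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

$RunAsCredential = New-RunAsCredential -UserName $RunAsUsername -Password $RunAsPassword

# Drop the script's reference to the plain-text copy. .NET strings cannot be
# zeroed, so this narrows the exposure window rather than eliminating it.
Remove-Variable -Name RunAsPassword

# Return results to the workflow as a property bag.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
try {
    $os = Invoke-Command -ComputerName $TargetComputer -Credential $RunAsCredential -ScriptBlock {
        (Get-WmiObject -Class Win32_OperatingSystem).Caption
    }
    $bag.AddValue('Status', 'OK')
    $bag.AddValue('OperatingSystem', [string]$os)
}
catch {
    # Report the failure and the account name only, never the password
    # or the credential object itself.
    $bag.AddValue('Status', 'Error')
    $bag.AddValue('Account', $RunAsCredential.UserName)
    $bag.AddValue('Message', $_.Exception.Message)
}
$bag
```

Because the password reaches the script as an ordinary string parameter, keep it out of any logging or tracing the script does and restrict distribution of the Run As account to the agents that actually run this workflow.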

Similar Messages

  • Run As Account Credentials Distribution (More Secure option)

    Hi
    I am a bit confused about in which scenarios we should distribute Run As Account credentials to a Resource Pool.
    I mean, we have by default three Resource Pools (AD Assignment, All Management Servers and Notification Resource Pool) in SCOM, and we create two more pools, basically for Network Device Monitoring and Unix/Linux Monitoring.
    Let's take an example: I have to discover and monitor Unix computers and network devices. So I have configured one Run As Account for Unix monitoring and one SNMP v2 Run As Account for network device monitoring. So in both of these scenarios, on which basis should I distribute these Run As Account credentials, and to which computers/resource pools?
    Please let me know if anybody knows about this.
    Thanks in advance.
    Abhinav | MCTS-Server Virtualization

    For Unix runas account, you should distribute the account to all UNIX machines and SNMP runas account is distributed to machines which run the network discovery rule.
    Roger

    This is not correct.
    For UNIX/Linux monitoring, the credentials should be distributed to your custom "UNIX/Linux monitoring resource pool" or whatever you choose to call it. There is no UNIX/Linux monitoring resource pool out of the box - you need to create one, and it can be any combination of management servers you want (or you certainly can use the All Management Servers resource pool if you have a small environment and no dedicated UNIX MS's).
    For network monitoring (SNMP), the credentials are automatically distributed to the correct entities when you create the account in the discovery wizard (to network discovery servers class or something like that - I don't have a console in front of me...).
    There is no need to manually set up distribution of these credentials.
    Please answer responsibly.
    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

  • Using HTML DB account credentials

    Using HTML DB account credentials and login page, I created two groups - one for managers and one for users. The schema is to be shared and has other groups that should not be allowed to view the application. When setting rights on the page items (queries, tabs), only one group can be added. I would like managers to be able to view pages 1,2, and 3 and users to be able to view pages 1 and 2. When granting the managers rights to page 3 and users rights to page 1 and 2, this works fine for the users, but managers cannot view pages 1 and 2. If I add managers to the users group, they cannot access page 3. What is the best practice for doing this?

    Thank you for responding. I apologize for being Anonymous, that was not my intention. I implemented the authentication scheme by going to the Page Definition and selecting the Region. Going down to the Authorization section, I selected an Authorization Scheme with the users that I wish to have permissions. The ability to use compound rules sounds like what I need.
    Doris

  • Why can't I connect one Windows 8.1 PC to other Windows 8.1 PCs in my workgroup when using a Microsoft Account?

    I finally decided to convert some of my local accounts to Microsoft Accounts on my Windows 8.1 PCs. Big mistake to this point.
    I have two PC's with the same Microsoft Account set up, neither PC can browse to the other or map a drive through browsing.
    I'm not using a homegroup. My daughter has one setup on her laptop and desktop, and I don't want my PC's on her homegroup. Until Microsoft makes it possible to have 2 homegroups on the same subnet, this is not an option.
    The local accounts on both PC's have no problem browsing, mapping, etc. I can connect to the other PC's just fine using local accounts, so I know physical connectivity isn't an issue, neither is my anti-virus or really anything else system wide on either computer.
    I just can't attach automatically using a Microsoft Account. I have to manually map a drive every logon/reboot.
    I have also found that running a logon script doesn't work. The drives will not map automatically.
    The Microsoft Account users can map a drive using "Connect using different credentials." However, the credentials don't hold across reboots.
    I can manually (using either a Microsoft Account or a local account) map a drive using "net use" which then opens up all of my mapped drives and allows for browsing to the other PC. However, this doesn't work across reboots/logons either.
    Entering credentials in the Credentials Manager (Whether I use the Microsoft Account credentials or one of the local user credentials) doesn't work across reboots either.
    Yes, I have the same Microsoft Account setup on both PCs. I have tried giving them both Admin and Standard user rights on both PCs.
    I have turned off UAC as recommended in some posts.
    Again - This problem is ONLY related to MICROSOFT ACCOUNTS, not local accounts.
    I have put a batch file on the desktop with a "net use" statement in it to connect as a workaround, but this is very annoying and truly unacceptable. Is there any way to make this work seamlessly without running a batch file or something else where the password exists on the PC in clear text?
    I can't find other posts asking this question - am I the only one who is trying to do this? What memo did I miss?
    Thanks for any help!

    Hello Steve Hengen,
    I apologize for the delay.
    I have tested in my own environment and can normally map the network drive when logged on with a Microsoft account.
    Did you check the option Reconnect at logon?
    If you use Connect using different credentials, did you check the option Remember my credentials?
    Please take a look at the following article about mapping a network drive.
    http://windows.microsoft.com/en-HK/windows-8/create-shortcut-to-map-network-drive
    Best regards,
    Fangzhou CHEN
    TechNet Community Support

  • What windows account to use as proxy account to schedule a package to run in sql server 2005 job

    I have successfully set up a credential and proxy in SQL Server 2005 to run an SSIS 2005 job under my Windows account. The problem I got is that the password of my account will expire sometime, so the job execution will fail until I change the password in the credential. I am thinking of either asking our IT administrator to set my account to password never expires or using a different account for the credential. I have very limited knowledge regarding Windows security. So if I go with the second option, what account should I use for the credential/proxy? I need to know about this before asking our IT admin.

    It must be a domain wide service account (with a strong, non-expiring password), not a private account with just enough rights to run packages (this implies the account must be able to connect to remote data sources and shares). Oftentimes, such an account also needs write access to the %temp% directory.
    Arthur

    Thanks. I will try to tell our admin see if it makes sense to him.

  • Connect to DataBase programmatically with Integrated Security in SharePoint - which account credentials are used?

    Hi to All!
    I have a simple question. I connect to DataBase programmatically, using SqlConnection and Integrated Security in connection string. It works! But I cannot understand - which account credentials are used? My Windows account (under which I was logged in) or NetworkService Account, or something else?
    If I was logged in as FBA user in SharePoint - what in this case?

    Hi MaryBath,
    When you use integrated security = true, it means the same as integrated security = SSPI, and in this case the current Windows account credentials are used for authentication. If you set integrated security = false, you have to provide UserName and Password. So for your question: it uses the current Windows account credentials.
    Here is the Microsoft link for the same:
    https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(VS.71).aspx
    If your code is executing on the server in SharePoint (in web parts, features or application pages), it will take the Windows account of the server to connect to the database, because it is all executing on the server, not on the client machine. Your login credentials have nothing to do with it.
    Note: there are 2 authentication modes, Windows Authentication and SQL Authentication, so make sure that Windows authentication is enabled on the database (it will only work when Windows authentication is enabled).
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

  • SCOM2012 Need to use Powershell to reset the RUNAS Configuration account passwords

    I Need to use Powershell to reset the SCOM2012 RUNAS Configuration account passwords... could anyone help me with this?

    Hi BenStu,
    Have you checked the cmdlet "Update-SCOMRunAsAccount" to change the RunAs account password?
    This script is for your reference:
    # User name for the new credential
    $username = "<domain>/<user>"
    # securestring.txt must have been written by ConvertFrom-SecureString under the same
    # Windows account on the same machine (DPAPI-protected), or decryption will fail
    $password = Get-Content C:\temp\securestring.txt | ConvertTo-SecureString
    $newcred = New-Object System.Management.Automation.PSCredential $username, $password
    Get-SCOMRunAsAccount -Name "OMWindowsRunAsOM" | Update-SCOMRunAsAccount -RunAsCredential $newcred
    Refer to:
    Tracking down where Operations Manager stores information – Part 7
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang

  • Job Will Not run due to credentials

    I am attempting to set up a job to run a MSDB package stored on my server. The job is failing and giving me the error below in the history log. I have several other jobs that run MSDB packages with the same credentials and they run fine. Why would this be failing? I have tried using a local account, but that fails as well. I am using Windows authentication and the SDC\Administrator is the main admin account on our domain.
    the job failed. It was invoked by SDC\Administrator. The last step to run was step 1.
    **Update** My job is executing with an account called Tailwind\Systems. Tailwind is the server name and consequently a user name in our sql server 2012 instance. I cannot figure out how to make it execute as another account**

    OK so start to finish.
    I have a file saved in a directory on the same server sql server 2012 is running on.
    Next I create a db and import that file in and allow the table to get created.
    Next I import again this time electing to delete existing rows and using the package do not use encryption.  I accept all defaults and save in sql server
    Now that the package has been saved I create a new job and create a step that calls this package to run it. I leave all defaults including the owner which is the Windows admin account.
    I run the job and get the error. I run the package manually and it runs. The funny thing is, this is the way I have always done it and never had this issue. I have other jobs that still successfully run packages but are in other db's. I test by creating a new import package and job to run but from within the already existing db and it works. So it seems to be a permission somewhere that I have yet to find.

  • Run as account and profile associate

    Dears,
    Sorry I am new to Managing Linux in SCOM, so I have a 2 questions.
    In below link:
    http://technet.microsoft.com/en-us/library/hh212926.aspx
    it is mentioned that we have to create 2 type of Run as accounts:
    A monitoring account
    An agent maintenance account
    It is mentioned that we have to associate the Run as accounts with profile as below:
    UNIX/Linux Action Account:
     Add a monitoring Run As account that has unprivileged credentials, to this profile.
    UNIX/Linux Privileged Account:
     Add a monitoring Run As account that has privileged credentials or credentials to be elevated, to this profile.
    UNIX/Linux Agent Maintenance Account:
     Add a monitoring Run As account that has privileged credentials or credentials to be elevated, to this profile.
    Questions are:
    Why we have to associate "Monitor Run as account" with "UNIX/Linux Agent Maintenance Account" ?
    What if we associate "Agent maintenance account" with "UNIX/Linux Agent Maintenance Account" ?
    When we will use the "Agent maintenance account"?
    Thank you

    Hello,
    The "Agent Maintenance" account type is for use with the ssh protocol. It allows for the use of ssh key authentication and su elevation (as an alternative to sudo elevation). Therefore, it is not compatible with any Run As Profile other than the Agent Maintenance profile. The Action & Privileged account profiles are used for "monitoring" operations with the WS-Man protocol, and don't support the ssh-specific options for the Agent Maintenance account. A "Monitoring" account type can be used in all three profiles, but the "Agent maintenance" account type can only be used in the Agent Maintenance Account profile.
    To address your questions directly:
    Why we have to associate "Monitor Run as account" with "UNIX/Linux Agent Maintenance Account" ?
    The documentation here looks like it could be improved. An account type of Monitoring or Agent Maintenance can be used in this profile.
    What if we associate "Agent maintenance account" with "UNIX/Linux Agent Maintenance Account" ?
    This is completely OK.
    When we will use the "Agent maintenance account"?
    The agent maintenance account is only used in two cases: 1) when you upgrade existing agents and 2) when you uninstall existing agents.  Ultimately, it is an optional profile. 
    I hope this helps,
    Kris
    www.operatingquadrant.com

  • Local account credentials and licensing

    Hello, we have a Windows 2008 R2 server used for terminal services.
    The server is configured and is working fine.
    All domain users can login without issues.
    If we login with a domain administrator account, this server successfully contacts the license server and validates.
    However, we have the server locked with a local administrator account, as there is an application that runs in the background.
    Because of this, we are encountering the error: "The Remote Desktop Session Host Server Configuration tool is running with local account credentials. In Licensing Diagnosis, the Total Number of licenses Available value may be inaccurate." It gives the warning that we have a number of days before the remote services is disabled.
    Obviously we don't want this to happen.
    My question is if this will actually be disabled, even though we have validated with the license server before with a domain account?
    Do we have to have server locked with a domain account to get rid of this error?
    Many Thanks,
    Ravi

    Hi Ravi,
    Thank you for your posting in Windows Server Forum.
    Yes, to get rid of this error and for a better result, you must always attach the License server with a Domain account. That means you need to join the server to a domain, because the error you are facing is due to an "Issue with Credential", as the License server can't identify the local user account credentials. In your case, you need to lock the server with a domain account.
    Please check below article.
    Licensing Diagnosis: Problems and Resolutions
    http://blogs.msdn.com/b/rds/archive/2008/02/01/licensing-diagnosis-problems-and-resolutions.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Connect Coldfusion 9 to SQL using intranet users windows credentials

    Is it possible to use pass through / integrated authentication using the application users windows account (rather than the service account) when a Coldfusion application connects to an MS SQL DB?
    For background, we are running:
    ColdFusion 9,0,1,274733 hosted on a Windows 2008 R2 (64) server
    SQL server 2008 R2 hosted on a Windows 2008 R2 (64) server
    IE 8 and/or 9 as the client browser
    I have an intranet application that is used only by users within our AD domain. I have no problem getting ColdFusion to connect to the SQL database using the ColdFusion service account, but ideally we would like the connection to be made under the application user's account.
    I would appreciate any guidance on how to achieve this if it is possible?
    (I am not a webmanager/developer and so my ColdFusion knowledge is very limited!)
    Thanks in advance,
    Darren

    Again, thanks for the responses - it is nice to be able to talk through these things (I work in a fairly small organisation and so do not often get to talk through technical subjects with other professionals!)
    Firstly, to respond to BKBK, I have been considering that approach, though unless I have missed something, I would either:
    1. have to use simple authentication - in which case a user's Windows credentials would be passed as Binary_Base64 (i.e. clear text) - and possibly would need to replicate all AD accounts as SQL Server accounts (not sure on that account replication bit, as I may be able to still get it to authenticate as a Windows account from the SQL engine - but the clear text passwords is the real problem), or:
    2. have to use form based credentials, in which case the users would have to 'login' to the application - I am trying to avoid this to make it as seamless for the users as possible.
    Neither of those approaches is ideal (unless, as I say, I am missing an option there) and so I am more inclined to use a single SQL account from the datasource definition and control access from a combination of the application and the database.
    Secondly, to respond to Dan.
    I agree, it would be no good for User A to receive an error if they tried to run a proc that they do not have permissions for. However, if these errors occur they are captured and handled gracefully in both the application suite and the database.
    Aside from this, the application does not provide the ability for user A to execute procedure 7 (from the example in my previous post) - which I guess is what you are saying with " Whatever UI control User B has to run sp 7 cannot be available to User A".
    The reason for controlling physical permissions in the DB was that:
    1. it is universal for all interfaces with that database - so long as integrated auth is used
    2. it provides a belt and braces approach (as parts of this application have sensitive data) - so that if somehow user A gets the web application to call procedure 7 then the DB would still prevent it
    For thought/discussion:
    I think I will end up using a single account from the datasource, but make it a datasource that can only be called from AD users accessing the application (though only AD users can access the application which achieves this already).
    Any call to the database must include the CGI variable "AUTH_USER" as an input parameter.
    The DB will then:
    1. check the account that is logged in to the SQL engine (to ensure a user hasn't bypassed ColdFusion and gone straight to the DB - though Group permissions are already set for this scenario)
    2. check the user supplied as a parameter exists in AD and is an active account
    3. and check the permissions of that user for the particular task that was requested of the DB engine - execute if permissible, gracefully refuse with appropriate messages passed back if not.
    This combined with the control in the application to only present the right functions to the right user should give me the belt and braces that we are after - albeit in a bit of a convoluted way!
    I guess the big question is how easy/difficult is it to fake "AUTH_USER"?

  • How do I change the icloud account on my iphone? I want to use the same account for all my apple devices (macbook air and imac and iphone). I can't see where I can amend the iphone account because it is in grey?

    I want to use the same account for all my apple devices (macbook air, imac and iphone). I can't see how I can amend the iphone account because it is in grey? I also can't remember the password for this account so i can't even delete it and start again?
    Help!
    Thanks

    Deleting an iCloud account only deletes it from the Device, not from iCloud.  In iOS 8, the name of this setting changed to "Sign Out" as that is a better reflection of what actually happens.  Your iCloud data remains on the server, available to devices still signed into the account, but the device you sign out of the account on is disconnected from the account, and as a result, the iCloud data from that account is removed from the device.  It will redownload to the device should you sign back into the account.
    The only issue you'll run into when you switch between accounts is with my photo stream photos older than 30 days.  When you delete (or sign out of) an account, your photo stream photos are deleted along with the other data from the account in question.  However, unlike other data which remains on the server and can redownload to your device when you sign back in, my photo stream photos only remain in iCloud for 30 days.  When you sign back in, you will only get back my photo stream photos added in the last 30 days (as older photos are no longer in iCloud to redownload).  Like other account data, any my photo stream photos on your other devices signed into the account are unaffected by this.  If you want to keep older my photo stream photos on your device as you change iCloud accounts, save them to your camera roll before deleting (signing out of) the account.

  • Need help in using [RUN PROGRAM] Activity against a server in another domain

    Hi Experts,
    We have two domains with two way trust enabled. Orch server exists in DomainA and target server exists in DomainB.
    We are trying to execute some scripts (e.g. IPCONFIG) from the orch server to the target server using the RUN PROGRAM activity. This is running fine and gives expected results if I give Built-in Administrator credentials in the Security tab. But I'm getting some strange values like Chinese/Japanese language strings if I use a DomainB/DomainA user (part of local admin of the target server) in the Security tab as well as Advanced tab-->Runas.
    Things I tried:
    - DomainA/DomainB user in Security Tab as well as RunAs tab  ---> Strange Strings
    - DomainA/DomainB user in Security Tab and BuiltIn Administrator in RunAs tab  ---> Strange Strings
    - BuiltIn Administrator in Security Tab ---> Expected result
    - BuiltIn Administrator in Security Tab and DomainA/DomainB user in RunAs tab  --> ProgramExitCode = -10xxxxxx
    But our requirement is to run the script on the target server as Domain User(Part of local admin).
    Thanks in Advance
    Thanks and Regards, Narayana Babu

  • I have activated 2 iPhones using my iTunes account, but I now would like to take one iPhone off this account, and start its own iTunes "pairing" in order to back up, without cross syncing between purchases, how can I do this?

    I have activated 2 iPhones using ONE iTunes account, but I would now like to remove one iPhone from the account and add it to a new iTunes account. This is so that I can back it up without cross syncing between purchases/apps on both iPhones.
    What's the best method for this?
    I'm running Windows 7
    Many thanks

    Whenever a menu choice is grayed out, that is because you have Restrictions turned on in Settings.  Be sure to turn it off.
    You are confusing an itunes store account with an icloud account.  You two can continue using the same ID for itunes (thus sharing purchased music, apps, etc.), but you really should have separate accounts (different IDs) for icloud, since an account is intended for one user to keep his/her devices in sync.
    To create a new icloud account, go to
    http://www.apple.com/icloud/setup/
    Then go to Settings>icloud and scroll to the bottom of the screen and tap Delete Account.  (have restrictions turned off)  That will disconnect the device from the account but will not delete data in icloud or other devices.  Then sign in using the new ID.

  • How to update software on multiple iPhones using same iTunes account?

    How to update software on multiple iPhones using same iTunes account?

    SeanB15 wrote:
    Here are more details on my situation which should help clarify things...
    I purchased three iPhone 4 models back when they first came out (for my family) that all share the same iTunes account for access to apps and music, but each phone/user still has his/her custom contact list, email accts, and select lists of apps and music from the one iTunes acct library.  The problem is (as I understand it) that I can only update the software on one of the three iPhones – the primary phone I used to setup the iTunes acct without wiping out the separate contact lists, etc. As it stands today... the first (primary) iPhone associated with the iTune acct has been updated with the latest software version 5.1.1 and sync'd up with all the apps, music, etc from the one iTune acct, while the other two iPhones are still running on the original software version 4.0.2 and are experiencing problems now. I was advised by AT&T back in January that it would be necessary to setup separate iTunes accts for the second and third iPhones in order to receive system updates and still be able to manage separate contact lists, etc. If I go this route, I assume we will lose all the apps on phones #2 and #3 that we have been "sharing"... correct? Since this AT&T advice was prior to iCloud coming out, would iCloud be a better solution or at least part of the solution? I really don't yet understand how iCloud works. Hopefully, one of you can help me??
    we have 2 iphone 4's synced to the same itunes account for apps and music since the day we bought them, but each has a different icloud acct. they have both been updated on the same itunes account with every update that has come out since we bought them in december of 2010. nothing on either phone has ever been lost or duplicated. having said all that, maybe i'm missing something here, but we have had no problems. we do have itunes setup to sync manually. i do believe i'm a piker compared to lawrence finch, but i'm just telling you what happens in my house. maybe check with apple? is there a store near you?
