How to Change the SCE Run As and Data Warehouse Accounts in EBS

[Today's post comes to us courtesy of Mark Stanfill]

By default, EBS configures SCE to use the domain administrator account used during setup as the Default Action Account and also as the Data Warehouse account. These accounts are used to accomplish monitoring activities, such as executing a monitor or running a task. Using the built-in administrator is a reasonable setting for many environments, but in some domains it is desirable to change the account. Scenarios where changing the default account makes sense include:

  • Auditing - An SCE Run As account will generate a lot of events as it logs on, runs scripts, collects data, etc. It may be useful to isolate this account so that anomalies in the Administrator account's audit trail are more easily noticeable.
  • Separating Roles - The business may have a policy concerning the use of service accounts or otherwise prohibiting the use of the built-in administrator for daily use.
  • Disabling the built-in Administrator - there are many references to why it is a good idea to disable the built-in Administrator account. In general, these same considerations apply to EBS, with the understanding that the additional steps outlined in this article need to be implemented.
  • Creating an account with a non-expiring password - This is a common request, to prevent SCE from failing to update when the account's password expires (every 42 days by default - see this post for more details). In this scenario, a new account with a non-expiring password is created to replace the built-in Administrator account. It is still recommended that the account's password be changed periodically according to your company's security policy, but this prevents the account from failing to report if someone forgets to change it manually.

Note: In this article, we will refer to the default account as the Administrator account. If you installed EBS with a different Domain Admin account, substitute that account in the steps below.

Creating a New Account

To create a new Run As account, first create a new account using the steps outlined in https://technet.microsoft.com/en-us/library/cc463410.aspx. Make the user a member of Domain Admins and the Performance Monitor Users group. If desired, modify the password expiration setting on the account. Because the account will log on locally to the EBS Management Server, it does not require a CAL.

By default, the account will have "User must change password at next logon" checked. This must be deselected to prevent logon errors.

Low-privileged accounts

Most installations of EBS will make the Run As account a member of the Domain Admins group and the Performance Monitor Users group for ease of use and to prevent Management Pack errors. Using a lower-privileged account requires a working knowledge of every MP installed on the system. If you choose to go down this route, make sure you read the deployment guides for the MPs installed on your system and understand the user rights needed. This would include the 9 MPs installed on EBS by default.

The minimum privileges required for an action account are:

  • Member of the local Users group
  • Member of the local Performance Monitor Users group
  • Allow log on locally permission (SeInteractiveLogonRight)

https://technet.microsoft.com/en-us/library/bb735419.aspx provides more details about running SCE and SCOM with low-privileged accounts. Of particular note from the article are the points:

  • A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
  • A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.
  • Using a domain account requires password updating consistent with your password expiration policies.
  • You must stop and then start OpsMgr Health Service if the action account has been configured to use a low-privilege account and the low-privilege account was added to the required groups while the OpsMgr Health Service was running.

Assigning the Account

Once the account has been created and "User must change password at next logon" deselected, you are ready to create the new Run As Account.

1. Open the SCE Console and navigate to Administration\Security\Run As Accounts. Right-click and choose "Create Run As Account... "

Note: The administration node is shown only as an icon in the SCE console by default. Click on the gear icon in the lower left-hand corner to access administration.

2. Click Next on the Introduction screen. On the General screen, select Action Account from the "Run As Account type:" drop-down menu. Fill out a display name and description if desired. Click Next to continue.

3. On the Account screen, type in the logon name of the Windows account you created and type the password in both the Password and Confirm password fields. Verify the domain name. Click Create to add the Run As account.

4. Again run the Create Run As Account Wizard. This time, choose Windows for the "Run As Account type:". Follow the prompts to complete the wizard.

5. Navigate to Administration\Security\Run As Profiles. Double-click on the Default Action Account. Locate the Run As Account Entry on the Management Server (it should be DOMAIN\Administrator), and click "Edit... ".

6. On the Edit dialog, select the new Run As Account from the drop-down menu and click OK. Click OK again to dismiss the account properties dialog.

7. Repeat the process for these accounts:

  • Data Warehouse Account
  • Data Warehouse Report Deployment Account
  • The third "Reserved" Run As profile (on a default EBS install it will have the Data Warehouse Action Account listed on its Run As Accounts tab; verify this by opening the properties of the Reserved Run As profile)

  • Any additional Run As accounts listed on the Data Warehouse Action Account's Run As Profile tab (there should be one instance of 'Reserved' by default). It is safe to edit the "Reserved" run as profile in this case if the Administrator account is listed on its Run As Accounts tab.

8. Navigate back to Administration\Security\Run As Accounts and delete the DOMAIN\Administrator and Data Warehouse Action Account. The accounts may be left in place if desired.

9. Open SQL Management Studio Express (Start\All Programs\Microsoft SQL Server 2005\SQL Server Management Studio Express). Connect to your Management Server's SCE instance (MANAGEMENTSERVERNAME\SCE).

10. Navigate to Security\Logins under the MANAGEMENTSERVER\SCE instance, right-click on Logins and choose "New Login... ". Use the Search button to locate your new account. Keep the defaults of Windows Authentication, Default Database, Default Language.

11. Navigate to Databases\OperationsManager\Security\Users. Right-click on Users and choose "New User... ". Create a new SQL user account with the following settings:

  • User Name: SCE Account Name
  • Login Name: Search and find your new account
  • Schemas owned by this user: None selected (default)
  • Database role membership:
    • configsvc_users
    • dbmodule_users
    • sdk_users

 

image 

 

image

 

12. Navigate to Databases\OperationsManagerDW\Security\Users. Right-click on Users and choose "New User... ". Create a new SQL user account with the following settings:

  • User Name: SCE Account Name

  • Login Name: Search and find your new account

  • Default schema: [leave default - choosing db_owner will change it to dbo]

  • Database role membership:

    • db_owner 
    • db_datareader
    • db_datawriter
    • OpsMgrReader
    • OpsMgrWriter

13. Navigate to Databases\OperationsManagerDW\Tables\dbo.ManagementGroup. Right-click on dbo.ManagementGroup and choose Open table. In the resulting table on the right-hand side, locate the WriterLoginName column. It should be populated with an entry for DOMAIN\Administrator. Click on the entry and enter the name of the SCE account in the form DOMAIN\SCEAccount, where "SCEAccount" is the account name of your new account.

 

14. Restart the following services:

  • SQL Server (SCE)
  • OpsMgr Config Service
  • OpsMgr Health Service
  • OpsMgr SDK Service

15. Check Event Viewer for any relevant errors.
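The SQL Server portion of the procedure (steps 10 through 13) can also be run as one T-SQL script in SQL Server Management Studio, which makes it repeatable if the account has to be reset again after a reinstall (see the notes below). The script is an added example and is not part of the original post or of the EBS product; it assumes the placeholder account DOMAIN\SCEAccount used in step 13 (substitute your own domain and account name), the default EBS database names OperationsManager and OperationsManagerDW, and the MANAGEMENTSERVER\SCE instance. The role names and the WriterLoginName column are the ones given in the steps above.

```sql
-- Added example (not from the original post): T-SQL equivalent of steps 10-13.
-- Assumptions: the new account is DOMAIN\SCEAccount (placeholder, substitute your
-- own), the databases use the default EBS names OperationsManager and
-- OperationsManagerDW, and the script is run in SSMS against MANAGEMENTSERVER\SCE.

-- Step 10: server-level Windows login, created only if it does not already exist
USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\SCEAccount')
    CREATE LOGIN [DOMAIN\SCEAccount] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
GO

-- Step 11: user in the operational database with the three OpsMgr roles
USE [OperationsManager];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SCEAccount')
    CREATE USER [SCEAccount] FOR LOGIN [DOMAIN\SCEAccount];
EXEC sp_addrolemember N'configsvc_users', N'SCEAccount';
EXEC sp_addrolemember N'dbmodule_users', N'SCEAccount';
EXEC sp_addrolemember N'sdk_users',      N'SCEAccount';
GO

-- Step 12: user in the data warehouse; the default schema is deliberately left alone
USE [OperationsManagerDW];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SCEAccount')
    CREATE USER [SCEAccount] FOR LOGIN [DOMAIN\SCEAccount];
EXEC sp_addrolemember N'db_owner',      N'SCEAccount';
EXEC sp_addrolemember N'db_datareader', N'SCEAccount';
EXEC sp_addrolemember N'db_datawriter', N'SCEAccount';
EXEC sp_addrolemember N'OpsMgrReader',  N'SCEAccount';
EXEC sp_addrolemember N'OpsMgrWriter',  N'SCEAccount';
GO

-- Step 13: repoint the warehouse writer. Done in a transaction so that an
-- unexpected table state (no row, or more than one row, for the old account)
-- is rolled back rather than silently leaving the wrong writer in place.
BEGIN TRANSACTION;
DECLARE @rows INT;
UPDATE dbo.ManagementGroup
   SET WriterLoginName = N'DOMAIN\SCEAccount'
 WHERE WriterLoginName = N'DOMAIN\Administrator';
SET @rows = @@ROWCOUNT;
IF @rows = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected one WriterLoginName row for DOMAIN\Administrator, found %d; nothing changed.', 16, 1, @rows);
END
GO

-- Verification before the service restarts in step 14: every role the warehouse
-- user now holds, and the writer name the table now carries.
SELECT r.name AS role_name
  FROM sys.database_role_members AS rm
  JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
 WHERE m.name = N'SCEAccount'
 ORDER BY r.name;
SELECT WriterLoginName FROM dbo.ManagementGroup;
GO
```

The final two SELECT statements are the check worth keeping: the first should list exactly the five roles from step 12, and the second should show only the new account. If the UPDATE in the step 13 batch raises the error, the table did not contain the single DOMAIN\Administrator row the article describes, and the WriterLoginName value should be inspected by hand before the services are restarted.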

Notes:

1. If you perform a replacement mode installation or uninstall and reinstall SCE, the account will be set back to the domain administrator account used during installation and must be reset.

2. If the Administrator's password has expired or been reset as described here, you must first ensure that the server is reporting back correctly as described in the linked article. Failure to do so will result in the DOMAIN\Administrator (Alternate Account) being re-designated as the Default Run As Account every time the OpsMgr Health Service is restarted.

3. Renaming the Administrator account has the same effect as changing the Run As account to use another Active Directory account, and the steps above must be followed. In general, it is better to disable the account than to rename it, since renaming prevents few real attacks.

4. For a general reference on changing SCOM/SCE accounts, see https://blogs.technet.com/cliveeastwood/archive/2007/06/22/kb936220-amended-how-to-change-the-credentials-for-the-opsmgr-sdk-service-and-for-the-opsmgr-config-service-in-microsoft-system-center-operations-manager-2007.aspx

5. As always, make sure you have a complete system backup before making these changes.

Special thanks to Sam Allen for his assistance in writing this article.