Run As Profiles in Operations Manager 2007 R2

One of the new features of R2 that hasn’t received any attention yet (at least to my knowledge) is how we changed the functionality of Run As Profiles. Today in Operations Manager 2007, you associate a RunAs Account for a particular RunAs Profile on a specific computer. Pretty straightforward and, if I remember correctly, the same as MOM 2005 (haven’t touched it in some time so my memory is vague). When I was testing my custom ADMP (my lab environment is running on R2), I was caught off guard because I needed to associate a RunAs account with a RunAs profile as part of my testing, and it took me some time to figure out how to configure it correctly (since the on-line documentation for R2 was not updated to provide an appropriate level of guidance).

In Operations Manager 2007 R2, when associating a RunAs Account for a particular RunAs Profile, you can now target the profile to any class available in Operations Manager and see the logical relationship between the two. Take for example a script that we run as a response to a monitor or a script that performs some level of monitoring against a SQL Server database. Instead of associating the profile with the agent, you can associate the profile with the database instance or the SQL Server Database Engine for that agent. So for any workflow that must run under a specific set of privileges in order to access the instrumentation correctly, you will be able to target the profile by group, object, and instance class. This follows the same logic as targeting a workflow today (monitors, rules, discoveries, tasks, etc.).

While today’s management packs for Operations Manager aren’t developed with this strategy in mind, by the time R2 comes out I would expect to see them supporting this. 

Comments (2)

  1. Anonymous says:

    Run As Profiles in Operations Manager 2007 R2 Feed: Matt Goedtel on Operations Management Posted on:

  2. Anonymous says:

    The change in R2 was especially needed for the Cross Platform Extensions (the Unix and Linux "Agents"), where one management server is connecting TO multiple Unix machines… and of course they could not have all the same root passwords… now you can associate a different root password for each one of them, even if it is associated to the same runas profile on the same management server. Which solves the problem.

    In MOM2005 it was ONLY possible to associate ONE default "action account" per each machine. If you didn’t, everything was running as "system". If you did, every rule on that agent would be running as that user. So basically you had the concept of runas ACCOUNTS, not of PROFILES.