OpsMgr 2007: Viewing and changing the Action Account

During the course of your OpsMgr 2007 admin duties you may find it necessary to view or change the action account that OpsMgr uses to run processes and scripts and much much more. 

So what is the action account?  Several MOM processes run under this account, including the processes that host MOM response scripts and managed code responses. The main purpose of the action account is to control the permissions and security for these processes and the scripts and assemblies that they execute. 

With MOM 2005 we could use the SetActionAccount.exe utility to view the current action account settings or to change the account entirely.  This utility came with the product and is documented here:

https://msdn2.microsoft.com/en-us/library/ms824552.aspx

There's even an update to this tool that allows you to specify the password for the account which is something that was missing from the original version.  You can find that update here:

KB894464 - The SetActionAccount.exe utility that is included with the original release of Microsoft Operations Manager (MOM) 2005 does not support an option to provide a password for the account (https://support.microsoft.com/kb/894464/en-us).

So that's all great and all but where is the SetActionAccount.exe utility for Operations Manager 2007?  Well, with OpsMgr 2007 we have a new way to modify the action account: The Action Account Tool.  This is a PowerShell script that essentially allows you to do the same things as SetActionAccount.exe and it's available for download from here:

https://www.microsoft.com/downloads/details.aspx?FamilyID=1d9a8d81-0e42-4076-88a9-8e6c08993054&DisplayLang=en

The tool includes instructions for it's use but I'll include them below just as a reference.  Just remember that for the latest information please review the instructions included in the download package itself.

======

This Windows PowerShell script allows you to set the action account on multiple computers. You will need to download the set-ActionAccount.ps1 script to the computer that hosts the Operations Console and Operations Manager 2007 Command Shell.

You can specify the computers you want to change the action account for by either creating a new computer group or by selecting a computer group from discovered inventory. Both procedures are described in the following sections. For the purposes of these procedures, it is assumed that the set-ActionAccount.ps1 script was downloaded to a user's My Documents folder on the C drive.

To set the action account on multiple computers in a new computer group

1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

2. In the Operations Console, click the Monitoring button.

Note: When you run the Operations Console on a computer that is not a Management Server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 Management Server that you want the Operations Console to connect to.

3. In the Monitoring pane, right-click Monitoring, point to New, and then click State View.

4. In the Properties dialog box, in the Name text field, enter a new name for this view (for example, My Computer Group).

5. On the Criteria tab, in the Show data related to list box, click the ellipsis (…) button.

6. In the Select a Target Type dialog box, in the Look for text field, type Computer Group, click View all Targets, select Computer Group in the list, and then click OK.

7. In the Properties dialog box, click OK.

8. In the Monitoring pane, expand Monitoring, and then click the view you just created (for example, click My Computer Group).

9. In the results pane (for example, the My Computer Group results pane), right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.

10. In the Windows PowerShell window, type the path to the script followed by the name of the script, then followed by the action account you want to change to. For example, type c:Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount", (where "ActionAccount" is the action account that you want to set on multiple computers), and then press ENTER.

To set the action account on multiple computers using discovered inventory

1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

2. In the Operations Console, click the Monitoring button.

Note: When you run the Operations Console on a computer that is not a Management Server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 Management Server that you want the Operations Console to connect to.

3. In the Monitoring pane, expand Monitoring, and then click Discovered Inventory.

4. In the Actions pane, expand State Actions, and then click Change target type.

5. In the Select a Target Type dialog box, select View all targets.

6. In the Look for text box, type Computer Group.

7. In the Target column, click Computer Group, and then click OK.

8. In the Discovered Inventory (Computer Group) results pane, right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.

9. In the Windows PowerShell window, type the path to the script followed by the name of the script, then followed by the action account you want to change to. For example, type c:Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount", (where "ActionAccount" is the action account that you want to set on multiple computers), and then press ENTER.

J.C. Hornbeck