OpsMgr 2007: More on the Action Account

A couple days ago I wrote about the Action Account Tool that can be used to view and manipulate the action account in System Center Operations Manager 2007 and I wanted to follow up today with a little more information about the account, what it does and how to work with it.  Well, I guess I can’t take all the credit as this information was actually provided by Senior Program Manager Cory Delamarter but here you go:


In addition to the Action Account Tool, action accounts and Run As Profiles can be managed via the Operations Console as well.  In OpsMgr 2007 an Action Account is simply an identity or credential.  Action Accounts are then associated with specific systems Health Service via the use of Run As Profiles.  So in order to alter the default action account for an agent you would open up the Run As Profile of the same name.

This new approach to action accounts has a number of benefits including:

· Credentials, or more specifically passwords, only have to be maintained in one spot – the Action Account’s properties.

· One action account can be used across multiple systems.  This is mainly a repeat of the point above, but you can setup a single action account to be used in various places.

· One system can use multiple action accounts.  In MOM 2005 there was a one to one mapping between an agent and it’s action account.  That mapping/constraint no longer exists since Action Accounts are now bound to Run As Profiles, which in turn are associated with rules/monitors/modules.


For more information see the Ops Mgr 2007 Security Guide at: http://download.microsoft.com/download/7/4/d/74deff5e-449f-4a6b-91dd-ffbc117869a2/OpsMgr2007_Security.doc.  Specifically, pages 21 and Page 10-12 talks about Run As Account, Run As Profiles and the Default Action Account.

J.C. Hornbeck