MOM 2005: The Action Account (or better yet ... The Action Account?!)

During the installation of MOM 2005, you established an Action Account. Unfortunately, you were too busy being excited about what was cool about MOM 2005 to be paying attention to something as petty as security. Now that it's set, you're not sure what it does or what security it actually requires. In fact, you're not even sure where to change the account MOM uses. Being the imperturbable administrator, you simply panic.

In all seriousness, the Action Account has various functions, many very integral to some of the tasks MOM 2005 performs. In this age of IT, a focus on security can be tantamount to the completion of the project. Take some time to read through some of the benefits of Action Account and how best to implement it in your environment.

Benefits of an Action Account:

• Runs computer discovery and tasks issued from the MOM console.
• Performs agent push-installations (similar to SMS 2003 Client Push Installation account).
• Executes uninstallations and settings updates for agent-managed computers.
• Runs responses and scripts on agent-managed computers (including the Management Server).
• Manages actions on agentless and agent-managed computers.
• Collects data from agentless and agent-managed computers.
• Communicates with agentless and agent-managed computers.

To perform some of the tasks listed above, the Action Account will need administrative privileges to MOM agents. Any agent running Windows 2003 can use a combination of a low-rights domain account with special privileges (aside from general push installations, which can be done through other methods). You can even use different Action Accounts for each agent; however, this may be a daunting task to maintain properly. More details on the exact permissions required for the Action Account on the management server, as well as MOM agents, can be found in the MOM 2005 Security Guide.

Administering the Action Account:
There are two ways you can administer the Action Account after it has been established during installation. The first is inside the MOM 2005 Administrator Console under Administration / Computers / Agent-managed Computers. If you're interested in establishing per agent Action Accounts, this is where to do it. (Keep in mind that while you can change the Action Accounts on agent-managed computers through this method, the Management Server Action Account must be administered through the second method.)

• Navigate to Agent-managed computers.
• Highlight the agents (some or all) for which you will be changing the Action Account.
• Right-click on the highlighted selection. Choose All Tasks > Update Agent Settings.
• Specify to use the default Management Server Action Account or specify an Action Account specific for the agent (or group of agents).

The second method is through the SetActionAccount.exe tool located under %Program Files\%Microsoft Operations Manager 2005 directory. This is a command-line tool that only accepts two switches -- making it very easy to use. Running either command requires prefacing the command switch with the Configuration Group name. All changes to the MOM Action Account, must be followed by a restart of the MOM service on the Management Server for changes to become effective. Usage, example and output listed respectively:

SetActionAccount.exe [Configuration Group Name] -query
Issuing this command returns the current account information.

Ex: SetAcctionAccount.exe MOM2005POC -query

Providers and responses run as MOMDomain\MyMOMActionAccount

SetActionAccount.exe [Configuration Group Name] -set
[Domain]
[UserName]
Issuing this command starts a password dialog which will reset the Action Account on completion.

Ex: SetActionAccount.exe MOM2005POC -set
MOMDomain MyMOMActionAccount
(notice no backslash between domain and username)
Enter password : (input text is hidden)
Re-enter password : (input text is hidden)
Action account set.

For more information:
MOM 2005 Security Guide -- online documentation
http://www.microsoft.com/technet/prodtechnol/mom/mom2005/secguide.mspx MOM 2005 Security Guide -- document download
http://www.microsoft.com/downloads/details.aspx?familyid=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en

ABOUT THE AUTHOR: Marcus Oh works for Cox Communications, Inc. in Alpharetta, GA., deploying MOM for 250+ servers, rolling out SMS 2003 and Windows 2003, and supporting the company's directory services infrastructure.

This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. The centerpiece of myITforum.com is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget network of Web sites. To register for the site and sign up for the myITforum daily newsletter, click here.

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft System Center Backup and recovery for System Center Operations Manager 2007 Data Protection Manager 2007: Relief from branch office backup headaches Key enhancements to SCCM give admins more control over assets, licensing The new Microsoft System Center: What happened to SMS and MOM? System Center Configuration Manager 2007: A first look Redeploy application to client machines using SMS Microsoft offers beefed-up backup beta Windows Management Guides for Systems Administrators Microsoft System Center Data Protection Manager Fast Guide Server plays key role in Data Protection Manager deployment Windows Systems Management and Administration Tips for Windows domain controller optimization Quick hits: Troubleshooting service account failure, batch job execution Case Study: Troubleshooting Windows service dependency failures Troubleshooting common Windows service failures How to format NTFS: More tricks to improve file system performance Key enhancements to SCCM give admins more control over assets, licensing Windows scripting secrets for disk quota management Optimizing NTFS file system performance The new Microsoft System Center: What happened to SMS and MOM? New Russinovich tool scans for open file references from command line RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Microsoft System Center  (SearchWindowsServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.