In this blog, I will explain:
I will start with a scenario and then I will explain how the Run As Account and Run As Profile will fit into the scenario.
“I have got a request from my SQL Team to monitor the SQL application. They have also provided me with a domain account domain\sqlsvc which has sysadmin rights on all the SQL instances in my organization and is a local administrator on all SQL nodes. Now my task is to import the SQL management packs and make sure we use the SQL domain account to monitor the SQL application.”
What is SCOM Run As Profile?
Any workflow in SCOM, whether it is a rule, monitor, discovery, task, etc., is defined in a Management Pack. When you define a workflow, you can configure which Run As Profile it uses when it runs on the target. Let us take a simple example.
<UnitMonitor ID="Unit.Monitor.SQL.Demo" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Custom.MyPSTransactionMonitorType.UnitMonitorType" ConfirmDelivery="false" RunAs="SQL_RunAsProfile">
The above configuration means that whenever the unit monitor “Unit.Monitor.SQL.Demo” runs, it uses the Run As Profile “SQL_RunAsProfile”.
What is SCOM Run As Account?
A SCOM Run As Account stores an account name and password. It can then be distributed either to all the agents in the Management Group using the ‘Less Secure’ option or to selected agents only using the ‘More Secure’ option.
SCOM Run As Accounts are associated with a Run As Profile so that workflows can run under a specific account rather than the agent default action account (which we will discuss soon).
Now that we have a fair understanding of SCOM Run As Profiles and Accounts, let us come back to our scenario. These are the steps I will have to follow to accomplish my task:
How to create a SCOM Run As Profile?
The Run As Profile will be created by the Management Pack Author and will be visible under the tab Administration -> Run As Configuration -> Profiles as soon as you import the Management Pack.
How to create a SCOM Run As Account?
Distribute the SCOM Run As Account
Associate Run as Account to Run As Profile
What will happen if you do not associate a Run As Account in the Run As Profile?
Many times we import Management Packs and everything gets discovered and monitored without any configuration of Run As Accounts and Profiles. Do not be surprised 🙂
SCOM is designed in such a way that it will try to make things work for you as much as possible. But how?
If a SCOM Run As Profile is defined but not associated, then the workflow will run with the ‘Agent Default Action Account’. The agent default action account is the account specified at the time of agent installation. The sole purpose of this account is to run workflows for which either there is no Run As Profile or there is no association inside the Run As Profile.
In our example, if we leave the ‘SQL Run As Profile’ association blank, then the SQL workflows will run under the SQL agent's default action account.
Typically, most customers use the ‘Local System’ account as the agent default action account because it has all the rights needed to access operating system resources such as the registry, WMI, etc. Alternatively, a domain account can be used. I can think of a situation where the Local System account is locked down in a secure environment.
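The fallback rule described above can be modelled offline. This is an added example, not code from the original post or from SCOM itself: it does not query a management group, and every ID, account and association in it is constructed, apart from Unit.Monitor.SQL.Demo and SQL_RunAsProfile, which mirror the monitor shown earlier.

```powershell
# Added example: models which account each monitor would run under.
# Constructed management pack fragment; only the first monitor mirrors the post.
$mp = [xml]@'
<ManagementPack>
  <Monitoring>
    <Monitors>
      <UnitMonitor ID="Unit.Monitor.SQL.Demo" Target="Windows!Microsoft.Windows.Computer" RunAs="SQL_RunAsProfile" />
      <UnitMonitor ID="Unit.Monitor.Backup.Demo" Target="Windows!Microsoft.Windows.Computer" RunAs="Backup_RunAsProfile" />
      <UnitMonitor ID="Unit.Monitor.Disk.Demo" Target="Windows!Microsoft.Windows.Computer" />
    </Monitors>
  </Monitoring>
</ManagementPack>
'@

# Run As Profile -> Run As Account associations (constructed).
# Backup_RunAsProfile is deliberately left without an association.
$associations = @{ 'SQL_RunAsProfile' = 'domain\sqlsvc' }

# Default action account of the agent being modelled (constructed).
$defaultActionAccount = 'NT AUTHORITY\SYSTEM'

function Resolve-WorkflowIdentity {
    param(
        [Parameter(Mandatory)] [xml] $ManagementPack,
        [Parameter(Mandatory)] [hashtable] $Associations,
        [Parameter(Mandatory)] [string] $DefaultActionAccount
    )
    foreach ($wf in $ManagementPack.SelectNodes('//UnitMonitor[@ID]')) {
        # GetAttribute returns an empty string when RunAs is absent.
        $runAsProfile = $wf.GetAttribute('RunAs')
        if ($runAsProfile -and $Associations.ContainsKey($runAsProfile)) {
            $account = $Associations[$runAsProfile]; $reason = 'profile associated'
        } elseif ($runAsProfile) {
            $account = $DefaultActionAccount; $reason = 'profile not associated'
        } else {
            $account = $DefaultActionAccount; $reason = 'no profile declared'
        }
        [pscustomobject]@{
            Workflow         = $wf.GetAttribute('ID')
            RunAsProfile     = $runAsProfile
            EffectiveAccount = $account
            Reason           = $reason
        }
    }
}

Resolve-WorkflowIdentity -ManagementPack $mp -Associations $associations `
    -DefaultActionAccount $defaultActionAccount | Format-Table -AutoSize
```

Only the SQL monitor resolves to domain\sqlsvc; the other two fall back to the default action account, which is the silent behaviour to look for when a management pack "just works" after import.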
How to find the agent default action account?
Using console
Navigate to Administration -> Agent Managed -> Search for the agent -> Look for the column ‘Action Account’
Using PowerShell
# For all the agents
Get-SCOMAgent | Select-Object Name, ActionAccountIdentity

# For a single agent
Get-SCOMAgent | Where-Object {$_.Name -eq 'Test.pop1.lab'} | Select-Object Name, ActionAccountIdentity
What best practices to follow?
Take Away
Hope you now have a better understanding of SCOM Run As Account and Profile.
Thanks!!
Explore, Learn, Share, Repeat!