Wednesday 30 May 2012

System Center 2012 Service Accounts & Permissions

Following on from my first post, which set the scene for what I was trying to achieve with my new test environment (dubbed the Customer Experience Center within Trustmarque!), I promised a post capturing some of the information you might find yourself needing when setting up an environment.

In this post I thought I would provide some information around the requirements for some of the accounts System Center 2012 requires when installing and some of the immediate accounts for the base configuration.

I think that all this information is already out there, but this post helps to pull it all into one central location and hopefully easier to digest.

All this information is of course assuming that you:
  1. Have already drawn up a design for your System Center 2012 infrastructure, with consideration given to components, layout, performance sizing, etc.
  2. Already have all your base VMs and SQL installs done.
  3. Have all pre-requisites installed.
  4. Know how to install the System Center 2012 components.
If you need more information on points 3 & 4, a further post is coming listing lots of install guides and PowerShell scripts to install the pre-requisites.

Couple of tips first though:

Tip #1 - Ensure the account used during install has rights to create databases on the SQL instance(s)/server(s) you specify during installation and can add security rights, etc. The easiest option is to give the account the SQL sysadmin role and then revoke it later.

Tip #2 - While using the Local System or Network Service option for the accounts is the easiest, I would personally only recommend this for lab/test environments.

Tip #3 - Again, using the same account over and over is easiest, but from a security and risk-mitigation perspective, separate accounts are what I recommend. For example, using one account for all services, possibly across multiple products, would mean more than one system fails if that account becomes locked out.

Tip #4 - If using domain accounts for the SQL services (and it's recommended), don't forget to ensure the SPNs are registered for them.

Tip #5 - Staying on SPNs, ensure the data access service accounts get their SPNs registered.
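As an added example (not from the original post), the PowerShell below registers and then verifies the SPNs that Tips #4 and #5 call for, using setspn. The host and account names are assumed: a default SQL instance on SQL01.TrustLab.local running as TrustLab\SQLSvc, and a SCOM management server SCOM01 whose Data Access (SDK) service runs as TrustLab\SCOMDA.

```powershell
# Added example, not the post's own script. Assumed names: SQL01 / TrustLab\SQLSvc
# for the SQL Server service, SCOM01 / TrustLab\SCOMDA for the SCOM SDK service.
# Run as a user allowed to write servicePrincipalName on those accounts.

$SqlHost  = 'SQL01.TrustLab.local'   # assumed FQDN of the SQL server
$SqlPort  = 1433                     # default instance; a named instance uses ':InstanceName'
$ScomHost = 'SCOM01'                 # assumed SCOM management server NetBIOS name
$ScomFqdn = "$ScomHost.TrustLab.local"

# SPN -> account mapping. A default SQL instance needs both the port and the
# port-less form; the SCOM Data Access service uses the MSOMSdkSvc class, short and FQDN.
$Spns = @(
    @{ Spn = "MSSQLSvc/${SqlHost}:$SqlPort"; Account = 'TrustLab\SQLSvc' },
    @{ Spn = "MSSQLSvc/$SqlHost";            Account = 'TrustLab\SQLSvc' },
    @{ Spn = "MSOMSdkSvc/$ScomHost";         Account = 'TrustLab\SCOMDA' },
    @{ Spn = "MSOMSdkSvc/$ScomFqdn";         Account = 'TrustLab\SCOMDA' }
)

foreach ($s in $Spns) {
    # setspn -S refuses to add an SPN that already exists anywhere in the forest.
    # A duplicate SPN breaks Kerberos for both accounts and usually shows up as a
    # silent fallback to NTLM or as console/SDK connection failures.
    setspn -S $s.Spn $s.Account
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to register $($s.Spn) on $($s.Account)" }
}

# Show what each account now holds, then sweep the whole forest for duplicate SPNs.
$Spns | ForEach-Object { $_.Account } | Sort-Object -Unique | ForEach-Object {
    Write-Host "SPNs registered on $_"
    setspn -L $_
}
setspn -X
```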

Tip #6 - Rule of least privilege. It's always tempting just to drop the accounts into the local admins group, sysadmin or, heaven forbid, the domain admins group. Hopefully this information will help with assigning the accounts only the least privileges they require, which will always be best practice.

Below are a series of tables with example account names, their purpose and the permissions they require.
I've used the domain of TrustLab in this example, so all accounts are in the format <DomainName>\<AccountName>.
Like I say, these are examples only; use your own naming conventions for service accounts.




Virtual Machine Manager Accounts
http://technet.microsoft.com/en-us/library/gg697600.aspx

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCVMMSA | SCVMM Service Account | Local Admin rights on VMM Server |
| TrustLab\SCVMMHVHost | Adding Hyper-V hosts to VMM | Local Admin rights on target Hyper-V server |
| TrustLab\SCVMMOMCon | SCVMM to SCOM connector account | SCOM Administrator Role; SCVMM Administrator Role |
| TrustLab\DomJoin | Domain Joining Account used in templates for VM Deployment | Do not grant the account interactive logon rights. Use Delegate Control in AD. Computer Objects: Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions. This object and all descendant objects: Create/Delete Computer Objects |


Configuration Manager Accounts
http://technet.microsoft.com/en-us/library/hh427337

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCCMNA | SCCM Network Access Account | Requires the "Access this computer from the network" right on the Distribution Points. Minimum rights to access content on the Distribution Points. |
| TrustLab\DomJoin | Domain Joining Account used within task sequences to join the OS to the domain | Do not grant the account interactive logon rights. Use Delegate Control in AD. Computer Objects: Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions. This object and all descendant objects: Create/Delete Computer Objects |
| TrustLab\SCCMCP | SCCM Client Push Account | Do not grant the account interactive logon rights. Must be local admin on the target devices you push clients to. |
| TrustLab\SCCMRA | SCCM Reporting Service Point Account | Account is granted rights if chosen as a new account during Reporting Point creation from the console. |

N.B. There are FAR too many accounts to realistically list for ConfigMgr, please refer to the link above for a full breakdown.  Listed are the most common ones needed for the base install.
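The DomJoin permissions listed in the VMM and ConfigMgr tables above can be applied from the command line instead of the Delegate Control wizard. The script below is an added example (not from the original post): it delegates exactly the listed rights with dsacls and then denies the account interactive logon with secedit. The OU distinguished name is assumed; substitute your own.

```powershell
# Added example, not the post's own script. Assumed: account TrustLab\DomJoin and
# a target OU of "OU=Workstations,DC=TrustLab,DC=local". Needs the AD DS tools
# (dsacls) and rights to change the OU's ACL; run the secedit part on each
# server the account must not log on to (or put the same setting in a GPO).

$Account  = 'TrustLab\DomJoin'
$TargetOU = 'OU=Workstations,DC=TrustLab,DC=local'   # assumed OU - use your own

# "This object and all descendant objects": Create/Delete Computer Objects.
# /I:T = this object and all sub-objects; CCDC = create child / delete child.
dsacls $TargetOU /I:T /G "${Account}:CCDC;computer"

# "Computer Objects": rights on descendant computer objects only (/I:S).
# CA = control access right, WS = validated write, RPWP = read/write property set.
dsacls $TargetOU /I:S /G "${Account}:CA;Reset Password;computer"
dsacls $TargetOU /I:S /G "${Account}:WS;Validated write to DNS host name;computer"
dsacls $TargetOU /I:S /G "${Account}:WS;Validated write to service principal name;computer"
dsacls $TargetOU /I:S /G "${Account}:RPWP;Account Restrictions;computer"

# Verify: print only the ACEs that name the delegated account.
dsacls $TargetOU | Select-String -SimpleMatch $Account

# "Do not grant the account interactive logon rights": the account only needs
# network access to join machines, so deny local and RDP logon explicitly.
# secedit replaces the whole assignment for each right listed, so add any
# principals already in "Deny log on locally" on that machine to the same line.
$Nt  = New-Object System.Security.Principal.NTAccount($Account)
$Sid = $Nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$Inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$Sid
SeDenyRemoteInteractiveLogonRight = *$Sid
"@
$InfPath = Join-Path $env:TEMP 'deny-domjoin-logon.inf'
Set-Content -Path $InfPath -Value $Inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'deny-domjoin-logon.sdb') /cfg $InfPath /areas USER_RIGHTS
```

Check the result with `whoami /priv` is not applicable here; instead open Local Security Policy (secpol.msc) under User Rights Assignment, or run `secedit /export` and confirm the SID appears against both deny rights.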


Operations Manager Service Accounts
http://technet.microsoft.com/en-us/library/hh298609.aspx

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCOMAA | SCOM Action Account | Local Admin (NOT Domain Admin) |
| TrustLab\SCOMDA | SCOM Data Access Account | Local Admin |
| TrustLab\SCOMDR | SCOM Data Warehouse Read Account | Setup assigns Read to DW DB. Best practice to ensure the account has SQL logon rights before installation. |
| TrustLab\SCOMDW | SCOM Data Warehouse Write Account | Setup assigns Read to Operational DB, Write to DW DB. Best practice to ensure the account has SQL logon rights before installation. |

N.B. Always use the same Action Account & Data Access Account for each Management Server you deploy.
N.B. This list does not cover RunAs accounts for management packs such as the SQL or AD MPs. Please refer to the applicable management pack guide for details/requirements.


Service Manager Service Accounts
http://technet.microsoft.com/en-US/library/hh495662.aspx

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCSM Admins (this is a group, not an account) | Management group administrators | Account used to run setup must be able to add users to this group, as it will try to auto-add the user to it. |
| TrustLab\SCSMSA | SCSM Service Account | Local Admin on SCSM Server(s). Must be the same account for DW & MS Servers. |
| TrustLab\SCSMRA | SCSM Reporting Account | Nothing specific; will be granted rights in SQL during install. |
| TrustLab\SCSMAS | SCSM Analysis Services Account | Nothing specific; will be granted rights in SQL during install. |
| TrustLab\SCSMWF | SCSM Workflow Account | Normal User permissions, but must have a mailbox and send permissions for notifications. Manually add the account to Service Manager Administrators after install if not present. |

N.B. I haven't listed the accounts here that are used for setting up SharePoint, which will be needed when installing SharePoint dedicated for the Self Service Portal, as I am not a SharePoint expert and would recommend seeking dedicated SharePoint best-practice advice for that.



Service Manager Connector Accounts

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCSMADCON | Active Directory Connector Account | AD Read; Advanced Operator in Service Manager |
| TrustLab\SCSMOMCICON | SCOM CI Connector Account | Operations Manager: Operator privileges; Service Manager: Advanced Operator |
| TrustLab\SCSMOMALCON | SCOM Alert Connector Account | Operations Manager: Administrator; Service Manager: Advanced Operator |
| TrustLab\SCSMCMCON | SCCM Connector Account | SCCM SQL DB: smsdbrole_extract & db_datareader roles; Service Manager: Advanced Operator |
| TrustLab\SCSMSCOCON | SCORCH Connector Account | Read Properties, List Contents and Publish permissions on the root Runbook folder and all child objects. Grant via the Runbook Designer. |
| TrustLab\SCSMVMMCON | SCVMM Connector Account | SCVMM Administrator; Local Admin on VMM Server; Service Manager: Advanced Operator |

Orchestrator Service Accounts
http://technet.microsoft.com/en-us/library/hh912319.aspx

| Account Example | Purpose | Permissions |
|---|---|---|
| TrustLab\SCORCHSA | Orchestrator Management Service | Recommended to be a domain account. No special permissions required other than those the installer assigns during installation. |
| TrustLab\SCORCHSA | Orchestrator Runbook Service | Recommended to be a domain account so that, if Runbooks require access to remote resources, rights can be granted to this account. |
| TrustLab\SCORCHSA | Orchestrator Runbook Server Monitor service | Same account as the Orchestrator Management Service, and the same rights required. |

N.B. As is common with most deployments of Orchestrator, if you install the Management Server and Runbook Server components at the same time on the same server, they will both use the same service account.
N.B. To deploy an IP (Integration Pack) to the Runbook Designer, ensure the account running the Deployment Manager has local admin rights on the target, otherwise you will get Access Denied.


Part 2 - Service Accounts & Permissions

Part 3 - Installation Guide Links
Part 4 - Partner Solutions & Extensions

33 comments:

Anonymous said...

I noticed this post was done in May - any chance there is a more updated version?
-Jon @ human services software

Anonymous said...

Great stuff. Very helpful. I only found that the Service Manager accounts are named *SCOM* instead of *SCSM*.

Steve Beaumont said...

Whoops! You're right, I'll change that now, good spot ;)

Unknown said...

Thanks for your very helpful post, but for SCSM 2012 you do not speak about the account required for the Exchange connector and its rights?
Do you know what they are?

weitj said...

Too many accounts need to be created; what is the minimum?

Unknown said...

I notice on the SCOM accounts it just says 'local admin' - is it assumed that this means local admin on all managed machines, not just the mgmt console?

Steve Beaumont said...

You're correct, Adam: local admin on the management servers for SCOM.

Anonymous said...

Thanks for the Article, it's very useful.

But I have one "stupid" question: how do I achieve the goal "Do not grant the account interactive logon rights."?

Thanks

Fahim said...

Thank you very much for putting this together.
