

SCOM 2007 R2: Change password of service accounts

 


Scope

This article is for SCOM admins who do not want to compromise the security of the System Center Operations Manager 2007 R2 accounts.

It takes into consideration the five SCOM accounts: Action, Data Reader, Data Writer, SCOM installation, and SDK and Config. I am writing about the manual process to change their passwords.

 


Considerations

  1. ACS/Gateway is not installed.
  2. RMS is not hosted on a Windows clustered box.
  3. The RMS and SCOM DB/DW do not need to be turned off.
  4. SQL SP2/SP3 is installed.
  5. CU6 or above is installed.
  6. SQL DB/DB DW and other databases such as temp and reports DB are present in the same SQL instance.
  7. Back up the SNT Encryption key of reporting through SQL Server reporting manager.

 


Preparations

  1. Make sure that we have the most recent SCOM DB and DB DW backup.
  2. SDK Encryption Key backup.
  3. Backup of all unsealed MPs.

 


Steps Involved

Password change

A. AD

1- Make sure that the account's password for all five accounts is changed through Active Directory first.

B. RMS

2- Log in to the RMS box and navigate to the services panel--->Search the SDK service from the services.msc panel--->right click on the service--->Log on--->change the password from here.

C. Configuration service and OpsMgr VSS Writer Service

Change the password of the Configuration service and the OpsMgr VSS Writer Service in the same way.

3- Navigate to the SCOM Administration pane--->Navigate to Accounts--->Manually change the password of all the default action accounts and all other accounts which are present in the accounts section.

4- Log in to all the MS boxes one by one--->navigate to the services.msc panel--->Search OpsMgr VSS Writer Service--->right click on the service--->Log on--->change the password from here.

D. SCOM DB/DB DW

5- Log in to the SCOM DB/DW box--->Search the SQL services which are configured with the SCOM accounts, especially with the Data Reader, Data Writer and SCOM installation accounts--->right click on the services one by one--->Log on--->change the password from here. [SQL Server service, SQL Server Agent service, SQL Reporting service, SQL Integration etc.]

E. SQL Server

6- Access the SQL Server Configuration Manager--->SQL Server Services--->double click on the SQL services one by one--->Right click, open Properties and change the password. [Whichever SCOM accounts you have used to configure the services, all of them can be changed from here]

P.S.: Once you change the password from configuration manager, no need to change the same in the services.msc panel. However, to be very sure, I have changed from services.msc panel as mentioned in point 4.
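One way to confirm that steps 2 to 6 did not miss a service is to list every service that logs on with one of the SCOM accounts. This is an added example, not part of the original article; the server names and account names are placeholders, and the accounts must be written exactly as they appear in the "Log On As" column of services.msc.

```powershell
# Added example (Windows PowerShell): inventory of services per logon account.
# Server and account names below are hypothetical placeholders.
$servers  = @('RMS01', 'MS01', 'SQL01')
$accounts = @('CONTOSO\scom-sdk', 'CONTOSO\scom-reader', 'CONTOSO\scom-writer')

function Get-ServicesByLogonAccount {
    param([string[]]$ComputerName, [string[]]$Account)
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop
        } catch {
            # An unreachable box is reported, not silently skipped
            Write-Warning "$computer : WMI query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $services) {
            # StartName is the "Log On As" identity; -contains compares case-insensitively
            if ($Account -contains $svc.StartName) {
                New-Object PSObject -Property @{
                    Computer  = $computer
                    Service   = $svc.Name
                    LogOnAs   = $svc.StartName
                    State     = $svc.State
                    StartMode = $svc.StartMode
                }
            }
        }
    }
}

# A service that is set to start automatically but is not running after the
# change is the first place to look for a stale password.
Get-ServicesByLogonAccount -ComputerName $servers -Account $accounts |
    Sort-Object Computer, Service |
    Select-Object Computer, Service, LogOnAs, State, StartMode |
    Format-Table -AutoSize
```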

Errors

Sometimes there could be issues in accessing the SQL Server Configuration Manager, as it could throw a WMI related error while trying to access it. It would be a MOF file issue.

The error looks like:

Cannot connect to WMI provider. You do not have permission or the server is unreachable. Note that you can only manage SQL Server 2005 and later servers with SQL Server Configuration Manager.

Invalid Class[0x80041010]

You need to recompile the MOF file using the commands below.

Open the command prompt with Run as Administrator and paste the first command (a).

If the issue is still the same, paste the second command (b) and check.

If the issue is still the same, reboot the server and check.

a.  mofcomp "C:\Program Files\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof"

or

b. mofcomp "C:\Program Files (X86)\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof"

Reporting Service

The most important part is still left: the reporting service. Let's get the ball rolling :)

The other passwords are changed in SQL Server Configuration Manager, but inside SQL Server Services there is no way to change the password of the reporting service. For that, one needs to log in to the SQL Server reporting manager.

Access the SQL Server reporting manager--->Log in to the reporting manager--->Change the password of the execution account.

Navigate to the Database tab of the SQL Server reporting manager, change the DB first by creating another DB, and then change it again to retain the original reporting DB.

Change Database--->Create new report server DB [Do not go for existing DB]--->provide a temporary name to the report server DB in native mode--->Provide the changed credentials of the SCOM Data Reader account--->finish

Once again go to the Database tab--->use existing DB--->Use the original report DB name--->provide the credentials--->finish


Necessary Checks

Navigate to the Monitoring pane--->windows computers view--->find the RMS and MS one by one and check the health explorer view of the RMS/MS.

Check for any errors/warnings in the rules/monitors. Sometimes the database connectivity shows in a warning state, but that would happen only for 15-30 mins. It happens due to the connectivity issue/sync issue between RMS and DB, and it would automatically get healthy within 30 mins.

Navigate to the active alerts and check for any alerts related to SCOM RMS, MS or SCOM DB/ DB DW.

Navigate to SCOM operations console administration pane--->Check the health state of the MS and RMS after 15 mins from SCOM operations console.

Additionally, check for the following events in the operations manager log of RMS/MS:

Event id - 7025 - The Health Service has authorized all configured RunAs accounts to execute for management group XXXXXXXX.

Event id - 7026 - The Health Service successfully logged on the RunAs account "Your action account" for management group XXXXX

Event id - 7026 - The Health Service successfully logged on the RunAs account "Your data reader account" for management group XXXXX

Event id - 7026 - The Health Service successfully logged on the RunAs account "Your data writer account" for management group XXXXX
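The event check above can be scripted so that a missing 7026 for any account stands out. This is an added example, not part of the original article; the server names, account names and the one-hour window are assumptions to adjust, and it relies on the account name appearing in the 7026 message text as shown above.

```powershell
# Added example (Windows PowerShell): confirm events 7025/7026 after the change.
# Server names, account names and the time window are hypothetical placeholders.
$servers  = @('RMS01', 'MS01')
$expected = @('CONTOSO\scom-action', 'CONTOSO\scom-reader', 'CONTOSO\scom-writer')
$since    = (Get-Date).AddHours(-1)   # assumption: passwords were changed within the last hour

function Test-RunAsLogon {
    param([string]$ComputerName, [datetime]$After, [string[]]$ExpectedAccount)
    $ids = @(7025, 7026)
    # Get-EventLog can raise "No matches found"; treat that as an empty result
    $events = @(Get-EventLog -LogName 'Operations Manager' -ComputerName $ComputerName `
                    -After $After -ErrorAction SilentlyContinue |
                Where-Object { $ids -contains $_.EventID })
    $authorized = @($events | Where-Object { $_.EventID -eq 7025 }).Count -gt 0
    $logons     = @($events | Where-Object { $_.EventID -eq 7026 } |
                    ForEach-Object { $_.Message })
    foreach ($acct in $ExpectedAccount) {
        # Case-insensitive substring match of the account name in the 7026 message
        $seen = @($logons | Where-Object {
            $_.IndexOf($acct, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0
        New-Object PSObject -Property @{
            Computer       = $ComputerName
            Account        = $acct
            LoggedOn7026   = $seen
            Authorized7025 = $authorized
        }
    }
}

# Any row with LoggedOn7026 = False is an account whose new password has not
# been picked up by the Health Service on that server yet.
$servers | ForEach-Object { Test-RunAsLogon -ComputerName $_ -After $since -ExpectedAccount $expected } |
    Select-Object Computer, Account, LoggedOn7026, Authorized7025 |
    Format-Table -AutoSize
```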

Password change activity finished properly. 

 


Credits

Thanks to Gautam.75801 for the help on some parts.