Configuring Run As Accounts and Profiles in OpsMgr – A SQL Management Pack Example
<!--[if lt IE 9]>
<![endif]-->
Comments
Anonymous
January 01, 2003
I have learned a lot from you!
Thanks!Anonymous
January 01, 2003
Hi Kevin, I am running SCOM 2007 R2 with SQL 2000/05/08 MPs deployed, and I am experiencing an issue where SCOM is only discovering half of my SQL virtual instance. For excample, I have a 2 node physical SQL cluster running six virtual SQL instance (i.e. vsqla; vsqlb; vsqlc; vsqld; vsqle; vsqlf) and when I go to the Discovered Inventory view and search for theseinstances I only find vsqla/b/e. >All instances are running under the same SQL service domainaccount >SCOM SQL Run-As profile is configured to use the default account (SCOM admin account) which is part of the local admin group of this cluster, I even granted this ID domain admin rights but that didn't do anything. >SCOM agent is installed on both nodes and the PROXY setting is set to enable >If I look under "Agentless Managed" I only see the said three virtual instance Any idea what I am missing hereor have you seen something like this before with SQL Management Pack? Thanks is advance. MuradAnonymous
January 01, 2003
Hi Kevin - I have maybe a little bit different problem. I would like to configure a custom RunAs profile for agent installation, and use a RunAs account associated with it. The reason for this is I'm an admin for SCOM, but not domain admin, and our domain security policy has things pretty tightly locked down. There is an installation account configured with Local Admin rights on the servers, and we are using a domain user service account for the agent action account. All the documentation I've found says the agent installation is only able to be performed by the Managemnt Server action account, or an optional account that doesn't save credentials. Is there any way around this that you know of?Anonymous
January 01, 2003
@Vivak - Since your SQL server is ON the RMS.... this wont use Local System. This will use the Management Server Action Account as the default action account for all monitoring workflows. Therefore - your MSAA needs the rights to SQL.... OR you need to set up the Run-As account and profile to be used by the SQL MP for the RMS.- Anonymous
May 22, 2017
Hi Kevin, I have just started with SCOM . Could you please suggest me some links/docs that starts with scratch for beginners. Thanks
- Anonymous
Anonymous
January 01, 2003
Thx Kevin for the detailed explanation.Anonymous
January 01, 2003
Kevin, I am using the 2nd option for my SQL MP "Scenario #2. You use a Domain User account as the default action account. This account is a member of the Local Administrators group on the server OS. This domain user account has been delegated “SA” rights in SQL explicitly, or via group membership. In this case – the default agent action account has full rights to the Operating System and to SQL. No other configuration or use of Run-As accounts is necessary. The SQL MP will discover and monitor the SQL instances. (Hint – you might consider just using this special account as the default agent action account ONLY for your SQL servers). This is more secure than scenario #1 above, but is more difficult to manage in some cases" I've verified each instance has "local administrator" "SA" right , but I am still having issues discovery all virtual instances. Anything else I can look at to see whySCOM is unable to see all VSQLs in a two node cluster? Thanks, MuradAnonymous
January 01, 2003
Cannot be resolved generally means you did not distribute the run-as account to that particular health service.Anonymous
January 01, 2003
Yes - that will be a soon to come post - I am going to get some assistance and figure out a good way to handle dynamic run as account distribution using the SDK - since the UI leaves a lot to be desired. Stay tuned.Anonymous
January 01, 2003
@Murad Discovery is pretty basic.... you dont need a lot of rights to discover the items. Are you discovering some, or none of the virtuals? Do the virtual instances show up in the Windows Computer and Windows Server class by name? Have you enabled Agent proxy for all cluster nodes, and have an agent on all nodes in the cluster? Bounce the agent health service. Wait 5 minutes. Are there any discovery errors or 10801 or 33333 events on the agent OpsMgr event log, or the Management server it is assigned to?Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Look in your event logs on the nodes - you will see discovery errors, or - look on the management server event logs that the agents report to - you will see 10801/33333 events about failing to insert discovery data. Next - your account being a domain admin is irrellevant (and should NEVER be used). What is relevant - is doe the account be used for discovery (default agent action account) have enough rights on the machine to be able to discover the instance..... if some are discovering but not others on the same node - then look at the differences in SQL INSTANCE security. Last - if the events seen on the agent are timeouts for discovery - increase the timeout via override.Anonymous
January 01, 2003
@Udit -
What monitor or rule specifically do you feel is not working? There is no monitor for a decommissioned DB.Anonymous
January 01, 2003
Hi Graham - I didnt. I started to... got some SDK code in C#, but what I really want is for this to be included in the product, or it to be portable to PS script.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
@John -
I am actually working on that this week - there are three blog posts floating around out there with examples, I am going to try and build out a comprehensive post which covers all of them.Anonymous
January 01, 2003
"Wed, Sep 8 2010 4:56 PM: Yes - that will be a soon to come post - I am going to get some assistance and figure out a good way to handle dynamic run as account distribution using the SDK - since the UI leaves a lot to be desired. Stay tuned."
any update on that dynamic run as account distribution? adding each sql server manually is an absolutely fantastic solution in a lab with a half-dozen machines. adding each sql server manually in a production environment is, in a word, ridiculous.Anonymous
September 10, 2010
Automatic distribution would indeed be great. Right now I've got a series of PS scripts that ops can run as a task to map the various RunAs profiles for SQL. It helps some, but is only as good as the underlying process. Nice detailed explanation, Kevin.Anonymous
September 20, 2010
i'm still puzzled why a domain account with local admin rights and sa rights is generally considered more secure than the system account (scenario 1 vs 2 in your post). it seems to me the domain account has extra rights in the domain whereas the system account can't go beyond the local system. But i guess that's a bit off topic to the blogpost :)Anonymous
October 05, 2010
Thanks for another great article Kevin - I have notied that this rule also fires an alert against the SQL Server if the SQL Server hosts databases that are set to auto-close. Workaround of creating a group of databases and over-riding the rule (enable = false) for the group seems to work.Anonymous
October 06, 2010
I am trying to figure out how to modify a runas accounts distribution list using the SDK. Do you have any idea which class, property or methods to use ? The class MonitoringSecureData represents the runas account, but I can't find anything about distribution list or less/more secure. Thanks, JanAnonymous
November 12, 2010
Very helpfull! thanks...Anonymous
February 07, 2011
Dear Kevin, Fantastic explaination Here is my issue: I have implemented Scenario #1. You use Local System as the default agent action account. SQL 2008 SCOM 2007 R2 , The OPSMGR DB is on the RMS itself I was getting alert based on follwoing rule : Run As Account does not exist on the target system or does not have enough permissions After checked i saw Local System ahs SA rights on DB instanctance Still i got the same alert for all the DB's I checked the Action Accounts Listed in Console and saw 2 action accounts ,
- Local System Action Account
- Managemnet Server action account that was created during setup As checked the Management server action account doesnt have SA privilages , it just has Public rights on the DB I gave it SA rights and the event which caused the alert stopped. Any reason why that must have to be done ?
Anonymous
February 25, 2011
Hi Kevin Did you ever get a chance to look at this in more depth? "Yes - that will be a soon to come post - I am going to get some assistance and figure out a good way to handle dynamic run as account distribution using the SDK - since the UI leaves a lot to be desired. Stay tuned. " Cheers GrahamAnonymous
December 09, 2011
I went through your directions.. Now I just got dozens of alerts saying "An account specified in the Run As profile "Microsoft.SQLServer.SQLDefaultAccount" cannot be resolved." What is causing that?Anonymous
December 12, 2011
And how do I distribute it?Anonymous
March 28, 2012
You wrote: "Our goal is to make the initial discoveries – which target the “Windows Server” class, run under the default agent action account. THEN – ALL subsequent discoveries should run under the SQL Discovery Profile/Run As account. Therefore – we should add the “SQL DB Engine” class." Most of my sql servers can be monitored using the default action account (local system), but I have some sql servers that need to be monitored using another account (domain account). How do I target this runas account? I can not use the SQL DB Engine class because then all sql servers will use this run as account. Regards, Chris- Anonymous
May 31, 2016
Hi Murad.. I Have the same scenario.. Did you find out anything more regarding this. In advance thank you. Regard Nicklas
- Anonymous
Anonymous
February 19, 2013
Hi Kevin, thanks for this information. My concern is if you are using the Local System account for the “Default Agent Action Account”, what would stop someone from making the agent run scripts that could potentally do damage to the system?Anonymous
April 19, 2013
The comment has been removedAnonymous
July 29, 2013
Great and very interesting blog. I think it’s also an informative. Thanks for sharing.Anonymous
October 11, 2013
Please, also remember that, as stated by the MP documentation, the use of run as profiles - Low Privilege Environment - is not supported in clustered environment. By the way : why isn't it supported ?Anonymous
November 27, 2013
Kevin, Awesome post! I am almost ashamed I have only recently been able to implement RunAs for SQL in our environment. But I do not understand why RunAs setup seems to double the work. Distributing the creds to certain systems from the account, then setting up the profile to apply the account to those same systems seems duplicitous. I do not understand but am glad it works to optimize our monitoring capabilities. We are in a decentralized environment where SQL team is not responsible for every SQL server in our enterprise, distribution of specific RunAs creds to specific SQL servers. I was able to point the profile config to a group but you can't push RunAs account creds to a group. But one of the options for adding systems to RunAs cred distribution is 'Show suggested computers'. I picked that and hit Search and the agents for each of the systems from the group were listed. A quick way to add all the correct agents to get those creds! Thanks very much!Anonymous
February 12, 2014
Hi Kevin, Do you have any update about a way to do a dynamic run as account distribution. Thanks so much in advanceAnonymous
March 31, 2014
Hi Kevin, I have SCOM 2007 R2 in my environment & I am using a SQL Action account as specified above for the SQL monitoring. I have noticed that we are not getting any alerts from the DB, we tested this by decommissiong the DB also, but no alert from the host server on SCOM. We feel, there is no monitoring happening for the SQL DB. How can I troubleshoot this issue?Anonymous
May 30, 2014
Pingback from SCOM QUICK Install | config.reAnonymous
June 16, 2014
The comment has been removedAnonymous
October 02, 2014
Hi Kevin!
Very good explanation!!!! I'm already making use of scenarios in my LAB.Anonymous
November 13, 2014
One of the best explanation on Run As Account & Profile. I was struggling to understand the concept for a while as, I am new to OM. Now, I understood what it mean and how to relate to profile. Thank you very much.Anonymous
January 13, 2015
Hi Kevin,
It means that SCOM MP only discover and monitor SQL Servers and MP doesn't change and modyfying any settings data in SQL?
Thank you!Anonymous
May 11, 2015
I wrote a post explaining Run As accounts a while back here: http://blogs.technet.com/b/kevinholman/archiveAnonymous
June 08, 2015
Kevin,
First I would like to thank you for one of the best explanations on how to implement this.
Second, I see that if my SQL Server has the proxy checked I get "An account specified in the Run As profile "Microsoft.SQLServer.SQLDiscoveryAccount" cannot be resolved." error on machines that look to that SQL Server. So if I add these servers to the Distribution list under the Account it goes away. Is this right?
Again Thank you
David D.Anonymous
June 08, 2015
@David -
1. I don't think this has anything to do with whether proxy is enabled or not. I turn proxy on as a default setting so all new agents inherit proxy enabled, for EVERYONE. Dealing with that setting is pointless IMHO.http://blogs.technet.com/b/kevinholman/archive/2014/02/11/opsmgr-2012-enable-agent-proxy-on-all-agents.aspx
2. Whenever a profile associates an account to a class hosted by an agent - you will see these "cannot be resolve" errors, which simply means the RunAs account has not been distributed yet. Distributing the account will resolve those. For automation - see:http://blogs.technet.com/b/kevinholman/archive/2015/05/03/automating-run-as-account-distribution.aspxAnonymous
October 29, 2015
Hi Kevin,
I get "An account specified in the Run As profile "Microsoft.SQLServer.SQLDiscoveryAccount" cannot be resolved." error on machines that look to that SQL Server. The error still even after I distributed the Run As accounts to all the computers where the error is thrown.
Any idea?Anonymous
October 29, 2015
@Srini -
Cannot be resolved will be expected on machines that either are not distributed, or are not in a trusted domain.Anonymous
October 30, 2015
Thanks for the reply Kevin. But I have distributed the accounts to this server by editing the distribution list manually still the error persists. The server is also in the same domain as the Management servers. Really strange. Infact this appears on all the SQL servers though the account has been distributed to all of them.
Any other reason?Anonymous
November 13, 2015
Hi Kevin. quick help needed please. I am installing SCOM2012R2 and just configured the first management server. However I am getting the below error and MS is showing in greyed out state:
“The Health Service could not log on the RunAs account (database read account) for management group (SCOMMG) because it has not been granted the "Allow log on locally" right.”
Not sure why it is asking Read account to have log on access locally but still I added that account as administrator on MS, Operation DB server and DWH and checked local profile setting that it allows administrators to logon locally. But no help. Could you please suggest a solution here.Anonymous
November 13, 2015
@ Avijit -
The Datawarehouse Read account opens up a process on all management servers to run operations associated with the DW. This account should be granted local administrator on the SCOM management servers. This is documented in our deployment guide. To make things simple, I recommend having a global group for SCOM admins, and add all the service accounts to this. This use this group as member of each SCOM server's local administrators group, and as a SCOM Administrator role. If you are still getting failed to log on locally, then this account is NOT a local administrator, or your organization has implemented explicity policies for log on locally and it must be added there as well as an advanced user right.Anonymous
February 15, 2016
I an a SQl DBA got an alert on daily basis on different servers"Run As Account does not exist on the target system or does not have enough permissionst".So my question is what things i have to check on server to resolve this and how can i resolve this issue.Anonymous
April 05, 2016
Excellent explanation. I did not understand that RunAs Profiles in essence are optional, as long as the Default Action Account for that particular server/service has the necessary permissions.- Anonymous
April 06, 2016
that's a bingo
- Anonymous
Anonymous
August 07, 2016
Hi Kevin,Hope you are doing good.Is there any powershell commandlet or SQL Query to pull the list of Rules which are associated / mapped to a specific Run as Profile ?I have a SQL Query which can give the output for Monitors, But was not able to find one for Runes.select distinctmanagementpackview.Name as 'Management Pack Name',monitorname as 'Monitor Name',SecureReferenceView.displayname as 'RunasProfile Name'from dbo.Monitor inner join SecureReferenceView on monitor.runas = SecureReferenceView.idinner join managementpackview on managementpackview.id = SecureReferenceView.ManagementPackIdwhere SecureReferenceView.displayname like '%YOUR RUNAS PROFILE NAME%'Most of this information is provided in the Management pack Guide, But incase if we do not have a guide or lost it then it will be useful so asked,Anonymous
November 18, 2016
Are groups consisting of windows computer objects sufficient when associating the always on discovery and monitoring profiles?Should I be including availability groups?- Anonymous
November 18, 2016
Yes - they are - because Windows Computer objects contain all the other hosted instances on the agents.
- Anonymous
Anonymous
December 19, 2016
Hi Kevin ,I have SCOM 2012 R2 UR9 running in my environment.SQL 2008,2012,2014,2016 are runningHave created the Accounts and Distributed it to the SQL Servers.(Accounts have admin level access to Servers and Sysadmin level access to SQL)Have Associated the Accounts with the below Classes and groups in the profilesClass::SQL Server 2*** AgentSQL Server 2*** Agent JobSQL Server 2*** DBSQL Server 2*** DB EngineGroup::SQL Server 2*** DB Engine GroupIn many Servers i get this below error for profiles"Microsoft.SQLServer.SQLDiscoveryAccountMicrosoft.SQLServer.SQLProbeAccount "Log Name: Operations ManagerSource: HealthServiceDate: 12/19/2016 12:03:37 AMEvent ID: 1108Task Category: NoneLevel: ErrorKeywords: ClassicUser: N/AComputer: Description:An Account specified in the Run As Profile "Microsoft.SQLServer.SQLProbeAccount" cannot be resolved. Specifically, the account is used in the Secure Reference Override "SecureOverride7abf93bb_3f52_39b9_1229_9233b8a1b14c". This condition may have occurred because the Account is not configured to be distributed to this computer. To resolve this problem, you need to open the Run As Profile specified below, locate the Account entry as specified by its SSID, and either choose to distribute the Account to this computer if appropriate, or change the setting in the Profile so that the target object does not use the specified Account. Management Group: Run As Profile: Microsoft.SQLServer.SQLProbeAccount SecureReferenceOverride name: SecureOverride7abf93bb_3f52_39b9_1229_9233b8a1b14c SecureReferenceOverride ID: {F7391A0D-BBDB-AFAC-5FDD-665FA0228630} Object name: MsDtsServer110 Object ID: {B8568913-7DD5-79D0-8660-EA20A2623BF9} Account SSID: 00F665CC36675DFA25A72DA4777F6273E2AED2E2B400000000000000000000000000000000000000What could be the reason.?how to fix the same?- Anonymous
December 20, 2016
@Dinesh kumarAccount not resolved simply means it is not distributed.Why not skip all this and use Service SID's?- Anonymous
December 22, 2016
Hi Kevin ,Saw your Run as Account Addendum Management Pack.Champion Idea.There are more than 800 DB servers running with Profile/Run as Account/distribution setup in my environment.How can i implement SSID method , Without any impact to SQL monitoringAny thoughts?
- Anonymous
- Anonymous
Anonymous
February 06, 2017
The comment has been removedAnonymous
February 19, 2017
Hi Kevin,I have stared working on SCOM 2012 SP1 and I am geeing maximum alert regarding "RUN AS ACCOUNT" issue. i have run a query on operation Shell "cannot bind parameter'Process'. Cannot convert the "Domain\Account name" value of type "System.String" to type "System.Management.Automation.Scrpitblock".So please let me know what should i need to do in this scenario.Anonymous
February 19, 2017
Hi kevin,I have started working on SCOM SP1. And i am getting maximum error of "RUN AS ACCOUNT". And i run a script on operation manger shell. And i got something like that. there are many account on which i found this error."cannot bind parameter'Process'. Cannot convert the "Domain\Account name" value of type "System.String" to type "System.Management.Automation.Scrpitblock".Please let me know what should i need to do in this scenario. Thanks,GouravAnonymous
March 29, 2017
Hi Kevin, I working on an MP form Netapp. I got 4 groups with run as account used in the discovery DS. This is an sample from the Mp Discovery $MPElement$ $MPElement[Name="DataONTAP.Cluster.AdminVserversGroup"]$ $MPElement[Name="DataONTAP.Cluster.AdminVserver"]$ $MPElement[Name="SCIG!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$ The group was not populate. If i build a custom group with same without the runas It's working. I am not sure to understang why they used a runas in a group discovery. I try to distribute the runas on my RMS it's working. Can you Explain pls- Anonymous
March 29, 2017
Sorry Bad Copy paste. Discovery $MPElement$ $MPElement[Name="DataONTAP.Cluster.AdminVserversGroup"]$ $MPElement[Name="DataONTAP.Cluster.AdminVserver"]$ $MPElement[Name="SCIG!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$
- Anonymous
Anonymous
August 30, 2017
Hi Kevin,I have upgraded SCOM 2012 R2 to UR12 yesterday in our production environment. I have observed the below alerts in all SQL Agent servers (1000 servers). Password for this account is never expires option selected. I re-entered the password in Run as account but still the problem persists. Can you help me with this.Description: The password for RunAs account Domain\SQLAccount for management group MG is expiring on Thursday, January 01, 1970. If the password is not updated by then, the health service will not be able to monitor or perform actions using this RunAs account. There are 0 days left before expiration. Thanks,Ramu ChittiproluAnonymous
October 03, 2018
Thanks! Kevin