MOM 2005 Accounts: What are they, what they do, and what permissions do they need?
We’ve seen and run into quite a bit of confusion about the different security accounts that exist in MOM 2005: specifically, which accounts exist for MOM, what they do, and what permissions they need to do it. The following is a summary of this information based on our own experiences. For Microsoft’s best practices, refer to the Microsoft MOM security guide, which is available at: http://go.microsoft.com/fwlink/?linkid=33035.
Most of the debate revolves around the Action accounts used within MOM. The recommended approach is to use a built-in system account to provide the required functionality: Local System, or on Windows 2003 the Network Service account, which is recommended over Local System. The MOM Agent Action accounts should run as Network Service unless that account cannot effectively be given the permissions required by the management packs deployed to that system. For example, the SQL Server management pack requires access to various databases, which will not be available unless the Local System/Network Service account is given permission to those databases. We can think of more than one organization that was not comfortable with a system account having that level of permission into their databases.
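As an added example (not part of the original post), the following PowerShell script reports which Windows identity each MOM-related service on a host logs on as and annotates it against the guidance above. It assumes the MOM services can be matched by the hypothetical name pattern 'MOM*' and that WMI (DCOM) access to the target host is available; it shows service logon identities only, so an Action account configured inside MOM itself will not appear in its output.

```powershell
# Added example, not from the original post: audit the logon identity of
# MOM-related services and compare it with the recommended accounts.
# Assumptions: services are matched by the pattern 'MOM*' (adjust for your
# install) and Get-WmiObject can reach the target host over DCOM.
param(
    [string]$ComputerName   = $env:COMPUTERNAME,
    [string]$ServicePattern = 'MOM*'   # assumed pattern, not a MOM identifier
)

$os        = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
$isWin2003 = $os.Version -like '5.2.*'   # Windows Server 2003 reports NT version 5.2

$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern }

foreach ($svc in $services) {
    # StartName is the logon identity recorded by the Service Control Manager
    $runsAs = $svc.StartName
    $note = switch -Regex ($runsAs) {
        '^LocalSystem$' {
            if ($isWin2003) { 'Local System; Network Service is recommended on Windows Server 2003' }
            else            { 'Local System' }
        }
        '^NT AUTHORITY\\NetworkService$' { 'Network Service; recommended default' }
        default { 'Specific account; confirm it holds only the rights the deployed management packs need' }
    }
    [pscustomobject]@{
        Computer    = $ComputerName
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        RunsAs      = $runsAs
        State       = $svc.State
        Note        = $note
    }
}
```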
The following is a summary of the security accounts in MOM, what they do, and the recommended permissions. At a minimum you need one account with permissions to deploy the agents (the Management Server Action account is recommended) and one with access rights to the MOM databases (the MOM DAS account). For more detailed information on these, our upcoming MOM 2005 Unleashed book provides quite a bit more than what is listed below.
• Management Server Service account (the MOM Service account)
• Management Server Action account
• MOM DAS account
• MOM Reporting account
• MOM Agent Action account(s)
  • These can exist on a per-managed-server basis
  • In some cases using a specific account is preferable to provide the permissions required by the management pack(s), such as the SQL Server Management Pack (for organizations not wanting to give SQL rights to Local System) or the Active Directory Management Pack.
• MOM Agent Service Action account(s)
*On Windows 2000 Server, the Action account must be a member of the local Administrators group. On Windows Server 2003, you can use a low-privileged account for the agent’s Action account under certain circumstances (see Microsoft’s MOM 2005 Security Guide for more information).