The System Center Operations Manager agent uses the Run As Profile that is named Privileged Monitoring Account to process Health Service configuration. By default, the Privileged Monitoring Account profile uses the Local System account.
When you configure the agent to use a domain user as the Default Action Account on a domain controller, the Health Service Lockdown Tool (HSLockdown.exe) is automatically run at installation. The Health Service Lockdown Tool denies Health Service access to the NT AUTHORITY\SYSTEM security principal.
In this scenario, only the NT AUTHORITY\Authenticated Users security principal is allowed access to the Health Service. However, when Active Directory is hardened, or the agent is misconfigured, the Local System account cannot authenticate as a member of Authenticated Users, so the agent cannot process Health Service configuration information.
Method 1: Configure the Privileged Monitoring Account profile
Configure the Privileged Monitoring Account profile to use a domain user who has administrative rights on the affected domain controllers. To do this, follow these steps:
- Open the SCOM Console, and then click Administration.
- Under Security, right-click Run As Accounts, and then click Create Run As Account. This starts the Create Run As Account Wizard.
- Select Windows in the Run As Account type box. Enter a display name, and then click Next.
- Enter the user name and the password for an account that is a member of the Administrators group on the domain controller, and then click Create.
- After the Run As Account is created, open the Run As Profiles view, and double-click Privileged Monitoring Account.
- Click the Run As Accounts tab.
- Click New.
- Click the Run As Account that you created in step 2 through step 4.
- Click the domain controller in the list of computers, and then click OK.
- Repeat step 7 through step 9 for each affected domain controller.
- Click OK in the Run As Profile Properties dialog box.
- Restart the OpsMgr Health Service on the affected domain controllers.
Method 2: Run HSLockdown.exe to configure permissions
Run HSLockdown.exe on the affected domain controllers to remove NT AUTHORITY\SYSTEM from the Denied list. To do this, follow these steps:
- On the domain controller, open a command prompt, and then open the folder where the agent software is installed.
- Type the following command, and then press ENTER:
hslockdown "Management_Group_Name" /R "NT AUTHORITY\SYSTEM"
In this command, Management_Group_Name is the name of the Operations Manager 2007 management group of which the agent is a member. Use quotation marks if the name contains spaces.
- Restart the OpsMgr Health Service.
- Repeat step 1 through step 3 on each domain controller that is affected.
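The following PowerShell script is an added example of Method 2, not part of this article. It locates HSLockdown.exe and the management group name from the registry instead of asking you to type them, shows the Allowed and Denied lists before and after the change so you can confirm that SYSTEM was removed, and then restarts the Health Service. It assumes (verify on your agent build) that the agent install path is stored in the InstallDirectory value under HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup, that the management group name is the subkey under HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups, and that the service is registered as HealthService. Run it in an elevated prompt on each affected domain controller.

```powershell
# Added example (not code from KB 946428): remove NT AUTHORITY\SYSTEM from the
# Health Service Denied list on this domain controller, then restart the service.
# Assumptions, to be verified on your agent build:
#   - agent install folder: InstallDirectory value under
#     HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup
#   - management group name: subkey under
#     HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups
#   - service name: HealthService (display name "OpsMgr Health Service")
$ErrorActionPreference = 'Stop'

# Locate HSLockdown.exe in the agent install folder.
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'
$hslockdown = Join-Path $setup.InstallDirectory 'HSLockdown.exe'
if (-not (Test-Path $hslockdown)) {
    throw "HSLockdown.exe not found at $hslockdown"
}

# Read the management group name the agent is a member of. Refuse to guess
# if the agent reports more than one group (multi-homed agent).
$mgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups'
$groups = @(Get-ChildItem $mgKey | ForEach-Object { $_.PSChildName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one management group, found: $($groups -join ', ')"
}
$mg = $groups[0]

# Show the current Allowed/Denied lists before changing anything.
Write-Host "Current Health Service lockdown state for '$mg':"
& $hslockdown $mg /L

# Remove SYSTEM from the Denied list (the same command as in Method 2).
# PowerShell passes $mg as a single argument even if the name contains spaces.
& $hslockdown $mg /R 'NT AUTHORITY\SYSTEM'
if ($LASTEXITCODE -ne 0) {
    # Assumption: HSLockdown returns a non-zero exit code on failure.
    throw "HSLockdown returned exit code $LASTEXITCODE"
}

# List again so the operator can confirm SYSTEM no longer appears under Denied.
Write-Host "Lockdown state after removal:"
& $hslockdown $mg /L

# The change only takes effect once the Health Service restarts.
Restart-Service -Name HealthService
Get-Service -Name HealthService | Select-Object Name, Status
```

If the first /L listing shows that SYSTEM is not in the Denied list at all, the symptom has a different cause and this method will not help; check the Run As Profile configuration from Method 1 instead.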
Article ID: 946428 - Last Review: April 19, 2012 - Revision: 1