MOM 2005: The Action Account (or better yet ... The Action Account?!)

Marcus Oh, Contributor, myITforum.com

During the installation of MOM 2005, you established an Action Account. Unfortunately, you were too busy being excited about what was cool about MOM 2005 to be paying attention to something as petty as security. Now that it's set, you're not sure what it does or what security it actually requires. In fact, you're not even sure where to change the account MOM uses. Being the imperturbable administrator, you simply panic.

In all seriousness, the Action Account has various functions, many very integral to some of the tasks MOM 2005 performs. In this age of IT, a focus on security can be tantamount to the completion of the project. Take some time to read through some of the benefits of Action Account and how best to implement it in your environment.

Benefits of an Action Account:

  • Runs computer discovery and tasks issued from the MOM console.
  • Performs agent push-installations (similar to SMS 2003 Client Push Installation account).
  • Executes uninstallations and settings updates for agent-managed computers.
  • Runs responses and scripts on agent-managed computers (including the Management Server).
  • Manages actions on agentless and agent-managed computers.
  • Collects data from agentless and agent-managed computers.
  • Communicates with agentless and agent-managed computers.

To perform some of the tasks listed above, the Action Account will need administrative privileges to MOM agents. Any agent running Windows 2003 can use

Requires Free Membership to View

a combination of a low-rights domain account with special privileges (aside from general push installations, which can be done through other methods). You can even use different Action Accounts for each agent; however, this may be a daunting task to maintain properly. More details on the exact permissions required for the Action Account on the management server, as well as MOM agents, can be found in the MOM 2005 Security Guide.

Administering the Action Account:
There are two ways you can administer the Action Account after it has been established during installation. The first is inside the MOM 2005 Administrator Console under Administration / Computers / Agent-managed Computers. If you're interested in establishing per agent Action Accounts, this is where to do it. (Keep in mind that while you can change the Action Accounts on agent-managed computers through this method, the Management Server Action Account must be administered through the second method.)

  • Navigate to Agent-managed computers.
  • Highlight the agents (some or all) for which you will be changing the Action Account.
  • Right-click on the highlighted selection. Choose All Tasks > Update Agent Settings.
  • Specify to use the default Management Server Action Account or specify an Action Account specific for the agent (or group of agents).

The second method is through the SetActionAccount.exe tool located under %Program Files\%Microsoft Operations Manager 2005 directory. This is a command-line tool that only accepts two switches -- making it very easy to use. Running either command requires prefacing the command switch with the Configuration Group name. All changes to the MOM Action Account, must be followed by a restart of the MOM service on the Management Server for changes to become effective. Usage, example and output listed respectively:

SetActionAccount.exe [Configuration Group Name] -query
Issuing this command returns the current account information.

Ex: SetAcctionAccount.exe MOM2005POC -query

Providers and responses run as MOMDomain\MyMOMActionAccount

SetActionAccount.exe [Configuration Group Name] -set
Issuing this command starts a password dialog which will reset the Action Account on completion.

Ex: SetActionAccount.exe MOM2005POC -set
MOMDomain MyMOMActionAccount
(notice no backslash between domain and username)
Enter password : (input text is hidden)
Re-enter password : (input text is hidden)
Action account set.

For more information:
MOM 2005 Security Guide -- online documentation
http://www.microsoft.com/technet/prodtechnol/mom/mom2005/secguide.mspx MOM 2005 Security Guide -- document download

ABOUT THE AUTHOR: Marcus Oh works for Cox Communications, Inc. in Alpharetta, GA., deploying MOM for 250+ servers, rolling out SMS 2003 and Windows 2003, and supporting the company's directory services infrastructure.

This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. The centerpiece of myITforum.com is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget network of Web sites. To register for the site and sign up for the myITforum daily newsletter, click here.

This was first published in September 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.