The Operations Manager agent runs on each computer that Operations Manager monitors. To view the computer groups that the Configuration Manager 2007 Management Pack monitors, see the Computer Groups for the Configuration Manager 2007 Management Pack section in this guide. The Operations Manager 2007 agent collects monitoring data on the managed computer, applies rules to the collected data, and then sends the resulting data to the Data Consolidator Agent Manager (DCAM). Monitoring functionality on an agent computer is provided by the Operations Manager 2007 Service (HealthService.exe), Operations Manager 2007 Host (MonitoringHost.exe), and the Agent Action Account.

To deploy the Operations Manager 2007 agent, you can use the Operations Manager 2007 installation wizard or Configuration Manager software distribution. For details on deploying the Operations Manager 2007 agent and using the Operations Manager 2007 installation wizard, see “Discovering Computers and Deploying Operations Manager Agents” in the Microsoft Operations Manager 2007 Deployment Guide. For more information, see the Operations Manager 2007 Web page (http://go.microsoft.com/fwlink/?LinkID=83259).

Note
It is recommended that you run the Operations Manager 2007 agent on the Configuration Manager Provider computers by using the LocalSystem account or an account with sufficient rights to access the Configuration Manager WMI namespaces root, root\cimv2, root\sms, and the SMS registry key and subkeys.

To determine whether agentless monitoring can be used in your environment, see "Agentless Monitoring Support" in Management Pack Monitoring Scenarios for Configuration Manager 2007.

Defining the SMS Environment Variable to Support Log-Based Rules

A number of rules in the Configuration Manager Management Pack read Configuration Manager-based log files to check for errors.

The following rules under ConfigMgr Site Servers - Common are based on the sender.log, distmgr.log, and policypv.log files, respectively:

  • ConfigMgr 2007 Component: The sender cannot connect to remote site over the LAN (Standard Security)

  • ConfigMgr 2007 Component: The sender cannot connect to remote site over the RAS connection

  • ConfigMgr 2007 Component: The sender cannot connect to remote site over the LAN (Advanced Security)

  • ConfigMgr 2007 Component: Distribution Manager failed to process a package

  • ConfigMgr 2007 Component: Distribution Manager failed to insert an SMS Package because SDM Type Content is not present in the CI_Contents table

  • ConfigMgr 2007 Component: Policy Provider failed to get new software update policies from the SMS Site Database

  • ConfigMgr 2007 Component: Policy Provider failed to create new software update policy

  • ConfigMgr 2007 Component: Policy Provider failed to get new compliance policies from the SMS Site Database

  • ConfigMgr 2007 Component: Policy Provider failed to create new compliance policy

  • ConfigMgr 2007 Component: Policy Provider failed to notify Hierarchy Manager of a policy change

In order to monitor these logs, the location of the Configuration Manager installation folder must be specified. To do so, create the %SMS_INSTALL_DIR_PATH% system environment variable on a site server so that the MOM Agent running under Local System or a local administrator user context has access to the log files in the %SMS_INSTALL_DIR_PATH%\Logs directory. For more information about setting system environment variables, see the system environment variable Web page (http://go.microsoft.com/fwlink/?LinkId=92316).

In order for the Operations Manager Health Agent to use this system environment variable, the Configuration Manager Site Server may need to be restarted.
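The following PowerShell sketch is an added example, not part of the original guide. It defines the variable at machine scope and then confirms that the three log files named above can be opened for reading by the account running the script. The `$InstallDir` parameter is an assumption and must be supplied by the operator. Run it from an elevated session.

```powershell
param(
    # Configuration Manager installation folder on this site server (operator supplied).
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

$logDir = Join-Path $InstallDir 'Logs'
if (-not (Test-Path -LiteralPath $logDir -PathType Container)) {
    throw "Logs folder not found: $logDir"
}

# 'Machine' scope creates a system environment variable rather than a per-user one.
[Environment]::SetEnvironmentVariable('SMS_INSTALL_DIR_PATH', $InstallDir, 'Machine')

# Read the value back from machine scope. Services that are already running keep
# their old environment block, which is why a restart may be needed.
$stored = [Environment]::GetEnvironmentVariable('SMS_INSTALL_DIR_PATH', 'Machine')

# Log files that the rules listed above depend on.
foreach ($name in 'sender.log', 'distmgr.log', 'policypv.log') {
    $file = Join-Path (Join-Path $stored 'Logs') $name
    try {
        # Open read-only and allow shared read/write, because the site
        # components normally hold these files open while they run.
        $stream = [System.IO.File]::Open($file, 'Open', 'Read', 'ReadWrite')
        $stream.Close()
        "{0,-14} readable" -f $name
    } catch {
        "{0,-14} NOT readable: {1}" -f $name, $_.Exception.Message
    }
}
```

The read test reflects the permissions of whoever runs the script, so run it under the same account the agent uses to confirm that account's access.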

Configuring Agent Computers to Run in Low-Privilege Scenarios

Monitoring functionality on an agent computer is provided by the Operations Manager 2007 Service (HealthService.exe), Operations Manager 2007 Host (MonitoringHost.exe), and the Agent Action Account. On Microsoft Windows® 2000, the Action Account must be a member of the local administrators group. On Microsoft Windows™ 2003, you can use a low-privileged account for the Agent Action Account under certain circumstances. However, significant manual configuration is required on the agent computer to give the Action Account, and the user context under which the Operations Manager 2007 Service and Operations Manager 2007 Host process run, the rights and permissions needed to run the Configuration Manager 2007 Management Pack features. On Microsoft Windows Server™ 2003, the Agent Action Account must have the following minimum user rights and permissions:

  • Member of the Local Users group

  • Access to Windows Event Logs

  • Manage auditing and security log permission (SeSecurityPrivilege)

  • Generate security audits permission (SeAuditPrivilege)

  • Allow log on locally permission (SeInteractiveLogonRight)

In a low-privileged scenario, the Configuration Manager 2007 Management Pack requires that the account used for the Agent Action Account have additional rights and permissions. The following table details the access rights that must be configured manually.

Access Types Required By the Configuration Manager 2007 Management Pack

| Resource | Access Type | Instructions |
|---|---|---|
| Windows Event Log | Read | The Action Account must be given the Manage auditing and security log privilege using Local or Global Policy. |
| SMS registry keys | Read | HKLM\Software\Microsoft\SMS. Add the Action Account to the registry properties and provide read access that is inherited by all subkeys. |
| Win32 Services registry keys | Read | HKLM\System\CurrentControlSet\Services. Add the Action Account to the local users group. |
| Script generated temp files | Read and Write | The path specified by the TMP variable for the Action Agent. For Local System this is %Windir%\Temp. Add the Action Account to the local users group. |
| SMS log files | Read | <ConfigMgrInstallFolder>\Logs. Add the Action Account to the folder properties. |
| WMI namespaces | Read | root and root\cimv2. No action should be required. |
| SMS WMI namespaces | Read | No action should be required. |
| SMS WMI classes | Read | SMS_Site, SMS_R_System, SMS_SiteControlFile, SMS_ProviderLocation, SMS_SCI_SiteDefinition, SMS_SystemResourceList, SMS_SiteSystemSummarizer. Add the Action Account to the class for all instances. |
| Security login rights to the default instance | Grant access | For the default instance on a managed SQL Server computer, the Action Account must be given Grant access rights for security logins. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Security\Logins. |
| Access to the Master database on the default instance (required to identify the SMS Site database) | Permit | For the default instance on a managed SQL Server computer, the Action Account must be given permit access to the Master database. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Databases\Master\Users. Keep all default permissions associated with this new user. |
| Access to the SMS Site database on the default instance | Permit | For the default instance on a managed SQL Server computer, the Action Account must be given permit access to the SMS Site database. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Databases\<SMS site>\Users. Keep all default permissions associated with this new user. |
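The audit script below is an added example, not part of the original guide. It checks, for a low-privileged Action Account, the three user rights listed earlier and the direct read grants on the SMS registry key and log folder from the table. The `$ActionAccount` parameter and the `Test-DirectAllow` helper are hypothetical names introduced here, and the log folder is located through the SMS_INSTALL_DIR_PATH variable described above.

```powershell
param(
    # Agent Action Account to audit, e.g. DOMAIN\account (operator supplied).
    [Parameter(Mandatory = $true)][string]$ActionAccount
)

# Resolve the account to its SID so comparisons do not depend on name formatting.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate($sidType).Value

# True when an Allow ACE that names the account directly grants every bit in $Mask.
# Access obtained only through group membership is not reported by this check.
function Test-DirectAllow($Path, [string]$RightsProperty, [int]$Mask) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $sid -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.$RightsProperty -band $Mask) -eq $Mask)) { return $true }
    }
    return $false
}

# Export the effective user rights assignment (requires an elevated session).
$inf = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf

$report = @()
foreach ($right in 'SeSecurityPrivilege', 'SeAuditPrivilege', 'SeInteractiveLogonRight') {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    # Entries are comma-separated; SIDs are written with a leading asterisk.
    if ($line) { $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } }
    $report += "{0,-40} {1}" -f "User right $right", ($holders -contains "*$sid")
}

$readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$readFile = [int][System.Security.AccessControl.FileSystemRights]::Read
$regOk = Test-DirectAllow 'HKLM:\SOFTWARE\Microsoft\SMS' 'RegistryRights' $readKey
$report += "{0,-40} {1}" -f 'Read on HKLM\Software\Microsoft\SMS', $regOk
if ($env:SMS_INSTALL_DIR_PATH) {
    $logs = Join-Path $env:SMS_INSTALL_DIR_PATH 'Logs'
    $report += "{0,-40} {1}" -f 'Read on SMS log folder', (Test-DirectAllow $logs 'FileSystemRights' $readFile)
}
$report
```

A result of False for a user right means the account is not named directly in the policy; it may still hold the right through a group, which needs a separate membership check.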
