In Operations Manager 2007, agents use the agent action account as the default set of credentials for running rules, tasks, monitors, and discoveries on the computer on which the agents are installed. In some cases, this account may not have the necessary rights to successfully complete the operation. In this case, the rules, tasks, monitors, and discoveries can be written by the management pack author to use a Run As profile at run time. The Run As profile provides the necessary information to the System Center Management service so that it can successfully run the rule, task, monitor, or discovery.
Run As profiles are defined in management packs by the management pack author. In some cases, the Run As profile is imported into Operations Manager when the management pack that contains it is imported. In other cases, you may need to create it manually. In all cases, Run As profiles must be configured manually. The procedure How to Create and Configure a Run As Profile in Operations Manager 2007 tells you how to manually create and configure a custom Run As profile.
- Run As account – A Run As account consists of three parts. First, a single set of credentials, which is stored in the Operations Manager 2007 operations database. Second, the Run As account has a security classification (either more secure or less secure) for the credentials, which can be used to control how the credentials are distributed for use. Finally, if you elect to treat the credential distribution in a more secure manner, you must configure the mapping of which computers the credentials are to be distributed to.
- Run As profile – A Run As profile is used wherever its parent management pack is active. For example, the SQL Server 2005 management pack contains the SQL Run As profile, so the SQL Run As profile would be active on all servers running SQL Server 2005 that are monitored by the SQL Server 2005 management pack. The Run As profile is an association of one or more Run As accounts and the managed objects that the Run As accounts should be applied to.
Understanding Distribution and Targeting
Run As account distribution and Run As account targeting are two different things, both of which must be correctly configured for the Run As profile to work properly.
When you configure a Run As profile, you select the Run As accounts you want to associate with the Run As profile. When you create that association you can then specify which class, group, or object the Run As account is to be used for running tasks, rules, monitors, and discoveries against.
Distribution is an attribute of a Run As account and in it you can specify which computers will receive the Run As account credentials. You can choose to distribute the Run As account credentials to every agent-managed computer or only to selected computers.
Example of Run As account targeting: Physical computer ABC hosts two instances of Microsoft SQL Server, instance X and instance Y. Each instance uses a different set of credentials for the sa account. You create a Run As account with the sa credentials for instance X, and a different Run As account with the sa credentials for instance Y. When you configure the SQL Server Run As profile, you associate both Run As account credentials for instance X and Y with the profile and specify that the Run As account instance X credentials are to be used for SQL Server instance X and that the Run As account Y credentials are to be used for SQL Server instance Y. Then, you must also configure each set of Run As account credentials to be distributed to physical computer ABC.
Example of Run As account distribution: SQL Server1 and SQL Server2 are two different physical computers. SQL Server1 uses the UserName1 and Password1 set of credentials for the SQL sa account. SQL Server2 uses the UserName2 and Password2 set of credentials for the SQL sa account. The SQL management pack has a single SQL Run As profile that is used for all SQL Servers. You can then define one Run As account for UserName1 set of credentials and another Run As account for the UserName2 set of credentials. Both of these Run As accounts can be associated with the one SQL Server Run As profile and can be configured to be distributed to the appropriate computers. That is, UserName1 is distributed to SQL Server1 and UserName2 is distributed to SQL Server2. Account information sent between the management server and the designated computer is encrypted.
Run As Account Security
Operations Manager 2007 distributes the Run As account credentials either to all agent-managed computers (the less secure option) or only to computers that you specify (the more secure option). If Operations Manager automatically distributed the Run As account according to discovery, a security risk would be introduced into your environment, as illustrated in the following example. This is why an automatic distribution option was not included in Operations Manager.
For example, Operations Manager 2007 identifies a computer as hosting SQL Server 2005 based on the presence of a registry key. It is possible to create that same registry key on a computer that is not actually running an instance of SQL Server 2005. If Operations Manager were to automatically distribute the credentials to all agent-managed computers that have been identified as SQL Server 2005 computers, then the credentials would be sent to the imposter SQL Server, and they would be available to anyone with administrator rights on that server.
When you create a Run As account, you are prompted to choose whether the Run As account should be treated in a Less secure or More secure fashion. More secure means that when you associate the Run As account with a Run As Profile, you have to provide the specific computer names that you want the Run As credentials distributed to. By positively identifying the destination computers, you can prevent the spoofing scenario that was described before. If you choose the less secure option, you will not have to provide any specific computers and the credentials will be distributed to all agent-managed computers.
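The targeting and distribution examples above, and the less secure versus more secure choice described in this section, can be checked together with a small model. The following Python script is an added example and is not part of the original documentation or of any Operations Manager API; the computer names, account names, instance names and the extra "FileServer" agent are constructed for illustration. It answers two questions a defender cares about before the profile goes live: will every targeted object's host actually hold the credential the profile assigns to it (otherwise the rule, task, monitor or discovery fails), and which computers hold a credential without hosting anything targeted to it (the exposure that the more secure option is meant to prevent).

```python
"""Constructed model of Run As account targeting versus distribution.

Targeting is a property of the Run As profile: which account is used for
which managed object.  Distribution is a property of the Run As account:
which agent-managed computers receive the credential.  A workflow only
succeeds when the account targeted at an object has also been distributed
to the computer that hosts the object.
"""
from dataclasses import dataclass, field


@dataclass
class RunAsAccount:
    name: str
    more_secure: bool                 # True: only the listed computers get it
    distributed_to: set = field(default_factory=set)

    def holders(self, all_agents):
        """Computers that end up holding this credential."""
        # Less secure means every agent-managed computer receives it.
        if not self.more_secure:
            return set(all_agents)
        return set(self.distributed_to)


@dataclass
class ManagedObject:
    name: str   # e.g. a SQL Server instance discovered by the management pack
    host: str   # the physical computer on which the object lives


@dataclass
class RunAsProfile:
    name: str
    targets: dict = field(default_factory=dict)   # object name -> account name


def check_profile(profile, accounts, objects, all_agents):
    """Return (failures, exposure).

    failures: list of (object, account, host) where the targeted account was
              never distributed to the host, so the workflow will fail.
    exposure: account -> computers holding the credential although they host
              no object the profile targets with that account.
    """
    objects_by_name = {o.name: o for o in objects}
    needed = {acct_name: set() for acct_name in accounts}
    failures = []
    for obj_name, acct_name in profile.targets.items():
        host = objects_by_name[obj_name].host
        needed[acct_name].add(host)
        if host not in accounts[acct_name].holders(all_agents):
            failures.append((obj_name, acct_name, host))

    exposure = {}
    for acct_name, acct in accounts.items():
        extra = acct.holders(all_agents) - needed[acct_name]
        if extra:
            exposure[acct_name] = extra
    return failures, exposure


# --- constructed sample configuration (not from the original page) --------
ALL_AGENTS = {"ABC", "SQLServer1", "SQLServer2", "FileServer"}

ACCOUNTS = {
    "sa-instance-X": RunAsAccount("sa-instance-X", True, {"ABC"}),
    "sa-instance-Y": RunAsAccount("sa-instance-Y", True, set()),  # distribution forgotten
    "UserName1": RunAsAccount("UserName1", True, {"SQLServer1"}),
    "UserName2": RunAsAccount("UserName2", False),                # less secure: goes everywhere
}

OBJECTS = [
    ManagedObject("SQL instance X", "ABC"),
    ManagedObject("SQL instance Y", "ABC"),
    ManagedObject("SQL on Server1", "SQLServer1"),
    ManagedObject("SQL on Server2", "SQLServer2"),
]

SQL_PROFILE = RunAsProfile("SQL Server Run As Profile", {
    "SQL instance X": "sa-instance-X",
    "SQL instance Y": "sa-instance-Y",
    "SQL on Server1": "UserName1",
    "SQL on Server2": "UserName2",
})


def run_example():
    """Evaluate the constructed profile against the constructed accounts."""
    return check_profile(SQL_PROFILE, ACCOUNTS, OBJECTS, ALL_AGENTS)


if __name__ == "__main__":
    failures, exposure = run_example()
    for obj, acct, host in failures:
        print(f"FAIL: {acct} targets {obj} but is not distributed to {host}")
    for acct, computers in exposure.items():
        print(f"EXPOSED: {acct} is held by {sorted(computers)} without need")
```

In the sample, instance Y's account was targeted but never distributed, so anything the profile runs against instance Y on ABC fails; UserName2 was created as less secure, so the FileServer agent (which hosts no SQL Server at all) holds a SQL sa credential it never needs, which is exactly the situation the registry-key example in this section warns about.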
Note: The credentials you select for the Run As account must have logon-locally rights; otherwise, the module will fail.