
SCOM 2019 Security Account Matrix

Below you will find a security account matrix for SCOM 2019, that includes all the common service and security accounts in SCOM, and their default or recommended permissions.  This includes the management servers, the database servers, SQL Role permissions, and database mappings.  You can use this to correct deployments where permissions got modified incorrectly, or to verify that a least privileged model is being used.

Download:  https://kevinholman.com/files/SCOM2019_Security_Matrix.xls
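The matrix covers SQL role membership and database mappings per account; the T-SQL below is an added example (not part of the original post or the downloadable matrix) that dumps, for each SCOM database, the server login, the mapped database user and the database roles it holds, so the output can be compared row by row against the matrix. It assumes the default database names OperationsManager and OperationsManagerDW; change the list if the instance uses other names.

```sql
-- Added example, not from the original post: audit login -> database user -> role
-- for the SCOM databases. Assumption: default database names; msdb is included
-- because SCOM accounts are mapped into it too. Run on the SCOM SQL instance with
-- a login that can read the metadata of these databases.
SET NOCOUNT ON;
CREATE TABLE #scom_db_roles (
    database_name sysname,
    server_login  nvarchar(128) NULL,   -- NULL means an orphaned database user
    database_user sysname,
    database_role sysname NULL          -- NULL means mapped but holding no role
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'OperationsManager', N'OperationsManagerDW', N'msdb');
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Switch context per database; the temp table from the outer batch stays visible.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    INSERT INTO #scom_db_roles (database_name, server_login, database_user, database_role)
    SELECT DB_NAME(), sp.name, dp.name, r.name
    FROM sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
    LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
    LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    WHERE dp.type IN (''S'', ''U'', ''G'')   -- SQL user, Windows user, Windows group
      AND dp.name NOT IN (''dbo'', ''guest'', ''INFORMATION_SCHEMA'', ''sys'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- One row per (database, user, role). Compare against the matrix: extra roles,
-- missing roles and orphaned users are the cases the post says need correcting.
SELECT database_name, server_login, database_user,
       ISNULL(database_role, N'(no role)') AS database_role
FROM #scom_db_roles
ORDER BY database_name, database_user, database_role;
DROP TABLE #scom_db_roles;
```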

Example: [screenshot of the security account matrix]

This matrix is for SCOM 2019.  For SCOM 2016, please see:  https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/


8 Comments

    • Kevin Holman

      No. The SCOM 2016 link is provided above. 1807 should really not be in use anymore, as it was semi-annual channel and expired… but I’d probably just use the 2016 permissions example for that.

  1. Brian Wright

    I don’t think this is entirely accurate; it appears that the MS action account’s permissions on the MS also need to be applied to gateway servers from which you point the targets before discovery (as well as having ‘verify computers can be contacted’ checked). At least that’s the only way I’ve been able to push to servers in different forests than where my SCOM infrastructure is.

  2. David Kim

    For SCOM 2019, just confirming: in the matrix, does the “DAS account (sdk/config)” account refer to the System Center Configuration Service and System Center Data Access Service? Also, for the SQL database mappings, what does MSDB stand for? Is this created by default during the install of SCOM 2019, and what kind of information does this database store? Is this a type of system database in SCOM SQL? Do you happen to know the permission changes on the Gateway Server?

  3. David Kim

    For the SCOM 2019 management console (Administration > Run As Configuration), “run as profiles” and “run as accounts”: is a run as profile designed to provide permissions to MPs (management packs) when created, and do the run as accounts provide the permissions that run as profiles require? Is all this required for providing the MPs permissions to apply rules within SCOM and its targets? What kind of permissions are required for the Agent Action account on the target machines, and is this done using the MP? This is for the Agent to be installed and functioning on the target machine.

  4. David Kim

    Just wanting to clarify my understanding of gMSA for use with SCOM 2019, if one were to create gMSAs (group managed service accounts). When creating gMSAs, do we just install with individual accounts and then replace those with a gMSA that has similar permissions and meets the permission requirements? When replacing the original account with a gMSA account, how are permissions determined for the gMSA? Is the gMSA object in AD provided with the appropriate permissions here? Is the password (password = KDS root key, which exists in the root domain) for the gMSA (in a child domain) created automatically during its creation, and does it change at a specified time interval? If gMSAs were to be created for SCOM 2019, would the following make sense based upon the SCOM 2019 matrix above:
    gMSASQL – all SQL servers given admin permission by adding it to their local users group. SQL DBs (Ops DB, DataWare DB, Reports DB) use the above matrix permissions set on the SQL instance/database. What information does MSDB store, and is it created automatically during SQL installation (just confirming)?
    gMSAManagementServers – this account is in the local users group on all Management Servers. At the AD object level, the gMSAManagementServers permission is log on as a service.
    gMSA_DASAccount(SDK_Config) – accounts (System Center Configuration Service and System Center Data Access Service) are added to the local users group on all Management Servers. gMSA_DASAccount(SDK_Config) at the AD object level is provided with log on as a service.
    gMSAManagementServeActionAccount – this account is in the local users group for all Management Servers. Log on as a service is configured on its AD object gMSAManagementServeActionAccount.
    gMSASCOMInstallAccount – this user account used for the install of SCOM should be in the local admin group of all SCOM servers, including the SQL server. This gMSA would stay enabled until we installed a Gateway server at a later time; then this gMSA would be disabled in AD. Do you recommend keeping this gMSA enabled instead of disabling it after the SCOM installation is completed?
