SCOM 2007 R2 - SharePoint 2010 - Run As account's permissions
Hello,

We are trying to discover the SharePoint farm and servers in SCOM 2007 R2. We have deployed the agents, installed the MPs, edited the .Config, etc. We have read a lot of related posts, including:

http://blogs.technet.com/b/operationsmgr/archive/2011/03/10/tips-on-using-the-sharepoint-2010-management-pack-for-opsmgr-2007.aspx
http://blogs.technet.com/b/meamcs/archive/2011/09/15/configuring-microsoft-sharepoint-2010-management-pack-for-system-center-operations-manager-2007.aspx

The summary is:

=====
First off, the initial discovery appears to need the FarmAdmin installation account in order to discover more than one SharePoint Farm. The following permissions are needed to get this working correctly:
- local admin on all SP2010 Front End and Application servers
- local admin on all SQL boxes that host SharePoint 2010 Databases
- dbo for the actual SharePoint databases
- full farm admin rights within SharePoint 2010
=====
Note: the Run As account must have sufficient privilege to allow discovery and monitoring to run. We recommend using the account which is a member of the Farm Administrator SharePoint group and is a member of the Administrators group on the database server hosting the SharePoint farm databases and access to all SharePoint databases. Usually the account used to run SharePoint 2010 Product Configuration Wizard has the required privileges.
=====

We are getting the 7002 event: "The Health Service could not log on the RunAs account ... because it has not been granted the 'Log On Locally' right."

We could create an account granting all the above permissions so it worked fine, but it seems too much. So we have some questions that maybe you could kindly answer if you have already fought against these issues :-)

1. Are these permissions just needed for the discovery or are they also needed for the daily monitoring run? (I mean, maybe we could grant all the permissions for the discovery and leave the account with minimum permissions for running.)
2. Why does it need the "Log On Locally" right?
3. Why does it need farm admin and dbo rights? Couldn't it work with fewer permissions? What does it do with them?

We are encouraged to grant the very least permissions needed.

Thank you in advance. Best regards.
August 13th, 2012 6:31am

Hello Juan,

Actually, in most MPs the "log on locally" permission is required for both discovery and monitoring. I think you will need to keep granting this permission for the RunAs account. For further information, you can refer to the OpsMgr Security guide, which has links for reading online or downloading it, at http://technet.microsoft.com/en-us/opsmgr/bb498235.aspx.

Thanks,
Yog Li
TechNet Community Support
August 14th, 2012 6:30am

Thank you, Yog. You seem to be right and I think we'll have to grant the "log on locally" right. Do you know anything about farm and dbo rights?

Thank you in advance. Best regards.
August 14th, 2012 6:49am

Your research is correct, all of those permissions as well as 'log on locally' are necessary to discover and monitor the farm(s). I've had many customers question the need for log on locally permissions for the SharePoint MP (as well as a number of others). I have yet to find a SharePoint admin that doesn't strongly oppose granting this level of permission just to monitor.

Does anyone have a good explanation of why the SharePoint MP requires such excessive permissions, or why "log on locally" is required in so many cases?

SCCM\SCOM Aficionado
August 14th, 2012 1:37pm
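
Added example, not part of any post in this thread and not code from the SharePoint MP: a PowerShell check, run elevated on each monitored server, of whether a Run As account effectively holds "Allow log on locally" (the right named in event 7002), including grants through groups and any overriding deny. The account UPN is a placeholder, and the script assumes a domain account in a domain that supports Kerberos S4U logon.

```powershell
param(
    # Assumption: placeholder UPN of the Run As account; replace with your own.
    [string]$AccountUpn = 'svc-scom-sp@contoso.example'
)

# Return the SIDs listed for one user right in a secedit USER_RIGHTS export.
function Get-RightHolderSids {
    param([string[]]$PolicyLines, [string]$Right)
    $line = $PolicyLines | Where-Object { $_ -match "^$Right\s*=" } |
        Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)    # secedit prefixes SIDs with '*'
        } else {
            # Some principals are written by name; translate them to a SID.
            (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

# Export only the user-rights section of the effective local security policy.
$cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$allow = @(Get-RightHolderSids $policy 'SeInteractiveLogonRight')
$deny  = @(Get-RightHolderSids $policy 'SeDenyInteractiveLogonRight')

# S4U logon: builds the account's token on this server (user SID plus domain
# and local group SIDs) without needing the account's password.
$identity  = New-Object System.Security.Principal.WindowsIdentity($AccountUpn)
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$viaAllow = @($allow | Where-Object { $tokenSids -contains $_ })
$viaDeny  = @($deny  | Where-Object { $tokenSids -contains $_ })

# A deny entry overrides any allow entry, so both lists matter.
New-Object PSObject -Property @{
    Server          = $env:COMPUTERNAME
    Account         = $AccountUpn
    AllowedViaSids  = $viaAllow -join ', '
    DeniedViaSids   = $viaDeny -join ', '
    CanLogOnLocally = ($viaAllow.Count -gt 0 -and $viaDeny.Count -eq 0)
}
```

`AllowedViaSids` shows which principal actually confers the right; if it is only S-1-5-32-544 (BUILTIN\Administrators), the account has the right solely because it is a local administrator.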

Thank you, Yog.
September 12th, 2012 4:34am

Thank you, Will.
September 12th, 2012 4:34am

This topic is archived. No further replies will be accepted.
