SCOM 2007 R2 Should Function Normally after disabling hidden shares on client computers for domain/enterprise administrators
Hi, I have been trying to solve the below mentioned problem and have made little progress so far. I have not solved the problem. Can somebody please tell me if I am heading in the right direction? Or if somebody knows the way to do it or knows the right sources to refer to, please guide me.

PROBLEM STATEMENT AND SOLUTION:
_______________________________

Problem Statement: Currently, the administrators in our company connect to client computers using their hidden shares. This compromises security. Especially, the top management don't want any administrator to just access any hidden/default shares on their computers and thus see their files/folders. However, now a new problem arises, that is: SCOM 2007 R2 will not be able to access the client computers to collect the monitoring data. I need to figure out all the management packs, if any, and their RUN AS PROFILES & ACCOUNTS. SCOM 2007 R2 uses several accounts to collect such data. Details of these accounts (opsmgr2007_security.doc) can be found in the source mentioned in this research:

Solution: So far I think I should approach the problem in the following way: I need to first find that the MonitoringHost.exe process that is running on client computers on behalf of SCOM 2007 R2, as RUN AS ACCOUNT, that collects all this monitoring data for SCOM, uses a separate/unique "run as" account other than the administrator's, and it should be present on all client computers. This account's password should only be known to one guy so that other IT admins can't use this account to enter client computers and access hidden shares. This unique run as account should be studied and experimented with well before deployment, as maybe some changes are required in AD, SCOM, or SQL (the database SCOM uses) etc.

HIDDEN SHARES SOLUTION USING AD and GPO:
________________________________________

This can easily be done by adding or changing a key (if it does not exist) in this location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

The key that needs to be added will be named AutoShareWks and its value should be set to "0" (Decimal). This can be achieved using GPO or ADM files in at least two ways:

1. This key can be applied to all client computers in the domain by creating a custom unique GPO .ADM file and linking it with the Client Computers OU.
2. Create a unique custom group policy and apply it to all administrator accounts.

SCOM 2007 R2 SOLUTION APPROACH REFERENCES:
__________________________________________

However, now a new problem arises, that is: SCOM 2007 R2 will not be able to access the client computers to collect the monitoring data. I need to figure out all the management packs, if any, and their RUN AS PROFILES & ACCOUNTS. SCOM 2007 R2 uses several accounts to collect such data. Details of these accounts (opsmgr2007_security.doc) can be found in the following sources:

http://www.google.com/url?sa=t&source=web&cd=2&ved=0CBkQFjAB&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F7%2F4%2Fd%2F74deff5e-449f-4a6b-91dd-ffbc117869a2%2Fopsmgr2007_security.doc&rct=j&q=Operations%20Manager%202007%20Security%20Guide&ei=fpQ6TZOXBNT24QaE6O2vCg&usg=AFQjCNHEqrmozojCIyoi1YVKD_C_NxlkUw&sig2=mxlXQCbjXmDV2D8TaTFHdg&cad=rja

Run As Profiles AND Accounts:
_____________________________

SOURCE:
http://technet.microsoft.com/en-us/library/cc974491.aspx
http://technet.microsoft.com/en-us/library/bb735424.aspx
http://technet.microsoft.com/en-us/library/bb735423.aspx
very imp. --> http://technet.microsoft.com/en-us/library/bb735419.aspx

What Is an Action Account?
__________________________

The various Operations Manager 2007 server roles, root management server, management server, gateway server, and agent, all contain a process called MonitoringHost.exe. MonitoringHost.exe is what each server role uses to accomplish monitoring activities, such as executing a monitor or running a task. For example, when an agent subscribes to the event log to read events, it is the MonitoringHost.exe process that runs those activities. The account that a MonitoringHost.exe process runs as is called the action account. The action account for the MonitoringHost.exe process running on an agent is called the agent action account. The action account used by the MonitoringHost.exe process on a management server is called the management server action account. The action account used by the MonitoringHost.exe process on a gateway server is called the gateway server action account.

On computers running Windows Server 2003, Windows Server 2003 R2, and the Windows Vista operating system, the default action account must have the following minimum privileges:

* Member of the local Users group
* Member of the local Performance Monitor Users group
* Allow log-on-locally permission (SetInteractiveLogonRight)

The minimum privileges described above are the lowest privileges that Operations Manager 2007 supports for the action account. Other Run As Accounts can have lower privileges. The actual privileges required for the Run As Accounts depend upon which management packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate management pack guide.

Keep the following points in mind when choosing credentials for the action account:

* A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
* A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.
* Using a domain account requires password updating consistent with your password expiration policies.
* You must stop and then start the System Center Management service if the action account has been configured to use a low-privilege account and the low-privilege account was added to the required groups while the System Center Management service was running.

Managing Action Account Credentials:
____________________________________

For the account you choose, Operations Manager will determine what the password expiration date is and generate an alert 14 days before the account expires. When you change the password in Active Directory, you can change the password for the action account in Operations Manager on the Account tab on the Run As Account Properties page. For more information about managing the action account credentials, see How to Change the Credentials for the Action Account in Operations Manager (http://go.microsoft.com/fwlink/?LinkId=88304).

You can use a Windows PowerShell script, set-ActionAccount.ps1, to set the action account on multiple computers. For more information see the SC Ops Mgr 2007 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=92596). The script allows you to set the action account on all of the computers defined in a computer group. See How to Set the Action Account on Multiple Computers in Operations Manager 2007 in the Security Guide.

Notification Action Account:
____________________________

The Notification Action Account is a Run As Account that is created by the user to configure notifications. This is the action account that is used for creating and sending notifications. Ensure that the credentials you use for this account have sufficient rights for the SMTP server, instant messaging server, or SIP server that you will use for notifications. If you change the password for the credentials you entered for the Notification Action Account, you will need to make the same password changes for the Run As Account.

Problem if our company is running one or more Management Packs:
_______________________________________________________________

A management pack can include one or more Run As profiles. Run As profiles and Run As accounts are used to select users with the privileges needed for running rules, tasks, and monitors. Management pack authors can create a Run As profile and associate the profile with one or more rules, monitors, tasks, or discoveries. The named Run As profile is imported along with the management pack into Operations Manager 2007. The Operations Manager 2007 administrator then creates a named Run As account and specifies users and groups. The administrator adds the Run As account to the Run As profile and specifies the target computers that the account should run on. The Run As account provides the credentials for running the rules, monitors, tasks, and discoveries that are associated with the Run As profile to which the Run As account belongs.

Please help me figure out the solution. Thanks,
January 23rd, 2011 10:28am
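The thread never says how to verify on an endpoint whether the share change took effect or which account the agent actually runs as, so here is an added PowerShell check (not from the thread, Microsoft, or the Security Guide) that reports the LanmanServer AutoShare* values, the administrative shares still being served, and the owner of each MonitoringHost.exe process. It assumes Windows PowerShell 3.0 to 5.1 (for [pscustomobject] and Get-WmiObject) and the registry location quoted in the post.

```powershell
# Added audit script (not from this thread). Run it locally on a monitored
# computer, e.g. from a GPO startup script or via Invoke-Command.
# Assumptions: Windows PowerShell 3.0-5.1; registry path and AutoShareWks value
# as named in the post above. AutoShareServer is the server-SKU counterpart.

function Get-AutoShareSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $value = $params.$name          # $null when the value has never been set
        $shown = $value
        if ($null -eq $value) { $shown = '(not set, default = shares created)' }
        [pscustomobject]@{
            Name     = $name
            Value    = $shown
            Disabled = ($value -eq 0)   # only 0 (Decimal) disables auto-creation
        }
    }
}

function Get-AdminShare {
    # In Win32_Share the high bit of Type (0x80000000 = 2147483648) marks an
    # auto-created administrative share (C$, ADMIN$, IPC$). Anything listed here
    # is still reachable by a remote admin, whatever the registry now says.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

function Get-MonitoringHostOwner {
    # Each MonitoringHost.exe runs under the action account or, for workflows
    # bound to a Run As profile, under that profile's Run As account.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'MonitoringHost.exe'" |
        ForEach-Object {
            $owner = $_.GetOwner()
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Account   = '{0}\{1}' -f $owner.Domain, $owner.User
            }
        }
}

'--- LanmanServer AutoShare values ---'
Get-AutoShareSetting | Format-Table Name, Value, Disabled -AutoSize
'--- Administrative shares currently served ---'
Get-AdminShare | Format-Table -AutoSize
'--- MonitoringHost.exe owners (action / Run As accounts in use) ---'
Get-MonitoringHostOwner | Format-Table -AutoSize
```

Setting AutoShareWks to 0 only stops the Server service from recreating the shares at its next start, so the share listing, not the registry value, is the ground truth until the service (or machine) has been restarted. IPC$ is not governed by AutoShareWks and will still appear.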

Your issue is not entirely clear from this description. When you say "SCOM will not be able to access computers and monitoring data", are you talking about the OpsMgr agent installed locally on the computer, or are you talking about agentless exception monitoring?

Pete Zerger, MVP-OpsMgr and SCE | http://www.systemcentercentral.com
May 1st, 2011 5:51pm

We also just had a thread last week about somebody wanting to disable the c$ shares on clients (referring to monitored machines/servers). Thus far there was nobody who could think of a directly stopping issue with that, except for pushing agents from the console perhaps. If you are running the SCOM agent on every monitored machine you will find that most monitoring can be done by the default LocalSystem and only a number of things might need Run As accounts (like domain controllers and sometimes SQL and a few more). You can assign a separate service account for that purpose. But I think you are referring to clients (as in desktops), because you mention people not wanting the domain admins to be able to see files on their local machines?

Bob Cornelissen - BICTT (My BICTT Blog)
May 2nd, 2011 1:25am
