SCOM Agent & RunAs Account Issue
Hi, I'm installing a production environment and I have an Internet Explorer 8 issue: some PCs at any moment start browsing the web with the SCOM Management Server account, which is blocked by Websense, instead of the user's account. In the client logs I see the Health Service is logging on to the server with the RunAs account in order to retrieve updated configuration. I thought somehow (maybe because of the Health Service secondary logon) Internet Explorer tries to use that account instead of the user's account to navigate. If I take a look in Task Manager, the iexplorer process shows as running as the user's account, but the Websense blocking page says the contrary. After restarting the PC the user can navigate normally. Is there any way the Health Service leads to this problem? Why does the Health Service need to log on to the server with Management Server account credentials? Is there any way to change the Health Service to access the server with local credentials? The client SCOM Agent is installed and running with a local account. Thanks for your help. Joffre
August 26th, 2010 11:59pm

I'm trying to understand your issue here. Sounds like you're saying that for no good reason, suddenly IE will launch under the Management Server Action Account on any given computer with an agent installed? This is not right. There must be something else at play here. For one, the Management Server Action Account should not even be delivered to agents. This is a "special" account that should only be running on Management Servers. And it usually isn't even configured to run many workflows. And I'm not aware of any workflows whatsoever that require IE to be launched. I'd open up a case with Premier Support and have someone take a closer look at your environment. This sounds like a potentially serious problem. HTH, Jonathan Almquist - MSFT
September 2nd, 2010 3:01am

Websense doesn't detect IE, it just detects HTTP traffic. My guess would be to check the web templates in the Authoring tab. Rob Korving http://jama00.wordpress.com/
September 2nd, 2010 5:30am

Hello Joffre YC, are you ok with the responses here (thanks Jonathan)? Just wanted to make sure you are ok since this was flagged as escalated (thanks Yog). Regards, Justin. This posting is provided "AS IS" with no warranties, and confers no rights. Use of attachments are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
September 18th, 2010 12:43am

Thanks everybody for your answers, and sorry for my delay. I am very concerned about this issue. As additional information, I realized the Operations Manager event log says at any time that "it is validating action accounts", and I can see it refers to the management server action account, which is a domain admin one. As a temporary solution I made a rule for Websense to admit that account. I emphasize it is only used for SCOM, and there is no other product or software on the client PC that could reference it instead of the SCOM Agent. Thanks again for your help.
September 20th, 2010 2:42am

The events I found on any client PC are the following:

  Tipo de suceso: Ninguno
  Origen del suceso: HealthService
  Categoría del suceso: Health Service
  Id. suceso: 7026
  Fecha: 22/09/2010
  Hora: 8:54:46
  Usuario: No disponible
  Equipo: XXXXX
  Descripción: The Health Service successfully logged on the RunAs account Domain\account for management group XXXXX

  Tipo de suceso: Ninguno
  Origen del suceso: HealthService
  Categoría del suceso: Health Service
  Id. suceso: 7023
  Fecha: 22/09/2010
  Hora: 8:54:46
  Usuario: No disponible
  Equipo: XXXXX
  Descripción: The Health Service has downloaded secure configuration for management group XXXXX successfully.

  Tipo de suceso: Ninguno
  Origen del suceso: HealthService
  Categoría del suceso: Health Service
  Id. suceso: 7025
  Fecha: 22/09/2010
  Hora: 8:54:46
  Usuario: No disponible
  Equipo: XXXXX
  Descripción: The Health Service has authorized all configured RunAs accounts to execute for management group XXXXX.

  Tipo de suceso: Ninguno
  Origen del suceso: HealthService
  Categoría del suceso: Health Service
  Id. suceso: 7024
  Fecha: 22/09/2010
  Hora: 8:54:46
  Usuario: No disponible
  Equipo: XXXXX
  Descripción: The Health Service successfully logged on all accounts for management group XXXXX

  Tipo de suceso: Ninguno
  Origen del suceso: HealthService
  Categoría del suceso: Health Service
  Id. suceso: 7028
  Fecha: 22/09/2010
  Hora: 8:54:46
  Usuario: No disponible
  Equipo: XXXXX
  Descripción: All RunAs accounts for management group XXXXX have the correct logon type.

Thanks,
September 22nd, 2010 5:57pm

These are all normal events, but it sounds like you're using your MSAA as an action account somewhere. Check all your Run As Profiles, and see which computers have the MSAA associated to it. That is where you should find the answers you're looking for. HTH, Jonathan Almquist - MSFT
September 25th, 2010 7:49pm

That's right, I found one Run As profile using that account. Also, the account is configured as "Less Secure", which means it will be distributed to all managed computers; it wasn't configured that way for any special purpose. Now that I have configured the account as "More Secure", the issue is solved. I am a bit confused about what RunAs account distribution is used for.
October 12th, 2010 5:10am
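
An added example, not part of the thread or of SCOM itself: a PowerShell check that reads Health Service event 7026 records (the RunAs logon event quoted above) and flags agents where an account meant only for management servers was logged on. The function name, the -PrivilegedAccount parameter, and the computer, account and management group names are assumptions made for illustration.

```powershell
# Added example: list the Run As accounts an agent's Health Service logged on
# (event 7026) and flag any that should exist only on management servers.
function Get-AgentRunAsLogon {
    param(
        # Objects with Id, MachineName, TimeCreated and Message, as Get-WinEvent returns
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Record,
        # Hypothetical parameter: accounts that must never be distributed to agents
        [string[]]$PrivilegedAccount = @()
    )
    begin {
        # Wording of event 7026 as quoted in the thread
        $pattern = 'logged on the RunAs account (?<acct>.+?) for management group (?<mg>.+?)\.?\s*$'
    }
    process {
        # Skip other event IDs and 7026 records whose text does not match
        if ($Record.Id -ne 7026 -or $Record.Message -notmatch $pattern) { return }
        [pscustomobject]@{
            Computer        = $Record.MachineName
            Time            = $Record.TimeCreated
            Account         = $Matches['acct']
            ManagementGroup = $Matches['mg']
            # -contains compares strings case-insensitively
            Unexpected      = $PrivilegedAccount -contains $Matches['acct']
        }
    }
}

# Constructed sample records (placeholder names, not taken from the thread)
$text = 'The Health Service successfully logged on the RunAs account {0} for management group MG-EXAMPLE'
$sample = @(
    [pscustomobject]@{ Id = 7026; MachineName = 'PC-001'; TimeCreated = [datetime]'2010-09-22T08:54:46'
                       Message = $text -f 'EXAMPLE\scom-msaa' }
    [pscustomobject]@{ Id = 7026; MachineName = 'PC-002'; TimeCreated = [datetime]'2010-09-22T08:55:10'
                       Message = $text -f 'EXAMPLE\scom-lowpriv' }
    [pscustomobject]@{ Id = 7023; MachineName = 'PC-002'; TimeCreated = [datetime]'2010-09-22T08:55:10'
                       Message = 'The Health Service has downloaded secure configuration for management group MG-EXAMPLE successfully.' }
)

# Only PC-001 is reported: it logged on the account listed as privileged
$sample | Get-AgentRunAsLogon -PrivilegedAccount 'EXAMPLE\scom-msaa' |
    Where-Object { $_.Unexpected }

# Against a live agent, feed it real records instead:
# Get-WinEvent -ComputerName PC-001 -FilterHashtable @{ LogName = 'Operations Manager'; Id = 7026 } |
#     Get-AgentRunAsLogon -PrivilegedAccount 'EXAMPLE\scom-msaa'
```

Any hit means the credential is present on that agent, which is what the "Less Secure" distribution setting described in the thread produces.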

This topic is archived. No further replies will be accepted.
