Gordon
2005-01-13 01:49:03 UTC
For those who are interested, I found some great info on this query that
answered my question on Jimbos Weblog:
http://weblogs.asp.net/james_morey/archive/2005/01/09/349619.aspx
Which Level of Privilege To Use
When two or more MPs require different levels of privilege, you must use the
higher/highest level for the Action Account. The reason is that there is only
one Action Account context per computer and you cannot have more than one.
The lower-level MPs will work just fine under the higher-level privileges. In
fact, no MP that ships with MOM 2005 actually “requires” lower-level privilege
to run, but some of them can run at lower levels. If you run the Action
Account at the lower level, the rules that require higher-level privileges
will fail.
For information about the least-privilege required by the Action Account,
see the MOM 2005 Security Guide –
(http://www.microsoft.com/technet/prodtechnol/mom/mom2005/secguide7.mspx#EEAA)
and for more information about what level of permissions the MP might
require, see the appropriate Management Pack Guide –
(http://www.microsoft.com/mom/techinfo/productdoc/default.mspx#EAAA).
Hi Folks,
I am trying to set up the Management Server Action Account as a low
privileged account by making it a domain user and giving it the following:
• Member of the local Users group
• Member of the local “Performance Monitor Users” group
• “Manage auditing and security log” permission (SeSecurityPrivilege)
• “Allow log on locally” permission (SeInteractiveLogonRight)
I have 200 servers, and obviously do not want to visit each machine so I am
trying to set up a group policy to populate these rights on each server, now
I have a couple of issues with this, firstly, I can easily set up the User
rights assignment but how can I populate the local groups, I believe with
group policy the only way to populate a local group is using "restricted
groups" but if I understand correctly this only affects the local
administrators group, so how do I get the action account in the “Performance
Monitor Users” for example?
Also, how do the local group permissions apply against a domain controller
which has no local groups?
Any ideas greatly appreciated.
Gordon
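A read-only check for the two user rights listed in the question above, added here as an example and not part of the original thread. It parses a `secedit /export` user-rights file; the function names, the file path, the SID and the sample export are constructed, and only direct grants to the account SID are detected (rights inherited through a group are not resolved).

```powershell
# Added example; the SID and export lines below are constructed sample data.
# On a live server, produce the input with (example path):
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $lines = Get-Content C:\Temp\rights.inf
function Get-PrivilegeRights {
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs carry a leading '*'
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-ActionAccountRights {
    param([string[]]$InfLines, [string]$AccountSid)
    # The two user rights named in the question for the Action Account
    $required = 'SeSecurityPrivilege', 'SeInteractiveLogonRight'
    $rights = Get-PrivilegeRights -InfLines $InfLines
    foreach ($name in $required) {
        [pscustomobject]@{
            Right   = $name
            Granted = @($rights[$name]) -contains $AccountSid
        }
    }
}

$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    "SeSecurityPrivilege = *S-1-5-32-544,*$sid",
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551',
    '[Version]',
    'signature="$CHICAGO$"'
)
Test-ActionAccountRights -InfLines $sample -AccountSid $sid | Format-Table -AutoSize
```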