Accounts Required During Setup
Applies To: System Center Service Manager 2010
You will need to provide credentials for the following accounts during the installation of the Service Manager and data warehouse management servers.
Note
The user and group accounts required for the installation of Service Manager must reside in the Users OU in Active Directory.
Accounts Used During the Installation of a Service Manager Management Server
Account | Permissions | How It Is Used In Service Manager |
---|---|---|
Management group administrators | | |
Service Manager services account | | |
Workflow account | | |
Security Best Practices for Accounts
When assigning Active Directory accounts for use with Service Manager Run As Accounts, it is a best practice to use service accounts. We strongly recommend against using Active Directory user accounts associated with individual people.
For more information about security best practices, download a copy of the Windows Server 2008 Security Guide, which is now part of the Windows Server 2008 Security Compliance Management Toolkit, at https://go.microsoft.com/fwlink/?LinkId=167160 and The Services and Service Accounts Security Planning Guide at https://go.microsoft.com/fwlink/?LinkID=58270.
Accounts Used During the Installation of the Data Warehouse Management Server
Account | Permissions | How It Is Used In Service Manager |
---|---|---|
Management group administrators | | |
Service Manager account | | |
Reporting account | | |
Registering the Service Manager Management Group with Data Warehouse Management Group
As part of the installation process, you will register the Service Manager management group with the data warehouse management group. During this process, you will be prompted to provide credentials. The credentials you provide must be for a domain account. Furthermore, the account must have the following permissions:
Must be a member of the Administrator user role in both the Service Manager and data warehouse management groups.
Must be a member of the users local administrator group on the data warehouse management server.
Accounts Required for Creating Connectors
When creating connectors, you will be asked for credentials that the connector will use to perform its function. The following tables outline the permissions that this account will need and describe best practices for high security.
Operations Manager 2007 Alert Connector
Permissions | Best Practices |
---|---|
|
Domain account specifically created for this purpose that is only in the Users local security group and in an Administrator user role in Operations Manager and in an Advanced Operator user role in Service Manager. |
Operations Manager 2007 CI Connector
Permissions | Best Practices |
---|---|
|
Domain account specifically created for this purpose that is only in the Users local security group and in an Operator user role in Operations Manager and in an Advanced Operator user role in Service Manager. |
Active Directory Connector
Permissions | Best Practices |
---|---|
|
Domain account specifically created for this purpose that is only in the Users local security group and in an Advanced Operator user role in Service Manager and has read-only permissions in Active Directory. |
Configuration Manager 2007 Connector
Permissions | Best Practices |
---|---|
|
Domain account specifically created for this purpose that is only in the Users local security group, is a member of the smsdbrole_extract and db_datareader roles on the System Center Configuration Manager database, and is in an Advanced Operator user role in Service Manager. |
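The Best Practices column of the four connector tables can be treated as an allow-list and compared against what a connector account actually holds. The following PowerShell is an added example, not part of the Service Manager documentation or product: it reports memberships that are missing from, or in excess of, that baseline. The scope names (`LocalGroup`, `OpsMgrRole`, `ScsmRole`, `SqlRole`, `AdAccess`), the connector keys, and the account `CONTOSO\svc-scsm-cmconn` are assumptions made for illustration, and the observed memberships are expected to be collected separately from each system.

```powershell
# Added example (not Microsoft code). Baseline transcribed from the
# "Best Practices" column of the connector tables above.
# Scope and connector key names are hypothetical labels chosen for this sketch.
$Baseline = @{
    OpsMgrAlert     = @{ LocalGroup = @('Users'); OpsMgrRole = @('Administrator'); ScsmRole = @('Advanced Operator') }
    OpsMgrCI        = @{ LocalGroup = @('Users'); OpsMgrRole = @('Operator');      ScsmRole = @('Advanced Operator') }
    ActiveDirectory = @{ LocalGroup = @('Users'); ScsmRole = @('Advanced Operator'); AdAccess = @('Read') }
    ConfigMgr       = @{ LocalGroup = @('Users'); ScsmRole = @('Advanced Operator')
                         SqlRole    = @('smsdbrole_extract', 'db_datareader') }
}

function Test-ConnectorAccount {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OpsMgrAlert', 'OpsMgrCI', 'ActiveDirectory', 'ConfigMgr')]
        [string]$Connector,
        # Hashtable of scope name -> memberships actually found for the account.
        [Parameter(Mandatory)]
        [hashtable]$Observed
    )
    $expected = $Baseline[$Connector]
    # Walk every scope named in either the baseline or the observed data, so a
    # privilege in a scope the baseline never mentions is still reported.
    $scopes = @($expected.Keys) + @($Observed.Keys) | Sort-Object -Unique
    foreach ($scope in $scopes) {
        # Where-Object drops the $null produced when a scope is absent.
        $want = @($expected[$scope] | Where-Object { $_ })
        $have = @($Observed[$scope] | Where-Object { $_ })
        foreach ($item in $want) {
            if ($item -notin $have) {
                [pscustomobject]@{ Connector = $Connector; Scope = $scope; Item = $item; Finding = 'Missing' }
            }
        }
        foreach ($item in $have) {
            if ($item -notin $want) {
                [pscustomobject]@{ Connector = $Connector; Scope = $scope; Item = $item; Finding = 'Excess' }
            }
        }
    }
}

# Constructed sample: memberships recorded by hand for the hypothetical
# account CONTOSO\svc-scsm-cmconn used by the Configuration Manager connector.
$sample = @{
    LocalGroup = @('Users', 'Administrators')
    ScsmRole   = @('Advanced Operator')
    SqlRole    = @('db_datareader', 'db_owner')
}
Test-ConnectorAccount -Connector ConfigMgr -Observed $sample | Format-Table -AutoSize
```

An account that matches the baseline produces no output; any `Excess` row is a privilege to remove before the account is used for the connector.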