Description of Security Rights for Microsoft Operations Manager 2000 (304685)



The information in this article applies to:

  • Microsoft Operations Manager 2000

This article was previously published under Q304685

SUMMARY

This article describes the security rights that are necessary for Microsoft Operations Manager (MOM) 2000.

MORE INFORMATION

To Install Agents

Installing agents by using an automatic or "Push" installation requires certain rights and permissions on the local agent:
  • The MOM service account, which Setup defines, is used to install the agent. To install agents, the Agent Manager account must have access to the Microsoft Windows NT Security Event Log, access to administrative shares, and read and write access to the registry for each agent.
  • After the agent is installed, the agent runs under the security context of the local system. This is an important point because scripts are run from the agent under that security context. It is possible to run scripts at the Database-Consolidator-Agent Manager (DCAM) level, and therefore run scripts under the MOM Service Account context.
  • The agent communicates back to the DCAM by means of the Microsoft Windows Sockets API, and there are no security context concerns. Communications are encrypted by default and use the Diffie-Hellman Encryption method to secure communications between the agent and the DCAM.

MOM Server

The MOM Server requires that certain User Rights are granted to the Service account for installation. Those rights are:
  • Log on as a Service.
  • Log on as a Batch Process.
  • Act as Part of the Operating System.
  • Create a Token Object.
In addition, the MOM Service account must be part of the local administrators group on the server.
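
One way to audit the four user rights listed above, as an added example that is not part of the original article or of MOM itself: it parses the [Privilege Rights] section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file, reports which of the rights the service account lacks, and lists any other holders of the two token-related rights. The SIDs and the sample export are constructed for illustration.

```python
# Audit a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file (text passed in).

# Right as named in the article -> constant used in the secedit export.
REQUIRED_RIGHTS = {
    "Log on as a Service": "SeServiceLogonRight",
    "Log on as a Batch Process": "SeBatchLogonRight",
    "Act as Part of the Operating System": "SeTcbPrivilege",
    "Create a Token Object": "SeCreateTokenPrivilege",
}
# Token-related rights: any holder other than the service account deserves review.
SENSITIVE = ("SeCreateTokenPrivilege", "SeTcbPrivilege")

# Constructed values: hypothetical SID of the MOM service account and a sample export.
MOM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1107
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {right constant: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            # SIDs carry a leading '*'; account names appear bare.
            rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights


def audit(text, account):
    """Return (rights the account lacks, other holders of the sensitive rights)."""
    rights, acct = parse_privilege_rights(text), account.casefold()
    missing = [label for label, const in REQUIRED_RIGHTS.items()
               if acct not in (h.casefold() for h in rights.get(const, []))]
    others = {c: [h for h in rights.get(c, []) if h.casefold() != acct] for c in SENSITIVE}
    return missing, {c: hs for c, hs in others.items() if hs}


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, MOM_SID))
```

Pass the account in the form it takes in the export (usually a SID); the exported file is typically UTF-16, so decode it before parsing.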

During installation, the following local groups are created on the MOM Server.
  • OnePointOp ConfgAdms
  • OnePointOp Operators
  • OnePointOp Reporting
  • OnePointOp System
  • OnePointOp Users
These groups are local groups on the MOM Server. If you want to grant users permission to view or work with the MOM Server, you need to add the users from the domain that the users belong to. By using the different groups, you define the level of security permission that the users have:
  • OnePointOp ConfgAdms are able to configure the MOM Server and apply changes to the Global Settings.
  • OnePointOp Operators are able to monitor events and alerts and to resolve them.
  • OnePointOp Reporting gives users access to the reporting tool.
  • OnePointOp System is the system level group membership.
  • OnePointOp Users gives users a basic connection to the MOM Server and should be granted to all users that access the MOM Server.

Web Console

Web Console access requires OnePointOp Users group membership to view and resolve alerts.

NOTE: There is no instance-level security within the console, such as that in Microsoft Systems Management Server 2.0, but you can restrict users to viewing and resolving events and alerts, and prevent them from changing the MOM configuration.

Modification Type: Major
Last Reviewed: 6/19/2002
Keywords: kbenv kbinfo KB304685