How to Give the Agent Service Account the Local Administrator Role on an Exchange 2000 Agent Computer (321997)



The information in this article applies to:

  • Microsoft Operations Manager 2000

This article was previously published under Q321997

SUMMARY

The agent service account is the account under which the OnePoint service runs on a managed Microsoft Exchange 2000 Server computer. To use some of the advanced script functionality of the Exchange 2000 Management Pack, you must make the agent service account a domain account instead of the local computer account. Typically, administrators give the agent service account the Domain Administrator role so that Microsoft Operations Manager (MOM) 2000 has the permissions it needs; the procedure in this article grants the account only local Administrator rights on the managed Exchange 2000 servers instead. For additional information about the scripts that require the agent service account to be a domain account, click the article number below to view the article in the Microsoft Knowledge Base:

322065 Dependencies for Exchange 2000 Management Pack's Functionalities and Scripts

This article describes how to give the agent service account (of the managed Exchange 2000 computer) the Local Administrator role. This is an alternative to Domain Administrator membership, but it requires more administrative overhead. If you give the agent service account the Local Administrator role, Microsoft recommends that you use a Data Access Server/Consolidator-Agent Manager (DCAM) server for the Exchange 2000 computers that is separate from the DCAM server you use for other managed servers (such as the Active Directory servers).

MORE INFORMATION

Typically, Microsoft recommends that you use a separate DCAM server to monitor and administer Exchange 2000 servers from the DCAM server that you use to manage non-Exchange 2000 servers. If you use a separate DCAM server for Exchange 2000 monitoring, you can specify the account under which the agent OnePoint service runs on those Exchange 2000 computers. The other DCAM server can keep the default local computer account for the agent OnePoint service, which may be acceptable for non-Exchange 2000 servers.

NOTE: A Restricted Groups policy enforces the exact membership list that you define: when the policy is applied, any account that was added to the local Administrators group by other means and is not in the list is removed. If you link the policy at the organizational unit level, it may therefore break other programs on those servers that rely on accounts they added to the local Administrators group. Include every account that must remain a local Administrator in the policy. For additional information about restricted groups, click the article number below to view the article in the Microsoft Knowledge Base:

228496 HOW TO: Use Restricted Groups in Windows 2000

To specify the account under which the agent OnePoint service runs on the Exchange 2000 server:
  1. On a member server in the domain, run dsa.msc from a command prompt.
  2. Create an organizational unit to contain all member servers to which you must apply this policy.

    To create an organizational unit, right-click the node that you want to contain the organizational unit, point to New, and then click Organizational Unit.
  3. Expand the container that holds your server objects (for example, Computers), right-click the servers that you want MOM to monitor, click Move, and then select the organizational unit that you created in step 2.
  4. Create a policy setting on the new organizational unit:
    1. Right-click the organizational unit, and then click Properties.
    2. Click the Group Policy tab, click New, and then give this new policy an appropriate name.
    3. Click Edit.
    4. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
    5. Right-click Restricted Groups, click Add Group, and then click Browse.
    6. In the Look in box, click Local Server, click Administrators, and then click OK.
    7. In the right pane, right-click Administrators, and then click Security.
    8. Under Members of this group, click Add.
    9. Locate the following groups, add them, and then click OK:
      • Local Server\Administrator
      • Domain\Domain Admins
      • Domain\Agent Service Account

    10. Close the Group Policy window.
  5. Force replication in a multiple domain controller environment.
  6. Check the membership of the local Administrators group on a member server.

    The agent service account may not be a member yet because the new policy has not been applied.
  7. Run the following command at a command prompt on each member server to force immediate policy setting assignment:

    secedit /refreshpolicy machine_policy /enforce

    NOTE: If you do not perform this step, you must wait until the policy is assigned to each member server from the domain controllers.
  8. Check the Local Administrators group to confirm that the agent service account is a member.
NOTE: This procedure is not supported when the Exchange 2000 server is also a domain controller; a domain controller has no local Administrators group separate from the domain's built-in Administrators group, so the Restricted Groups setting would change domain-wide membership. The Exchange Server Management Pack does not perform MAPI-related monitoring on an Exchange 2000 server that is a domain controller.

After you complete this procedure and the agent service account is a member of the local Administrators group on all servers in the organizational unit, you can remove the agent OnePoint service account from the Domain Admins group. Before you do so, confirm on each managed server that the account is present in the local Administrators group and that the Management Pack scripts you rely on (see article 322065) still run.
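The following script is an added example and is not part of the original article. It automates steps 6 and 8 of the procedure and the final least-privilege check: for each managed server it lists the local Administrators group through the WinNT ADSI provider, confirms that the agent service account is a member, confirms that the OnePoint service runs under that account, and then checks that the account is no longer in Domain Admins. The domain CONTOSO, the account name MOMAgentSvc, the server names, and the service short name OnePoint are assumptions; substitute your own.

```powershell
# Added verification script (not from the original KB article).
# Assumptions: the agent service account is CONTOSO\MOMAgentSvc, the MOM agent
# service short name is OnePoint, and the caller can read local group
# membership and WMI on the target servers.
param(
    [string[]]$Servers = @('EXCH01', 'EXCH02'),  # placeholder server names
    [string]$Domain    = 'CONTOSO',              # placeholder NetBIOS domain
    [string]$Account   = 'MOMAgentSvc'           # placeholder agent account
)

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group = 'Administrators')
    # The WinNT provider returns members as WinNT://DOMAIN/Name ADsPaths;
    # normalise them to DOMAIN\Name so they can be compared as strings.
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    @($grp.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$expected = "$Domain\$Account"

foreach ($srv in $Servers) {
    # Step 8: the agent account must be a local Administrator on every server.
    $members = Get-LocalGroupMembers -Computer $srv
    if ($members -contains $expected) {
        "[OK]   $srv : $expected is in the local Administrators group"
    } else {
        "[FAIL] $srv : $expected is missing; if the policy has not applied yet, run " +
        "'secedit /refreshpolicy machine_policy /enforce' on $srv"
    }

    # The OnePoint service should log on as the domain account, not LocalSystem.
    $svc = Get-WmiObject -ComputerName $srv -Class Win32_Service -Filter "Name='OnePoint'"
    if (-not $svc) {
        "[WARN] $srv : OnePoint service not found"
    } elseif ($svc.StartName -ieq $expected) {
        "[OK]   $srv : OnePoint runs as $($svc.StartName)"
    } else {
        "[WARN] $srv : OnePoint runs as $($svc.StartName); expected $expected"
    }
}

# Least privilege: once the policy has applied everywhere, the agent account
# should no longer be a member of Domain Admins.
$da = [ADSI]"WinNT://$Domain/Domain Admins,group"
$daMembers = @($da.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($daMembers -contains $Account) {
    "[WARN] $Account is still a member of Domain Admins"
} else {
    "[OK]   $Account is not a member of Domain Admins"
}
```

Run it from an administrative workstation after forcing policy refresh; a [FAIL] line on any server means the Restricted Groups policy has not reached that machine, and you should not remove the account from Domain Admins until every server reports [OK].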

Modification Type: Major
Last Reviewed: 8/6/2002
Keywords:kbinfo KB321997