Microsoft KB Archive/304685

= Description of Security Rights for Microsoft Operations Manager 2000 =

Article ID: 304685

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Operations Manager 2000 Service Pack 1




This article was previously published under Q304685



SUMMARY
This article describes the security rights that are necessary for Microsoft Operations Manager (MOM) 2000.



To Install Agents
Installing agents by using an automatic or "Push" installation requires certain rights and permissions on the local agent:
 * The MOM service account, which Setup defines, is used to install the agent. To install agents, the Agent Manager account must have access to the Microsoft Windows NT Security Event Log, access to administrative shares, and read and write access to the registry for each agent.
 * After the agent is installed, the agent runs under the security context of the local system. This is an important point because scripts are run from the agent under that security context. It is possible to run scripts at the Database-Consolidator-Agent Manager (DCAM) level, and therefore run scripts under the MOM Service Account context.
 * The agent communicates back to the DCAM by means of the Microsoft Windows Sockets API, and there are no security context concerns. Communications are encrypted by default and use the Diffie-Hellman Encryption method to secure communications between the agent and the DCAM.

MOM Server
The MOM Server requires that certain User Rights are granted to the Service account for installation. Those rights are:
 * Log on as a Service.
 * Log on as a Batch Process.
 * Act as Part of the Operating System.
 * Create a Token Object.

In addition, the MOM Service account must be part of the local administrators group on the server.
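One way to check these four rights on a server is to export its user-rights assignments with `secedit /export /areas USER_RIGHTS` and parse the `[Privilege Rights]` section. The following is an added example, not code from the original article or from Microsoft; the account name `momsvc`, its SID, and the export contents are constructed for illustration.

```python
import configparser

# The four user rights listed above, keyed by their Windows constant names.
REQUIRED_RIGHTS = {
    "SeServiceLogonRight": "Log on as a Service",
    "SeBatchLogonRight": "Log on as a Batch Process",
    "SeTcbPrivilege": "Act as Part of the Operating System",
    "SeCreateTokenPrivilege": "Create a Token Object",
}

# Constructed sample of a user-rights export (secedit /export /areas USER_RIGHTS).
# A real export is usually UTF-16; read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = momsvc,*S-1-5-20
SeBatchLogonRight = momsvc
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [holders]}; holders are account names or SIDs without '*'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the case of the Se* constant names
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return {}
    return {name: [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            for name, value in parser.items("Privilege Rights")}

def audit_service_account(inf_text, account_ids):
    """Return (rights the account lacks, {right: other accounts holding it})."""
    ids = {a.lower() for a in account_ids}  # the account's name and SID
    rights = parse_privilege_rights(inf_text)
    missing, other_holders = [], {}
    for const, label in REQUIRED_RIGHTS.items():
        holders = rights.get(const, [])  # a right nobody holds is omitted
        if not any(h.lower() in ids for h in holders):
            missing.append(label)
        others = [h for h in holders if h.lower() not in ids]
        if others:
            other_holders[label] = others
    return missing, other_holders

if __name__ == "__main__":
    ids = ["momsvc", "S-1-5-21-1111111111-2222222222-3333333333-1105"]
    print(audit_service_account(SAMPLE_EXPORT, ids))
```

The second return value lists every other account that holds one of these rights, which makes it easy to review who else can act as part of the operating system or create token objects on the server.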

During installation, the following local groups are created on the MOM Server.
 * OnePointOp ConfgAdms
 * OnePointOp Operators
 * OnePointOp Reporting
 * OnePointOp System
 * OnePointOp Users

These groups are local groups on the MOM Server. If you want to grant users permission to view or work with the MOM Server, you need to add the users from the domain that the users belong to. By using the different groups, you define the level of security permission that the users have:
 * OnePointOp ConfgAdms are able to configure the MOM Server and apply changes to the Global Settings.
 * OnePointOp Operators are able to monitor events and alerts and to resolve them.
 * OnePointOp Reporting gives users access to the reporting tool.
 * OnePointOp System is the system level group membership.
 * OnePointOp Users gives users a basic connection to the MOM Server and should be granted to all users that access the MOM Server.

Web Console
Web Console access requires OnePointOp Users group membership to view and resolve alerts.

NOTE: There is no instance-level security within the console, such as there is in Microsoft Systems Management Server 2.0, but you can restrict users to viewing and resolving events and alerts, as well as prevent the users from changing the MOM configuration.

Keywords: kbenv kbinfo KB304685



© Microsoft Corporation. All rights reserved.