Install SCOM-Agent on a Domain Controller - Low Privilege

Markus König 50 Reputation points
2024-02-06T12:28:38.0866667+00:00

I'm currently trying to install the SCOM agent on a domain controller. However, the agent should not run as a local system, but with a separate Windows domain account.
I have already set the account to the Allow List with the HSLockdown Tool and deleted all other authorizations.
The ADDS Management Pack documentation describes the steps I need to take to give the account the required rights. But how do I do this on a domain controller?

Docu: On Windows Server, the Action Account must have the following minimum privileges applied via group policy:
• Member of the Local Users Group
• Member of the Local Performance Monitor Users group
• Manage auditing and security log privilege (SeSecurityPrivilege)
• Generate security audits privilege (SeAuditPrivilege)
• Allow log on locally logon right (SeInteractiveLogonRight)

The following security changes can be made via Group Policy or done manually on each Domain Controller you wish to monitor.
• Read Access to registry keys (See the Access Types Required by the Active Directory Management Pack chart)
• Read Access to ntds.dit file (See the Access Types Required by the Active Directory Management Pack chart)
• Full access to %ProgramFiles%\Microsoft Monitoring Agent\Agent


Accepted answer
  1. Marius Ene 335 Reputation points
    2024-02-06T13:49:44.4833333+00:00

    Hey Markus, The first part you probably need to do on a domain controller also. Although there is no Local Users group on a Domain Controller, there is a Domain Users group (the account is a member by default) and also a Performance Monitor Users group. As for the privileges, you could create a new GPO that assigns the necessary privileges. All 3 are located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Since this GPO should be assigned to your Domain Controllers OU, be very careful about what you are changing and ensure you are fully aware of what you are doing. Ask for support from the AD team if available. Please test this in your test environment, don't configure it directly in Production. Then grant Read permissions on the Registry Keys mentioned in the guide and on the folders containing the NTDS.dit and logs. Then add it to the Event Log Readers in the domain. Ensure you are aware of the note:

    *Note:* To monitor trusts the Action Account must be a member of either the Domain Admins group or the Administrators group in the domain in which trusts are monitored. If the Action Account is not a member of either of these groups you will continue to receive a failure message until you disable the following rule: Disable rule: Microsoft Windows Active Directory\Active Directory Monitor Trusts\Script-AD Monitor Trusts.

    So you either disable that monitor, or add it to the Administrators group in the domain, which I think is not something that you would be keen on, given that you are looking to restrict the permissions. Plus, if it's a member of the Administrators domain security group, I don't see the point of all the previous configurations for a "low privileged" account. Good luck! Marius ENE - https://mariusene.com/

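One way to check the accepted answer's checklist before and after the GPO is applied, as an added example that is not part of this thread or of the Management Pack: a PowerShell audit script run elevated on the DC. It assumes the ActiveDirectory module is present (it is on DCs), that the account name CONTOSO\svc-scom-action is a placeholder to replace, and that NTDS\Parameters is used only as a stand-in for the registry keys the MP chart actually lists.

```powershell
# Added audit script (not from the Q&A thread): reports whether the SCOM action
# account already holds each right from the ADDS MP checklist on this DC.
# Run elevated on the DC; needs the ActiveDirectory module (present on DCs).
param([string]$Account = 'CONTOSO\svc-scom-action')   # placeholder name, change it

$findings = @()
function Add-Finding([string]$Check, [bool]$Ok) {
    $script:findings += [pscustomobject]@{ Check = $Check; OK = $Ok }
}

# 1. Group membership: on a DC the domain groups stand in for the local ones
$sam = $Account.Split('\')[-1]
foreach ($g in 'Performance Monitor Users', 'Event Log Readers') {
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    Add-Finding "Member of $g" ($members -contains $sam)
}

# 2. User rights: export the effective policy with secedit and look for the account SID
#    (only a direct assignment is detected; a right granted via a group is not resolved)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
         [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
foreach ($right in 'SeSecurityPrivilege', 'SeAuditPrivilege', 'SeInteractiveLogonRight') {
    $line = ($policy | Where-Object { $_ -like "$right *" }) -join ''
    Add-Finding "Has $right" ($line -match [regex]::Escape($sid))
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. File and registry ACLs: true when an Allow ACE for the account covers all of $Rights
function Test-Allowed([string]$Path, $Rights, [string]$RightsProperty) {
    [bool]((Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account -and
        ($_.$RightsProperty -band $Rights) -eq $Rights })
}
$fsRights = [System.Security.AccessControl.FileSystemRights]
$ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # records where ntds.dit lives
$ditDir   = Split-Path (Get-ItemProperty $ntdsKey).'DSA Database file'
Add-Finding "Read on $ditDir" (Test-Allowed $ditDir $fsRights::ReadAndExecute 'FileSystemRights')
$agentDir = Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent'
Add-Finding "FullControl on $agentDir" (Test-Allowed $agentDir $fsRights::FullControl 'FileSystemRights')
# Registry read check shown on one key; substitute the keys from the MP's access-types chart
Add-Finding "ReadKey on $ntdsKey" (Test-Allowed $ntdsKey ([System.Security.AccessControl.RegistryRights]::ReadKey) 'RegistryRights')

$findings | Format-Table -AutoSize
```

A row with OK = False is a right still to grant via the GPO or ACL step the answer describes; a False after everything is applied usually means the right arrived through a group the script does not expand.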

2 additional answers

  1. Markus König 50 Reputation points
    2024-02-06T17:02:52.2233333+00:00

    Hi Marius, Thank you very much for your quick reply. I have tested this in the test environment and it seems to work.
    However, I haven't yet assigned local log on rights to the account. Is this really necessary on the domain controller? And I still get an error message. Could this have something to do with the missing log-on right?

    Error when calling up the service status
    Service: NTDS
    Error: 0x80070005
    Details: Access is denied.
    At least one workflow is affected.
    Workflow name: Microsoft.Windows.Server.2016.AD.AvailabilityEssentialService.NTDS.ServiceCheck
    Instance name: IDC1
    Instance ID: {0B2D...}
    Management group: SCOM_P


  2. Markus König 50 Reputation points
    2024-02-06T17:54:31.17+00:00

    I granted the agent the permissions for the local system account as a test (using the HSLockdown tool). Suddenly some other error messages also disappeared.

    So it's more like detective work to find out which management packs require which authorization and how best to grant them.

    Well, that will probably take some time...

    Thanks again for your help!! :)
