How to create a monitor with a different run as account?

This forum post inspired me to write this blog post. Sometimes, especially when you create script based rules or monitors, you need to ensure the script runs under a specific account. In SCOM there’s something called “Run As” Accounts and “Run As” Profiles. Some management packs require you to setup run as accounts and assign them to run as profiles in order to successfully monitor the application. If you do not set run as accounts, all the workflows (monitors, rules, etc.) run with the default action account.

So you might wonder, if they can do that, can I do that too? Short answer is yes. Longer answer is: yes, but you can’t do it with the Operations Console. You either hack XML or you use the Authoring Console.

You can create so called “Secure References” to run a rule or monitor with a different user.

I’ve created a simple monitor in the Operations Console which will run with the default action account. If you explore the properties of any monitor in the Operations Consolethere’s no way to change the action account. There’s also no way to override the action account. As mentioned before, the Operations Console is quite limited.

We need the Authoring Console!

You can download and install the authoring console here:
Before we continue, we will need to export the management pack where our monitor was created. Use the Administration space, select Management Packs, locate the management pack and click on Export Management Pack:

Start the authoring console and open the just exported management pack (where your monitor is located). In case you have troubles locating the System.Center.Library management pack, look at this blog post from Chris Harris on how to deal with that:

Create a new Secure Reference

After you’ve opened the management pack, go to the Health Model space and click on Secure References. In Secure References you can define “Run As” profiles that can be used to assign credentials to your monitors and rules. Right-click and select New Secure Reference from the context menu. Provide a new identifier for your secure reference (note the ID must be unique, it’s recommended to use the the management pack name as a prefix):

Provide a meaningful name for your secure reference. The name you choose here will appear in the Operations Console in the Administration space under Run As ConfigurationProfiles. It’s also recommended to provide a description to ensure that everyone knows what this profile is used for (for example: is needed because the monitor XYZ needs special permissions, etc.).

As Context you could just select “System.Entity” which will allow you to use the secure reference for any target class of your workflows.

The following link provides more information about the secure reference element:

Click OK to close the dialog.

Assign the Secure Reference to our Monitor

Change to Monitors (or if you want to assign your secure reference to a rule, go to Rules) and locate your monitor you want to change the Run as profile. Note that objects (such as monitors and rules) created in the Operations Console have an ID like UIGeneratedMonitor_and_some_GUID. If you have multiple monitors in this view, you may to open them all up until you find the one you are looking for.
In the configuration tab, select your Run as profile (the one we just created) and click on Apply:

Save and Re-Import

Before you save the management pack, I strongly recommend to increase the version number using File –> Management Pack Properties:

I’ve seen all sorts of weird behavior if you import a changed management pack with the same version, so don’t forget to always increase the version number.
Save the management pack using File –> Save and switch back to the Operations Console to import the management pack. After the import finished, ensure that the new version is shown correctly:

Go to the Run As ConfigurationAccounts and create a new Run as account for your monitor:

Assign a User Account to your new Run As Account

Configure the windows account:

Choose the distribution model, depending on your requirements and your security policy and finish the wizard.
Now go to the Run As ConfigurationProfiles node in the Administration space and look for your new Run as Profile:

Click on Properties and assign the created Run as account to your new profile as you do it for other management packs:

One easy way to verify if your new action account is being used, is to check the task manager processes. Look for a MonitoringHost.exe running with your action account. SCOM creates at least one MonitoringHost.exe for each action account.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s