On some Remote sites we have deployed physical RODC’s. Our Security and AD team would like to monitor these as we monitor Central domain Controllers, but without distributing the run as account. Is there a way to accomplish this?
Apologies on the time taken to get back to you on this one (Community doesn’t send you an email when there’s a comment *sad face*) . I’ve had a little read of the MP Guide under the security section:
AD MP Account
The AD MP Account Run As Profile is automatically created when you import the ADMP. This account is not needed if you are using the Action Account for ADMP operations. However, if you would prefer to use a different domain account to monitor Active Directory operations, you can utilize the ADMP Run As Profile by first creating a Run As Account and then adding that account to the AD MP Account Run As Profile.
MP download page, download the OM_MP_ADDS.doc file: https://www.microsoft.com/en-gb/download/details.aspx?id=21357
Essentially the agent usually runs under Local System which has pretty much all the rights it needs in most monitoring scenarios, with a few MP’s creating a run as profile that can be used if there are security concerns (there are exceptions to this rule where MP’s will require an account to be associated with the profile(s) created). This means that you shouldn’t need to distribute an account to your domain controllers in order to monitor them.
If your concern is the account that is used to deploy the agent, then a domain admin should be able to push the agent to these servers, or a service account that is temporarily added to local admins on the destination server (i.e. DOMAIN\svc-AgentPush).
When deploying the agent one of the steps allows you to enter an account (make sure you do this on the right page as one is for the account the agent runs under which should be left as Local System):
When this account isn’t specified SCOM will use the Management Server Action account, which in reality you don’t want to distribute to any server just to deploy an agent. Best practice is to have an agent deployment account that can be temporarily added into the Local Administrators group on each machine when deploying agents OR use an account that already has this level of access i.e. a domain admins credentials. If you add an account to Local Admins, you can remove it after as it is only used to push the agent and doesn’t require permissions on the server after the agent is installed.
Hope this helps!