BRONZE PARTNER:
BRONZE PARTNER:
Industry News:
| |
| |
|
|
|
|
|
| MOM FAQ: Problems Pushing out new MOM Agents |
|
|
|
By: Cliff Hobbs
Posted On: 3/27/2003
Problem:
I'm having some trouble pushing new agents out from the MOM server.
Under “Configuration | Global Settings |Agent Managers” I set up the "Agent Service Account" security context to use on the client side. By default we used Local Account. This generates errors that it cannot read the client registry (Access Denied).
We then specified the lab's Domain Admin account "Administrator" and its password. This returns the error "The Agent Manager was unable to grant account "<domain_name>\administrator" the right to log on as a service on computer "<computer_name>", nor could it verify that the right already exists."
So, I'm now trying to sort out how to grant this elevated privilege to the Domain Admin account on the resource server (Windows 2000 Active Directory environment).
Can anyone share how you've set up your systems? My only "managed" agent is the server upon which MOM itself was installed.
Contributed By: David Chapman and David Jaffe
Use the Default Domain Policy to grant the ‘Log on as a service’ and ‘Act as part of the operating system’ advanced user rights. Once at the GPO for the Domain go to “Computer Configuration | Local Policies | Security Options”. You should enable ‘Log on as a service’ and add the Domain account.
You also need to remember to do the same on the Domain Controller's GPO too, as well as the Domain's GPO as the closest to the object wins. Since in Windows 2000 the DCs now have their security policies separate from the Domain policy I make it a best practice to add the policy to the Default Domain Controller's OU if the service will be touching a DC as well as any Member server's local Security Policy
Take a look at Microsoft Knowledge Base Article 259733
259733 How to Troubleshoot Service Startup Permissionsand the recommended troubleshooting steps are to add the acct to the DC's OU policy.
|
|
|
|
|
|
