Hi
Is it possible to change the Agent Action Account to another "low risk" Domain-Account on a Domain Controller?
For testing purposes, I've created a simple SCOM Agent Task which does the following steps:
- Starts PowerShell
- Imports Active Directory PowerShell Module
- Creates new AD-User
- Adds the AD-User to "Domain Admins"
After creating it, I run this task against a Domain Controller of another domain where I have no permissions at all (SCOM Agent installed + certificate-based communication).
And voila, I'm a Domain Admin!
---------------------------------------------------
Problems:
- As an SCOM Administrator, I can choose which Run-As Account will be used as "Default Action Account" on each Agent.
When I change the service credentials, I cannot start the service on the agent. I get this event:
"The Health Service can only supports running as the local system user account. The service was not configured to run under a different user account so it can not start. Please reset the service configuration back to the default Setting."
Any advice?
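One detection angle for the behaviour described in this post, as an added example that is not part of the original thread: a task running as Local System on a domain controller touches Active Directory as that DC's computer account, so a privileged-group addition (event 4728/4732/4756) whose subject is a machine account (name ending in "$") is a strong signal. The event records below are constructed samples with the relevant EventData fields only.

```python
# Flag privileged-group membership changes made by a computer account,
# which is how a Local System task on a DC shows up in the Security log.

# Group-membership-added events: 4728 (global), 4732 (local), 4756 (universal).
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes warrant an alert (extend to taste).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
}

# Constructed sample events (not real logs): simplified EventData of 4728/4624.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "Domain Admins", "MemberName": "CN=bob,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-test,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "TargetUserName": "Staff", "MemberName": "CN=alice,CN=Users,DC=corp,DC=local"},
    {"EventID": 4624, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "TargetUserName": "SYSTEM", "MemberName": ""},
]


def is_computer_account(sam_name: str) -> bool:
    """Machine accounts (Local System acting on the network) end in '$'."""
    return sam_name.endswith("$")


def find_machine_account_privilege_grants(events):
    """Return alerts for privileged-group additions performed by a computer account.

    Each alert records who did it (subject), which group, and who was added.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        subject = ev.get("SubjectUserName", "")
        if group in PRIVILEGED_GROUPS and is_computer_account(subject):
            alerts.append({
                "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                "group": group,
                "member": ev.get("MemberName", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_machine_account_privilege_grants(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

A normal administrator adding a member appears with a user subject (first sample), while the addition performed from the DC itself appears with the subject CORP\DC01$ and is the only record flagged.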