Author: SlavikT
Post date: 26.09.2007 11:30
There is no need to run it under Domain Admin.
A common approach is to specify a domain account, which allows you to select a user with the least amount of privileges necessary for your environment.
On computers running Windows Server 2003, Windows Server 2003 R2, and the Windows Vista operating system, the default action account must have the following minimum privileges:
• Member of the local Users group
• Member of the local Performance Monitor Users group
• Allow log on locally permission (SetInteractiveLogonRight)
How to Use the Health Service Lockdown Tool in Operations Manager 2007
On computers requiring high security, for example a domain controller, you may need to deny certain identities access to rules, tasks, and monitors that might jeopardize the security of your server. The Health Service lockdown tool (HSLockdown.exe) enables you to use various command-line options to control and limit the identities used to run a rule, task, or monitor.
Note
You will be unable to start the OpsMgr Health Service if you have used the Health Service Lockdown tool to lock out the Action Account. To be able to restart the OpsMgr Health Service, follow the second procedure in this topic to unlock the Action Account.
The following command-line options are available:
• HSLockdown [ManagementGroupName] /L - List Accounts/groups
• HSLockdown [ManagementGroupName] /A - Add an allowed account|group
• HSLockdown [ManagementGroupName] /D - Add a denied account|group
• HSLockdown [ManagementGroupName] /R - Remove an allowed/denied account|group
Accounts must be specified in one of the following fully qualified domain name (FQDN) formats:
• NetBios : DOMAIN\username
• UPN : username@fqdn.com
If you used the add or deny options when running the Health Service Lockdown tool, you will need to restart the OpsMgr Health Service before the changes take effect.
When evaluating allowed and denied listings, know that denies take priority over allows. If a user is listed as allowed, and the same user is a member of a group that is listed as denied, the user will be denied.
To use the health service lockdown tool
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located) and then press ENTER.
5. Type cd\Program Files\System Center Operations Manager 2007 and then press ENTER.
6. Type HSLockdown [Management Group Name] /D [account or group] to deny the group or account, and then press ENTER.
To unlock the Action Account
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located) and then press ENTER.
5. Type cd\Program Files\System Center Operations Manager 2007 and then press ENTER.
6. Type HSLockdown [Management Group Name] /A <Action Account> and then press ENTER.
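
The deny-over-allow rule and the lockout note quoted above can be checked before any HSLockdown command is run. The PowerShell sketch below is an added example, not part of the original post or of Operations Manager: the function name, the account and group names, and the membership table are hypothetical, and only the direct memberships passed in by the caller are evaluated.

```powershell
# Added example: pre-flight check of planned HSLockdown /A and /D entries.
# Account names, group names and memberships are constructed sample data.
function Get-EffectiveLockdownState {
    param(
        [Parameter(Mandatory = $true)] [string] $Account,  # DOMAIN\username
        [string[]]  $Allowed = @(),       # identities planned for /A
        [string[]]  $Denied = @(),        # identities planned for /D
        [hashtable] $GroupMembers = @{}   # group name -> direct member accounts
    )

    # The account itself plus every supplied group that lists it as a member.
    $identities = @($Account)
    foreach ($group in $GroupMembers.Keys) {
        if ($GroupMembers[$group] -contains $Account) { $identities += $group }
    }

    # -contains compares strings case-insensitively.
    $denyHits  = @($identities | Where-Object { $Denied -contains $_ })
    $allowHits = @($identities | Where-Object { $Allowed -contains $_ })

    # Deny takes priority over allow.
    if ($denyHits.Count -gt 0) {
        $state = 'Denied';  $matched = $denyHits
    } elseif ($allowHits.Count -gt 0) {
        $state = 'Allowed'; $matched = $allowHits
    } else {
        $state = 'NotListed'; $matched = @()   # case not described on this page
    }

    New-Object psobject -Property @{
        Account   = $Account
        State     = $state
        MatchedOn = ($matched -join ', ')
    }
}

# Constructed scenario: account allowed directly, but its group is denied.
$members = @{ 'CONTOSO\Tier1 Operators' = @('CONTOSO\svc-om-action', 'CONTOSO\jdoe') }
$result = Get-EffectiveLockdownState -Account 'CONTOSO\svc-om-action' `
    -Allowed @('CONTOSO\svc-om-action') `
    -Denied @('CONTOSO\Tier1 Operators') `
    -GroupMembers $members

$result | Format-List Account, State, MatchedOn
if ($result.State -eq 'Denied') {
    Write-Warning 'Action Account would be locked out; the OpsMgr Health Service would not start.'
}
```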