Server Management - Systems Insight Manager
1748239 Members
3843 Online
108759 Solutions
New Discussion юеВ

Re: Service account credentials for HP SIM 5.1

 
SOLVED
Go to solution
Patrick (UK)
Occasional Advisor

Service account credentials for HP SIM 5.1

We're installing Systems Insight Manager 5.1 on Windows Small Business Server 2003 and have a question about service account credentials.

With the default installation choices, the various Windows services all end up using the standard Administrator account as their service account. While this simplifies installation, it is undesirable from a security viewpoint. Even if the services do indeed require local/domain administrator rights, we would still prefer to set up a separate user account to act as a service account rather than using the standard Administrator account. That way, the operation of the services won't be disrupted every time the Administrator password is changed.

However, we're a little unclear about the steps that would need to be taken when setting up an alternative user account to act as the service account. Although the installation software refers to granting appropriate rights automatically, is there anything that needs to be done manually, such as making the account a member of certain user groups or assigning user rights to it?

Any advice appreciated.

Patrick
12 REPLIES 12
Patrick (UK)
Occasional Advisor

Re: Service account credentials for HP SIM 5.1

Can anybody help with this question?

Patrick
Cindy Osborn
Valued Contributor

Re: Service account credentials for HP SIM 5.1

Patrick,

I have 3 SIM servers all running under a domain service account without an expiring password. The easies way is to create the domain account and then add the account to the administrators group on the server. Then install SIM using the service account on a console session. Then open SIM using this account the first time and do the configuration. Also you will run the remote support configuration using this account. Anytime I update a sim component or have to do configuration of the SIM application I use this account. This account doesn't have to be on any of the monitored targets.

Hope this helps.
Cindy
Patrick (UK)
Occasional Advisor

Re: Service account credentials for HP SIM 5.1

Cindy,

Thanks for the reply. This is very helpful. Since I'm new to SIM, I'd just like to check that I've understood this correctly. The procedure appears to be:

(1) In Active Directory Users and Computers, create a domain user account for use by HP SIM and add it to the server's local Administrators group (rather than Domain Admins).

(2) Open a Command Prompt and run the HP SIM setup program using the 'runas' command, specifying the new user account. The HP SIM services will then be configured by default to use the new user account (rather than the currently logged on user) as their service account.

(3) When the HP SIM application is started, it will prompt for a Windows user account. Enter the new user account here (rather than Administrator, for example), especially if performing any configuration tasks.

Is this correct? If not, I'd appreciate it if you could expand slightly on the steps you listed.

Patrick
Rob Buxton
Honored Contributor

Re: Service account credentials for HP SIM 5.1

Not too sure about Step 2, rather you'd login to the Server HPSIM is to be installed on using the account you've created.

It's probably easier to use a Domain Admin account, especially if you're using a database on a different server.

If the password for the account HPSIM uses needs to be changed at a later date then there's a command that needs to be run that updates the DB connection string.

For step 3, yes you login to HPSIM using the account it was installed under. You can add additional users that are allowed to access HPSIM.
Patrick (UK)
Occasional Advisor

Re: Service account credentials for HP SIM 5.1

Rob,

Thanks very much for your helpful advice.

The entire HP SIM installation, including the database, will be on a single server. That being the case, is there any particular advantage to making the HP SIM service account a member of Domain Admins rather than Administrators?

Regarding point (2) above, there may be question of whether or not the HP SIM service account should be given the 'Log on locally' user right on the server. If I understand Cindy's suggestion correctly, one approach is to log on to Windows using the standard Administrator account (for example) and then use 'runas' at a Command Prompt to run the HP SIM setup program with the service account's credentials. An alternative approach, which I think you're suggesting, is to log on to Windows using the service account and run the setup program directly.

Patrick
Rob Buxton
Honored Contributor
Solution

Re: Service account credentials for HP SIM 5.1

Domin Admin accounts typically make things easier, but if there's some internal restrictions to that then a local account maybe the way to go.
I've not done it that way and would certainly go through the Installation Guide to see what mention there is of requirements for the install account.

I've not tried the run as command, again it just seems to complicate things less if you run it directly from the account you've set up for it. And, make sure you're on the console when you do the install.
Patrick (UK)
Occasional Advisor

Re: Service account credentials for HP SIM 5.1

Hello again, Rob. Thanks for the clarification.

Patrick
Cindy Osborn
Valued Contributor

Re: Service account credentials for HP SIM 5.1

No it doesn't need to be a domain admin account. It only needs to be a service account that can log onto the box. Yes you need to log onto the box with remote desktop into the console session or you need to be at the console when you install sim with this account and also at any time in the future when you make updates to the SIM software.
Patrick (UK)
Occasional Advisor

Re: Service account credentials for HP SIM 5.1

Hello, Cindy. Thanks for the additional information.

Patrick