SystemCenter

All about System Center Articles and Tutorials

Change Service Accounts Passwords – Operations Manager

Posted by on Dec 19, 2016 in SCOM, SCOM 2012, SCOM 2016

Last week we received an email from our IT Security team containing a list of the SCOM Service Accounts for which they asked us to change the passwords due to security reasons.

Generally, it’s NOT recommended to change the Operations Manager Service Account passwords. However, when it’s necessary in secure environments where the corporate policy mandates regular password changes, we don’t have any option other than resetting the password.

Changing a Service Account password is a critical Change and must be carefully planned and approved by the Change Advisory Board.

Before you start, make sure you have a healthy SCOM environment; if it has any issues, fix them before changing the passwords.

So let’s start.

List SCOM Inventory

  1. List Management and Gateway Servers.
  2. Identify which server hosts the SCOM Web Console.
  3. Identify which SQL Server hosts the OpsMgr DB and DW.
  4. Identify which server hosts Reporting Services.
  5. List all Run As and Service Accounts.
  6. Check whether any 3rd party tools need a password reset as well.

Once you have collected all the information above, it’s time to prepare the execution plan.

Execution Plan

  1. Clear Operations Manager Event Logs on all Management Servers.
  2. Change Service Account passwords in AD.
  3. Change SDK and Configuration Service Account passwords on all Management Servers.
  4. Change all affected Run As accounts in SCOM console.
  5. Restart all SCOM services on Management Servers.
  6. Change SSRS Service Account password under Reporting Services Configuration Manager.
  7. Change SSRS Service Account password under Services console.
  8. Change password in IIS application Pool (If Required).
  9. Change password in 3rd party tool integration (If Required).
  10. Testing.

1: Clear Operations Manager Event Logs on all Management Servers

Log on to each Management Server and clear the Operations Manager logs.

I would suggest saving the logs before choosing the Clear Log option.

2: Change Service Account passwords in AD

Reset all the Service Account passwords. If you don’t have access, involve the Active Directory team to reset the passwords for you.

3: Change SDK and Configuration Service Account passwords on all Management Servers

1: Log on to the SCOM Management Server and open the Services console.

2: Right click System Center Data Access Service and click Properties.

3: Click the Log On tab and change the password.

4: Apply the changes and restart the service.

Modify the password the same way for System Center Management Configuration.

Note: Follow the same steps on all the Management Servers to modify the passwords for the System Center Data Access Service and System Center Management Configuration service.
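The same change scripted across several Management Servers, as an added example that is not part of the original post. It assumes PowerShell remoting is enabled and that the account is entered in the same DOMAIN\user form shown on the services' Log On tab; the function name and server names are placeholders.

```powershell
# Added example (not from the original post). Update-ServiceLogonPassword and the
# server names in the usage lines are hypothetical; the service display names are
# the ones used in step 3.
function Update-ServiceLogonPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,   # account name + NEW password
        [string[]] $DisplayName = @('System Center Data Access Service',
                                    'System Center Management Configuration')
    )
    foreach ($computer in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($computer, "Set logon password for $($Credential.UserName)")) { continue }
        Invoke-Command -ComputerName $computer -ArgumentList $Credential, $DisplayName -ScriptBlock {
            param($Cred, $Names)
            foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
                if ($svc.DisplayName -notin $Names) { continue }
                # Never touch a service that runs under some other identity.
                $result = 'Skipped: runs as a different account'
                if ($svc.StartName -eq $Cred.UserName) {
                    # Win32_Service.Change returns 0 on success; restart only then.
                    $rc = (Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
                            StartName     = $svc.StartName
                            StartPassword = $Cred.GetNetworkCredential().Password
                        }).ReturnValue
                    if ($rc -eq 0) {
                        Restart-Service -Name $svc.Name -Force
                        $result = "Updated, service is $((Get-Service -Name $svc.Name).Status)"
                    } else {
                        $result = "Change failed with return code $rc"
                    }
                }
                [pscustomobject]@{ Service = $svc.DisplayName; LogOnAs = $svc.StartName; Result = $result }
            }
        }
    }
}

# Usage: the password is typed at the prompt and never stored in the script.
# $cred = Get-Credential -Message 'Service account (DOMAIN\user) and its new password'
# Update-ServiceLogonPassword -ComputerName 'MS01', 'MS02' -Credential $cred -WhatIf
# Update-ServiceLogonPassword -ComputerName 'MS01', 'MS02' -Credential $cred
```

A result of "Updated, service is Stopped" means the service did not come back after the restart, which usually points to a password that does not match the one set in AD.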

4: Change all affected Run As accounts in SCOM console

1: Log on to the SCOM Management Server and open the Operations Console.

2: Go to the Administration tab and click on Accounts under the Run As Configuration option.

3: Right click the Action Account, click Properties and click the Credentials tab.

4: Modify the password, then click Apply and OK to apply the changes.

Note: Follow the same steps to modify the passwords for other Action Accounts and Windows accounts.

5: Restart all SCOM services on Management Servers

  • Microsoft Monitoring Agent.
  • System Center Data Access Service.
  • System Center Management Configuration.

6: Change SSRS Service Account password under Reporting Services Configuration Manager

1: Log on to the SQL Server hosting Reporting Services.

2: Open Reporting Services Configuration Manager and connect to the SQL Server instance hosting reporting.

3: Modify the password under the Service Account tab and click Apply.

4: Make sure to check the Results; they should all be green.

5: Click on the Database tab and click the Change Credentials option.

6: Click on the Test Connections button; the connection should succeed.

7: Click OK and then Next to continue.

8: Provide the new password for the account and click Next.

9: Review the Summary and click Next to continue.

10: It must complete with a Success result. Click Finish to close the Wizard.

11: Provide the new password under Execution Account and click the Apply button.

The Results must be all green.

7: Change SSRS Service Account password under Services console

Now that we have updated the new password under Reporting Services Configuration Manager, it’s time to update the same password under SQL Server Reporting Services.

1: Open the Services console on the SQL Server hosting Reporting Services.

2: Right click SQL Server Reporting Services and click Properties.

3: Click the Log On tab and change the password.

4: Apply the changes and restart the service.

Important: Please check the report URL; it should be working fine.

8: Change password in IIS application Pool (If Required)

1: Type inetmgr under Run and click OK.

The IIS Manager window will open.

2: Expand the server hosting the application pool and click the Application Pools option.

Check whether any Service Account is being used as the Identity. Mostly it would be ApplicationPoolIdentity.

If you find any Service Account, change the password and restart the application pool.

Below is the process to change the credentials:

1: Right click on the application pool using the Service Account and click Advanced Settings.

2: Expand Process Model, click Identity and click on the box.

3: Change the credentials in the Set Credentials window.

4: Click OK, OK, OK and restart the application pool.
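The identity check and password update from this step, as an added example that is not part of the original post. It assumes the WebAdministration module that ships with IIS and an elevated PowerShell session on the IIS server; the function names are hypothetical.

```powershell
# Added example (not from the original post); function names are hypothetical.
Import-Module WebAdministration

# List every application pool with the identity it runs as.
function Get-AppPoolIdentity {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            Pool         = $_.Name
            IdentityType = $_.processModel.identityType   # e.g. ApplicationPoolIdentity, SpecificUser
            UserName     = $_.processModel.userName       # empty for built-in identities
            State        = $_.State
        }
    }
}

# Set the new password only on pools that run as the given account.
function Update-AppPoolPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [pscredential] $Credential)
    foreach ($pool in Get-AppPoolIdentity) {
        # Built-in identities and pools owned by other accounts are left alone.
        if ($pool.IdentityType -ne 'SpecificUser' -or $pool.UserName -ne $Credential.UserName) { continue }
        if (-not $PSCmdlet.ShouldProcess($pool.Pool, 'Update application pool password')) { continue }
        Set-ItemProperty -Path "IIS:\AppPools\$($pool.Pool)" -Name processModel -Value @{
            userName     = $Credential.UserName
            password     = $Credential.GetNetworkCredential().Password
            identityType = 3      # 3 = SpecificUser
        }
        # Restart only pools that were running; a stopped pool stays stopped.
        if ($pool.State -eq 'Started') { Restart-WebAppPool -Name $pool.Pool }
        Get-AppPoolIdentity | Where-Object Pool -eq $pool.Pool
    }
}

# Usage:
# Get-AppPoolIdentity | Format-Table
# $cred = Get-Credential -Message 'Service account (DOMAIN\user) and its new password'
# Update-AppPoolPassword -Credential $cred -WhatIf
# Update-AppPoolPassword -Credential $cred
```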

9: Change password in 3rd party tool integration (If Required)

There might be scenarios wherein you have integrated with third party applications like HP BSM. If this is the case, you need to ask the BSM administrator to modify the Service Account password used for the connector.

10: Testing

  • Check the Operations Manager Event Logs for any Errors/Warnings.
  • Check that the Operations Manager Console is working.
  • Check the Operations Manager Resource Pool. It should be all green.
  • Open Reporting under the Operations Manager Console; the reports should be working.
  • Open the SCOM Web Console; it should be functional.
  • Check whether there are any Operations Manager alerts under the Monitoring view in the SCOM Console.
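Step 1 (save, then clear the log) and the first check above can be run from one workstation against all Management Servers. This is an added example, not part of the original post; it assumes PowerShell remoting is enabled, and the function names, server names and backup folder are placeholders.

```powershell
# Added example (not from the original post). Function names, server names and
# the backup folder are hypothetical placeholders.
$LogName = 'Operations Manager'

# Step 1: back up the log to an .evtx file on each server, then clear it.
function Backup-AndClearOpsMgrLog {
    param([Parameter(Mandatory)] [string[]] $ComputerName,
          [string] $BackupFolder = 'C:\Temp\OpsMgrLogBackup')   # placeholder path on each server
    Invoke-Command -ComputerName $ComputerName -ArgumentList $LogName, $BackupFolder -ScriptBlock {
        param($Log, $Folder)
        New-Item -ItemType Directory -Path $Folder -Force | Out-Null
        $file = Join-Path $Folder ('OpsMgr-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))
        # /bu writes the backup file before the log is cleared.
        wevtutil.exe cl $Log "/bu:$file"
        [pscustomobject]@{ Backup = $file; ExitCode = $LASTEXITCODE; Saved = (Test-Path $file) }
    }
}

# Step 10: summarise Errors and Warnings logged since the password change.
function Get-OpsMgrLogIssue {
    param([Parameter(Mandatory)] [string[]] $ComputerName,
          [Parameter(Mandatory)] [datetime] $Since)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $LogName, $Since -ScriptBlock {
        param($Log, $Start)
        # Level 2 = Error, 3 = Warning. Get-WinEvent raises an error when nothing
        # matches, so that case is silenced and treated as an empty (clean) result.
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $Log; Level = 2, 3; StartTime = $Start } -ErrorAction SilentlyContinue)
        $events | Group-Object Id, LevelDisplayName | Sort-Object Count -Descending | ForEach-Object {
            $newest = $_.Group[0]          # Get-WinEvent returns newest events first
            [pscustomobject]@{
                EventId = $newest.Id
                Level   = $newest.LevelDisplayName
                Count   = $_.Count
                Latest  = $newest.TimeCreated
                Sample  = ("$($newest.Message)" -split "`r?`n")[0]
            }
        }
    }
}

# Usage:
# Backup-AndClearOpsMgrLog -ComputerName 'MS01', 'MS02'
# $changeStart = Get-Date      # note the time just before resetting the passwords
# Get-OpsMgrLogIssue -ComputerName 'MS01', 'MS02' -Since $changeStart | Format-Table -AutoSize
```

No output from Get-OpsMgrLogIssue means no Errors or Warnings were logged on those servers since the given time.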

If all the above tests pass and SCOM is working as expected, you have really done a great job!!

That’s it.

So, as we see, changing Operations Manager Service Account passwords is not that tough a job; however, it needs proper attention and must be executed properly.

Hope this helps.
