Running SCOM Agent On Domain Controller as Local System

After deploying the OpsMgr agent to a DC you may receive some errors concerning scripts not being able to run. An example of an error you may receive is below:

Forced to terminate the following process started at 1:01:51 PM because it ran past the configured timeout 120 seconds.

Command executed: “C:\Windows\system32\cscript.exe” //nologo “C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 5\3201\AD_Replication_Partner_Op_Master_Consistency.vbs” DC01.domain.pvt false
Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 5\3201\

This is due to the fact that the SCOM HealthService by default only allows "NT AUTHORITY\Authenticated Users" to access the service. However, the service runs as LocalSystem by default, and LocalSystem doesn't fall under the Authenticated Users scope. This is where the hslockdown tool comes in.

If you run "C:\Program Files\System Center Operations Manager 2007\hslockdown.exe" "SITENAME", you can see that Authenticated Users may be the only entry allowed to access the service.

You will need to add LocalSystem to the allowed list for the HealthService and restart the HealthService for the changes to take effect. Issue the following commands in the command prompt to complete the desired task:

"C:\Program Files\System Center Operations Manager 2007\hslockdown.exe" "SITENAME" /A "NT AUTHORITY\SYSTEM"
sc stop HealthService
sc start HealthService
