Posted by Roger Abell [MVP] on May 24, 2008, 4:19 am
> Question:
>
> How exposed will I be if I assign full control on the "Self" security
> group to a user (service) account?
>
>
> Background:
>
> I get the following entry in my Operations Manager event log:
>
> "The System Center Operations Manager SDK service failed to register an
> SPN. A domain admin needs to add MSOMSdkSvc/test1 and
> MSOMSdkSvc/test1.xyz.com to the servicePrincipalName of TEST\OM_SDKCFG."
>
> I came across the following article to resolve this:
>
>
> http://blogs.technet.com/kevinholman/archive/2007/12/13/system-center-operations-manager-sdk-service-failed-to-register-an-spn.aspx
>
> The easy resolution according to this article is to assign full control to
> the "Self" security group on the sdk account object in AD. For more granular
> control I can also just assign the permission to update the SPN only using
> ADSIedit.msc.
>
> I have chosen the easy way in my test environment, but when it comes to
> production, if I go the easy route, how exposed will I be?
>
> KeithK
>
>
Grant what is needed, not what is needed and everything else.
For example, if to SELF you grant full control of some account object
then that account could set its password to non-expiring or make any other
change that does not require a grant to exist on other objects.
You want to let the account update its SPN so grant it that ability.
Roger
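
One way to apply the advice above from PowerShell rather than ADSIedit.msc, as an added example that is not part of the thread or the linked article: it lists what SELF is currently granted on the account, removes a full-control grant, and grants read/write on servicePrincipalName only. The account DN is a placeholder and the variable names are illustrative.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder DN: substitute the real location of the SDK service account.
$accountDn = 'CN=OM_SDKCFG,OU=<placeholder>,DC=<placeholder>'
$path      = "AD:\$accountDn"

# NT AUTHORITY\SELF is the well-known SID S-1-5-10.
$self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
# schemaIDGUID of the servicePrincipalName attribute.
$spnAttribute = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path $path

# Explicit (non-inherited) ACEs that apply to SELF on this object.
$selfAces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $self.Value }

# Show what SELF can do today, so the "before" state is on record.
$selfAces | Format-Table ActiveDirectoryRights, AccessControlType, ObjectType -AutoSize

# Remove only the allow ACEs that give SELF full control; narrower ACEs stay.
$selfAces |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights.HasFlag($fullControl) } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

# Grant SELF read/write on servicePrincipalName and nothing else.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$spnRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $self, $rights, $allow, $spnAttribute
$acl.AddAccessRule($spnRule)

# Write the modified security descriptor back to the account object.
Set-Acl -Path $path -AclObject $acl
```

Running the `Get-Acl` and `Format-Table` steps again afterwards shows whether the full-control entry is gone and the property-scoped entry is in place.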