How do I change the service account used by Security Manager? (NETIQKB42271)

  • 7742271
  • 02-Feb-2007
  • 28-Aug-2009

Environment

Security Manager 5.X
Security Manager 6.0

Situation

How do I change the service account used by Security Manager?


How do I change the service account used by the Security Manager log archive service?

How do I change the service account on the Reporting server?

How do I update the service account password used by Security Manager?

How do I update the Data Access Server (DAS) credentials used by Security Manager?

How do I update the DCOM credentials used by Security Manager?

How do I add a new database login for the Security Manager service account?

How do I use the DCOM Config (DCOMCNFG.EXE) utility to update DCOM credentials for Security Manager?

Resolution

If you want to change the service account or password used by Security Manager, you can use the Active Directory Users and Computers administrative tool in the Administrative Tools folder of the Control Panel. However, ensure you also modify the credentials used by the Security Manager service, applications, and databases.

The following task describes an overview of how to change the service account or password.

To change the service account or password:

1. Create a new service account or modify the existing service account password with the Active Directory Users and Computers administrative tool in the Administrative Tools folder of the Control Panel. Ensure that the service account and password meet the following requirements:

o Is a domain account.

o Cannot have a blank password. If your enterprise has a password expiration policy, consider exempting the service account from your password expiration policy.

o Is a member of the Administrators local group on the central computer and all agent computers that the central computer will manage in the domain. If you want the service account to have rights to install agents in other trusted domains, the service account must be a member of the Administrators local group on all agent computers that the central computer will manage in the trusted domain.

o Is a member of the Microsoft SQL Server sysadmin role on the database server and on each log database computer (for SM 5.1 and 5.0).

2. Complete the following steps on each central computer:

1. If you created a new service account, add the service account to the OnePointOp System local group. You can add the service account with the Active Directory Users and Computers administrative tool in the Administrative Tools folder of the Control Panel.

2. Stop the service and update the service credentials. For more information, see "Updating Service Credentials."

3. (Security Manager 6.5 only) Validate that the service account has permissions to the locally stored certificate on the central computer. For more information, see "Validate Certificate Permissions on the Central Computer."

4. Update the Data Access Server credentials. For more information, see "Updating Data Access Server Credentials."

5. Update the DCOM application credentials. For more information, see "Updating DCOM Credentials."

6. Restart the service with the Services administrative tool in the Administrative Tools folder of the Control Panel.

3. If you created a new service account, create a new login on the database server and each log database computer. For more information, see "Creating a Database Login."

Updating Service Credentials

Follow the steps in this section to update the credentials used by the Security Manager service on the central computer.

To update the service credentials:

1. Start the Services administrative tool in the Administrative Tools folder of the Control Panel.

2. In the left pane, click the service name as follows:

o For Security Manager version 5.0, click OnePoint.

o For Security Manager version 5.1, 5.5, 5.6 and 6.0 click NetIQ Security Manager.

o For Security Manager version 6.0 LAS server, click NetIQ Security Manager Log Archive.

3. On the Action menu, click Stop.

4. On the Action menu, click Properties.

5. On the Log On tab, change the service account credentials. If modifying the service account name, ensure you use the Domain\Account format.

6. Click OK.
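The Log On tab edits the same property that the Win32_Service class exposes as StartName. The following script is an added example and is not part of the NetIQ KB article: it reports which account each Security Manager service logs on as and changes it without the snap-in, stopping the service first as step 3 requires and deliberately not restarting it, because the overview restarts the service only after the DAS and DCOM credentials have been updated. It assumes Windows PowerShell 3.0 or later, an elevated session on the central computer, and that the display names match the ones listed above; 'DOMAIN\smservice' is a placeholder.

```powershell
# Added example, not part of the NetIQ KB article: inspect and change the logon
# account of the Security Manager service through the Win32_Service CIM class,
# which is what the Services snap-in's Log On tab changes under the hood.
# Assumptions: Windows PowerShell 3.0 or later, run elevated on the central
# computer, and that the service display names match those in the procedure.

$SmServiceDisplayNames = @(
    'OnePoint',                             # Security Manager 5.0
    'NetIQ Security Manager',               # 5.1, 5.5, 5.6, 6.0
    'NetIQ Security Manager Log Archive'    # 6.0 log archive server
)

function Get-SmServiceLogon {
    # Report which account each Security Manager service currently logs on as.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $SmServiceDisplayNames -contains $_.DisplayName } |
        Select-Object Name, DisplayName, State, StartName
}

function Set-SmServiceLogon {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    # The procedure requires the Domain\Account format; reject anything else early.
    if ($Credential.UserName -notmatch '^[^\\@]+\\[^\\@]+$') {
        throw "Service account must be given as Domain\Account, got '$($Credential.UserName)'."
    }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' was not found on this computer." }

    # Stop the service first (step 3 of the procedure), then update the logon account.
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }

    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    # Win32_Service.Change return codes: 0 = success, 2 = access denied,
    # 15 = service logon failed, 22 = invalid service account.
    if ($result.ReturnValue -ne 0) {
        throw "Changing the logon account for '$DisplayName' failed with code $($result.ReturnValue)."
    }
    # Deliberately not restarting here: the overview restarts the service only
    # after the DAS and DCOM credentials have also been updated.
    Get-SmServiceLogon | Where-Object { $_.DisplayName -eq $DisplayName }
}

# Usage (prompts for the password instead of placing it on the command line):
# $cred = Get-Credential -UserName 'DOMAIN\smservice' -Message 'Security Manager service account'  # placeholder account
# Set-SmServiceLogon -DisplayName 'NetIQ Security Manager' -Credential $cred
```

Two caveats when doing this outside the snap-in: the Change method does not grant a new account the "Log on as a service" right the way the Services snap-in does, so grant it in Local Security Policy first or the service will fail to start; and on hosts older than PowerShell 3.0 the same change is made with Get-WmiObject Win32_Service and its Change method, passing the account and password as the seventh and eighth arguments.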


Validate Certificate Permissions on the Central Computer

By default, on a server OS, the local administrators group has permission to access the NetIQ Security Manager key container in the local certificate store. It is possible to change the local security policy such that the installing user is the owner of NetIQ Security Manager key container, and no access rights are given to the local administrators group. This will cause problems for SM if the installing user and SM service user are different.

To validate the security policy, follow these steps:

1) Open Local Security Policy on the Central Computer (under Administrative Tools)

2) Navigate to Local Policies

3) Navigate to Security Options

4) Locate the "System objects: Default owner for objects created by members of the Administrators group" policy

5) Validate that the setting is "Administrators group".

If the "Object creator" option is selected and the installing user and SM service user are different, SM will have a problem accessing the NetIQ Security Manager key container and will fail to start with event 21337 in the Application event log.

To resolve this problem, use the aspnet_regiis.exe utility that ships with the .NET Framework version 2.0. Run the following command from a command prompt (replace "Domain\User" with the Security Manager service account):

aspnet_regiis -pa "NetIQ Security Manager" "Domain\User"

Note: This applies only to the central computer unless agent or central computer authentication is enabled in SM 6.5. If authentication is enabled, the same problem can occur on an agent, with event 21344 logged in the Application event log.
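The policy check, the event log symptom and the aspnet_regiis repair can be scripted together so that the key container is only re-granted when the problem is actually present. The script below is an added example, not part of the KB article; it assumes Windows PowerShell 3.0 or later and an elevated session on the central computer (or on an agent in the 6.5 authentication case), and relies on the fact that the policy named above is stored as the NoDefaultAdminOwner value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 or absent = Administrators group, 1 = Object creator). 'DOMAIN\smservice' is a placeholder.

```powershell
# Added example, not part of the NetIQ KB article: check the policy setting and
# event log symptoms described above, and re-grant key container access with the
# same aspnet_regiis command the article gives.
# Assumptions: Windows PowerShell 3.0 or later, run elevated on the central
# computer (or on an agent for the 6.5 authentication case). The policy
# "System objects: Default owner for objects created by members of the
# Administrators group" is stored as the NoDefaultAdminOwner value under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Administrators group,
# 1 = Object creator).

function Get-DefaultAdminOwnerSetting {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue).NoDefaultAdminOwner
    if ($value -eq 1) { 'Object creator' } else { 'Administrators group' }   # absent or 0 is the default
}

function Find-SmKeyContainerEvents {
    param([int]$Days = 7)
    # 21337: the central computer cannot open the key container and fails to start.
    # 21344: the same symptom on an agent when 6.5 authentication is enabled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 21337, 21344
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Grant-SmKeyContainerAccess {
    param([Parameter(Mandatory = $true)][string]$ServiceAccount)
    if ($ServiceAccount -notmatch '^[^\\@]+\\[^\\@]+$') {
        throw "Service account must be given as Domain\Account."
    }
    # aspnet_regiis.exe ships with .NET Framework 2.0 (v2.0.50727); -pa grants the
    # account access to the named RSA key container, exactly as in the article.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
    if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis (is .NET Framework 2.0 installed?)" }
    & $regiis -pa 'NetIQ Security Manager' $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe exited with code $LASTEXITCODE" }
}

# Usage: report first; only grant access when the policy or the event log shows the problem.
$policy = Get-DefaultAdminOwnerSetting
$events = @(Find-SmKeyContainerEvents)
"Default owner policy: $policy; key container events in the last 7 days: $($events.Count)"
if ($policy -eq 'Object creator' -or $events.Count -gt 0) {
    Write-Warning "Run Grant-SmKeyContainerAccess -ServiceAccount 'DOMAIN\smservice' (placeholder account) to re-grant access."
}
```

Keeping the grant behind the check matters for least privilege: -pa adds an ACE for the service account to the key container, and running it unconditionally on every host would spread access to a signing key that only the central computer (and, with 6.5 authentication, the agents) needs.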

Updating Data Access Server Credentials

Follow the steps in this section to update the credentials used by the Data Access Server on the central computer.

1. Start the Component Services administrative tool in the Administrative Tools folder of the Control Panel.

2. In the left pane, expand Component Services > Computers, and then click My Computer.

3. Expand COM+ Applications, and then click OnePointActiveOpsDAS.

4. On the Action menu, click Properties.

5. On the Identity tab, change the service credentials. If modifying the service account name, ensure you use the Domain\Account format.

6. Click OK.

7. On the Action menu, click Shut down.
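The Component Services snap-in drives the COM+ administration catalog, which is scriptable through the COMAdmin.COMAdminCatalog COM object. As an added example that is not part of the KB article, the following script reads the identity of OnePointActiveOpsDAS (what the Identity tab shows), sets the new account and password, saves the change and shuts the application down, matching steps 5 through 7. It assumes Windows PowerShell 3.0 or later and an elevated session on the central computer; 'DOMAIN\smservice' is a placeholder.

```powershell
# Added example, not part of the NetIQ KB article: read and change the identity of
# the OnePointActiveOpsDAS COM+ application through the COM+ administration
# catalog (COMAdmin.COMAdminCatalog), the object model behind the Component
# Services snap-in. Assumptions: Windows PowerShell 3.0 or later, run elevated
# on the central computer.

function Get-ComPlusAppIdentity {
    param([string]$Name = 'OnePointActiveOpsDAS')
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Name -eq $Name) {
            return [pscustomobject]@{
                Name     = $app.Name
                AppId    = $app.Key
                Identity = $app.Value('Identity')   # what the Identity tab shows
            }
        }
    }
    throw "COM+ application '$Name' was not found."
}

function Set-ComPlusAppIdentity {
    param(
        [string]$Name = 'OnePointActiveOpsDAS',
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    if ($Credential.UserName -notmatch '^[^\\@]+\\[^\\@]+$') {
        throw "Service account must be given as Domain\Account, got '$($Credential.UserName)'."
    }
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    $found = $false
    foreach ($app in $apps) {
        if ($app.Name -eq $Name) {
            # Identity and Password are the catalog properties behind the Identity tab.
            $app.Value('Identity') = $Credential.UserName
            $app.Value('Password') = $Credential.GetNetworkCredential().Password
            $found = $true
        }
    }
    if (-not $found) { throw "COM+ application '$Name' was not found." }
    [void]$apps.SaveChanges()
    # Same effect as Action > Shut down: the next activation runs under the new identity.
    $catalog.ShutdownApplication($Name)
    Get-ComPlusAppIdentity -Name $Name
}

# Usage:
# $cred = Get-Credential -UserName 'DOMAIN\smservice' -Message 'Security Manager service account'  # placeholder account
# Set-ComPlusAppIdentity -Credential $cred
```

Do this step before running smconfiguredcom on 5.1 and later, because that command reads the account name from the OnePointActiveOpsDAS identity rather than taking it as an argument.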

Updating DCOM Credentials

The names of DCOM applications changed between Security Manager versions 5.0 and 5.1. Follow the steps for the version of Security Manager you have installed.

Updating DCOM Credentials on Security Manager version 5.1, 5.5, 5.6, and 6.0

Security Manager versions 5.1, 5.5, 5.6, and 6.0 include the smconfiguredcom command, which you can use to update the service account credentials used by multiple DCOM applications. The smconfiguredcom command pulls the updated service account name you specified for the OnePointActiveOpsDAS COM application, and then applies the name and a password you specify to the DCOM credentials.

To update the DCOM credentials, in the \NetIQ Security Manager\OnePoint folder, enter the following command at the command prompt:

smconfiguredcom password

Where password is the new service account password.

Updating DCOM Credentials on Security Manager version 5.0

Depending on the version of Windows you have installed on the central computer, you can use native tools or the dcomcnfg utility to update the service account credentials used by DCOM applications for Security Manager version 5.0.

For more information about the dcomcnfg utility, see Microsoft Knowledge Base number 176799: "INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT" http://support.microsoft.com/support/kb/articles/Q176/7/99.ASP


To update DCOM credentials for Security Manager version 5.0:

1. If the computer is running Windows 2000, complete the following steps:

1. On the Start menu, click Run, type DCOMCNFG, and click OK.

2. On the Application tab, double-click AgentManager.

3. On the Identity tab, modify the credentials, and then click OK.

4. Repeat steps 2-3 for the OMWMIProvider application.

5. Click OK.

2. If the computer is running Windows 2003, complete the following steps:

1. Start the Component Services administrative tool in the Administrative Tools folder of the Control Panel.

2. In the left pane, expand Component Services > Computers > DCOM Config, and then click AgentManager.

3. On the Action menu, click Properties.

4. On the Identity tab, modify the credentials, and then click OK.

5. Repeat steps 2-4 for the OMWMIProvider application.

3. Start the Services administrative tool in the Administrative Tools folder of the Control Panel.

4. In the right pane, click Distributed Transaction Coordinator.

5. On the Action menu, click Restart.
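Whether the DCOM identities were changed with smconfiguredcom or by hand in DCOM Config, the result lands in the registry: each DCOM application's identity is the RunAs value under its HKLM\SOFTWARE\Classes\AppID\{appid} key, which is what the Identity tab edits. The following added example, not part of the KB article, lists every application that has an explicit identity, flags any still configured to run as the account being retired (so that a stale reference is found before the service is restarted), and restarts the Distributed Transaction Coordinator as the last step of the 5.0 procedure does. It assumes Windows PowerShell 3.0 or later and an elevated session on the central computer; 'DOMAIN\oldsvc' is a placeholder for the old account.

```powershell
# Added example, not part of the NetIQ KB article: audit the identity configured
# for each DCOM application (the RunAs value under HKLM\SOFTWARE\Classes\AppID\{appid},
# which is what the Identity tab in DCOM Config edits) so that no application is
# left running as the old account, then restart MSDTC as the procedure does.
# Assumptions: Windows PowerShell 3.0 or later, run elevated on the central computer;
# 'DOMAIN\oldsvc' below is a placeholder for the account being retired.

function Get-DcomRunAsIdentity {
    # Only AppID keys that carry a RunAs value have an explicit identity; the
    # rest run as the launching or interactive user.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.PSObject.Properties['RunAs']) {
            [pscustomobject]@{
                AppId = $_.PSChildName
                Name  = $props.'(default)'   # display name, e.g. AgentManager or OMWMIProvider
                RunAs = $props.RunAs
            }
        }
    }
}

function Find-StaleDcomIdentity {
    param([Parameter(Mandatory = $true)][string]$OldAccount)
    # Case-insensitive comparison, since Windows account names are.
    Get-DcomRunAsIdentity | Where-Object { $_.RunAs -ieq $OldAccount }
}

# Usage: run after smconfiguredcom (5.1 and later) or after editing AgentManager
# and OMWMIProvider in DCOM Config (5.0), before restarting the Security Manager service.
$stale = @(Find-StaleDcomIdentity -OldAccount 'DOMAIN\oldsvc')
if ($stale.Count -gt 0) {
    Write-Warning "DCOM applications still configured to run as the old account:"
    $stale | Format-Table -AutoSize
} else {
    # Final step of the 5.0 procedure: restart the Distributed Transaction Coordinator.
    Restart-Service -Name MSDTC
}
```

A RunAs value that still names the old account is the usual reason an application keeps failing with logon errors after the password change, so the audit is worth running on every central computer before the old password is retired or the old account disabled.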

Creating a Database Login

To create a new login for Security Manager 5.0 or 5.1:

If you created a new service account, follow these steps to update the database server and each log database computer. The database server hosts the OnePoint database. The log database computers host the log databases that Log Manager creates daily.

1. Log on to a computer with Microsoft SQL Server Enterprise Manager installed.

2. Start Enterprise Manager in the Microsoft SQL Server program folder.

3. If the database server is not listed, connect to the database server by completing the following steps:

1. In the left pane, expand Microsoft SQL Servers > SQL Server Group.

2. On the Action menu, click New SQL Server Registration.

3. Follow the instructions in the wizard to add the database server.

4. In the left pane, expand the Microsoft SQL Servers folder and any subfolders until you click the database server.

5. Expand the Security folder, and then click Logins.

6. On the Action menu, click New Login.

7. On the General tab in the Name field, type the name of the account using the Domain\Account format.

8. On the Server Roles tab in the Server Roles list, select System Administrators.

9. Click OK.

10. Repeat Steps 3-9 for each log database computer.

To create a new login for Security Manager 5.5 or 5.6:

If you created a new service account, follow these steps to update the database server and each log database computer with the proper permissions.

1. Log on to a central computer with an account that is a member of the local Administrators group and a member of the Microsoft SQL Server sysadmin role on the database server.

2. Start Access Configuration in the NetIQ Security Manager program folder.

3. Under Security Manager Roles, select the OnePointOp System group.

4. Select the service account, and then click Repair.

5. Click OK.

6. Log on to a Monitor Console computer with an account that is a member of the OnePointOp ConfgAdms group and the Microsoft SQL Server sysadmin role on the log database computer.

7. In the left pane, click Security Manager Monitor Console.

8. In the right pane, click Launch Configuration Wizard.

9. Click Log Manager.

10. Click Configure Log Manager for Windows.

11. Click Configure Log Databases.

12. Select a log database computer, and then click Specify Database.

13. Click Yes.

14. Click OK. You do not need to modify anything on this window.

15. Repeat Steps 12 through 14 for each remaining log database computer.

16. Click Finish.

17. Click Close.

To create a new login for Security Manager 6.0:

If you created a new service account, follow these steps to update the database server computer with the proper permissions.

1. Log on to a central computer with an account that is a member of the local Administrators group and a member of the Microsoft SQL Server sysadmin role on the database server.

2. Start Access Configuration in the NetIQ Security Manager program folder.

3. Under Security Manager Roles, select the OnePointOp System group.

4. Select the service account, and then click Repair.

If you changed the service account or the password, follow these steps to update the reporting server (Security Manager 6.0):

1. Start SQL Server Management Studio and connect to the Database Engine.

2. Expand Security > Credentials, right-click the credential for the service account, and then click Properties.

3. Update the account, and then click OK.
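The Enterprise Manager steps for 5.0 and 5.1 (a Windows login in the System Administrators role on the database server and each log database computer) and the Management Studio step for the 6.0 reporting server (updating a stored credential) are both plain T-SQL underneath. The script below is an added example, not part of the KB article, that performs both with System.Data.SqlClient. It assumes the caller's Windows account is a SQL Server sysadmin on the target instance, SQL Server 2005 or later (CREATE LOGIN, ALTER CREDENTIAL and sys.server_principals; on SQL Server 2000 the login is created with sp_grantlogin instead), and that the stored credential on the reporting server is named after the service account unless -CredentialName is given. Invoke-SmSql is a hypothetical helper; 'DBSERVER', 'REPORTSERVER' and 'DOMAIN\smservice' are placeholders.

```powershell
# Added example, not part of the NetIQ KB article: create the Windows login and
# grant the sysadmin role (the Enterprise Manager steps) and update the stored
# credential on the 6.0 reporting server, all with T-SQL over System.Data.SqlClient.
# Assumptions: run as a Windows account that is a SQL Server sysadmin on the target
# instance; SQL Server 2005 or later; the reporting server credential is named after
# the service account unless -CredentialName is given. Invoke-SmSql is a hypothetical
# helper; 'DBSERVER', 'REPORTSERVER' and 'DOMAIN\smservice' are placeholders.

function Invoke-SmSql {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Sql,
        [hashtable]$Parameters = @{}
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Dispose()
    }
}

function New-SmServiceLogin {
    # Creates the Domain\Account Windows login if it is missing and adds it to sysadmin.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Account
    )
    if ($Account -notmatch '^[^\\@\[\]]+\\[^\\@\[\]]+$') { throw "Use the Domain\Account format." }
    # CREATE LOGIN does not accept a parameter for the name, so the validated name
    # is bracket-quoted; everything else is passed as a parameter.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
    CREATE LOGIN [$Account] FROM WINDOWS;
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', @acct), 0) <> 1
    EXEC sp_addsrvrolemember @loginame = @acct, @rolename = 'sysadmin';
"@
    Invoke-SmSql -Server $Server -Sql $sql -Parameters @{ '@acct' = $Account }
}

function Update-SmReportingCredential {
    # Equivalent of Security > Credentials > Properties on the 6.0 reporting server.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [string]$CredentialName = $Credential.UserName
    )
    # ALTER CREDENTIAL takes literals only, so the statement is assembled server-side
    # with QUOTENAME (which escapes brackets and quotes) and run through sp_executesql.
    $sql = @"
DECLARE @stmt nvarchar(max);
SET @stmt = N'ALTER CREDENTIAL ' + QUOTENAME(@cred)
          + N' WITH IDENTITY = ' + QUOTENAME(@identity, '''')
          + N', SECRET = ' + QUOTENAME(@secret, '''') + N';';
EXEC sp_executesql @stmt;
"@
    Invoke-SmSql -Server $Server -Sql $sql -Parameters @{
        '@cred'     = $CredentialName
        '@identity' = $Credential.UserName
        '@secret'   = $Credential.GetNetworkCredential().Password
    }
}

# Usage:
# New-SmServiceLogin -Server 'DBSERVER' -Account 'DOMAIN\smservice'   # repeat for each log database computer
# Update-SmReportingCredential -Server 'REPORTSERVER' -Credential (Get-Credential -UserName 'DOMAIN\smservice' -Message 'Service account')
```

Both functions are idempotent, so re-running them on a server that already has the login or the credential is safe; the password never appears in the T-SQL text, only as a command parameter, which keeps it out of SQL Server's query text in traces and plan caches.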


Additional Information

Formerly known as NETIQKB42271