When installing Microsoft System Center Service Manager, there are a lot of things to consider to make sure the install goes well and will be easy to modify in the weeks, months and years to come.
In order to maintain a secure, stable and maintainable SCSM environment, it’s important that all required user accounts are set up with individual service accounts, long secure passwords, and only the necessary rights to get the job done.
Below is a checklist worksheet of the accounts and groups needed for a typical installation of both SCSM and Cireson products. Each person installing SCSM and/or Cireson products may have a different setup, different apps and a different number of environments, but this checklist should cover all the items needed (just remove the ones that are not relevant to your environment).
The environment column is for recording what environment the account is for. It is best practice to have a different service account for the same function across dev, test and production environments to ensure that changing the password in one does not impact the other environments.
Generic Name | New Account Name | Environment | Account Permissions & Use |
---|---|---|---|
SCSM Service Account | | Prod Test Dev | Service Account (also used to install SM) |
Workflow Account | | Prod Test Dev | Workflow Account with email address |
SQL Reporting Account | | Prod Test Dev | Reporting Account (SSRS) |
Analysis Reporting Account | | Prod Test Dev | Analysis Account (SSAS) |
SQL Service Account | | Prod Test Dev | SQL Service Account, only if SQL does not already exist. Otherwise, you can use current SQL service account. |
Exchange Connector Account | | Prod Test Dev | Service account used to communicate with MS Exchange to read and send e-mails. |
AD Connector Account | | Prod Test Dev | AD Connector Account |
SCCM Connector Account | | Prod Test Dev | SCCM Connector Account |
SCORCH Connector Account | | Prod Test Dev | SCOrch Connector Account |
SCOM Connector Account | | Prod Test Dev | SCOM Connector Account |
SCORCH Service Account | | Prod Test Dev | SCOrch service account |
AppPool Account | | Prod Test Dev | Cireson Portal App Pool account (Note: Default database names may be different in specific environments) |
Cache Builder Account | | Prod Test Dev | Cireson CacheBuilder account is responsible for keeping the SCSM and Cireson databases in sync. (Note: Default database names may be different in specific environments) |
Portal Installer Account | **This is the admin user doing the install** | Prod Test Dev | The admin account that will run the portal install on the SCSM Server. |

* Ensure GPO is not going to pull users or groups off computers
* Ensure the service accounts are not in OUs or Groups that will restrict “Logon as a service”
* Ensure the service accounts are not in OUs or Groups that will restrict “Batch logon”
* Ensure the passwords will not be changed
* Ensure the passwords do not contain $ or ‘
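
Two of the rules above can be checked before the install: one account per worksheet row, and no $ or single quote in a password. The following is an added PowerShell example, not part of the original checklist or of any Cireson or Microsoft tooling; the CSV column names, the sample account names and the 20-character minimum are assumptions (the page only asks for "long" passwords).

```powershell
# Added example. Column names, account names and the length threshold are
# assumptions; the worksheet rows and the password below are constructed.

function Test-AccountWorksheet {
    param([Parameter(Mandatory)] [object[]] $Rows)

    # An account name that appears on more than one row is shared between
    # functions or environments, so one password change affects several rows.
    $Rows | Group-Object -Property AccountName | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $where = ($_.Group | ForEach-Object { "$($_.GenericName)/$($_.Environment)" }) -join ', '
            [pscustomobject]@{ Account = $_.Name; Issue = "Shared by $where" }
        }
}

function Test-AccountPassword {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MinLength = 20   # assumed threshold; the page only says "long"
    )
    # Works on Windows PowerShell 5.1 and PowerShell 7.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $issues = @()
    if ($plain.Length -lt $MinLength) { $issues += "Shorter than $MinLength characters" }
    # The checklist rules out $ and the single quote (matched here straight or curly).
    if ($plain -match '[$''\u2018\u2019]') { $issues += "Contains `$ or a single quote" }
    $issues
}

# Constructed worksheet: the Test and Dev rows reuse one workflow account.
$worksheet = @'
GenericName,AccountName,Environment
Workflow Account,svc-scsm-wf-prod,Prod
Workflow Account,svc-scsm-wf-test,Test
Workflow Account,svc-scsm-wf-test,Dev
AD Connector Account,svc-scsm-ad-prod,Prod
'@ | ConvertFrom-Csv

Test-AccountWorksheet -Rows $worksheet | Format-Table -AutoSize

# Constructed password containing one of the excluded characters.
$candidate = ConvertTo-SecureString 'Constructed-Sample$Passphrase-01' -AsPlainText -Force
Test-AccountPassword -Password $candidate
```
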
There are also several user groups that are required for each of the items below:
Generic Name | Group Name | Group Details | Group Permissions & Use |
---|---|---|---|
All SCSM Administrators | | Group that is used to contain all administrators of SCSM. This can include service and user accounts as well as computer accounts if needed. | |
All SCSM Analysts | | Group that is used to contain all users that are going to be editing Work Items. | |
All SCSM Report Users | | Group that is used to contain all users that require access to view SCSM Reports within the SCSM Console and SSRS. | |
All Analysts for each support group | scsm_SupportGroupName* | Each support group requires a separate group to contain users to assign to each group within the SCSM system. | |

\* You can use your company naming convention for the prefix, e.g. scsm_, scsm. or scsm-