When installing Microsoft System Center Service Manager, there are a lot of things to consider to make sure the install goes well and will be easy to modify in the weeks, months and years to come. 

In order to maintain a secure, stable and maintainable SCSM environment, it’s important that all required user accounts are set up with individual service accounts, long secure passwords, and only the necessary rights to get the job done.

Below is a checklist worksheet of the accounts and groups that would be needed for a typical installation of both SCSM and Cireson products. Each person installing SCSM and/or Cireson products may have a different setup, different apps and a different number of environments, but this checklist should cover all the items needed (just remove the ones that are not relevant to your environment).

The environment column is for recording what environment the account is for. It is best practice to have a different service account for the same function across dev, test and production environments to ensure that changing the password in one does not impact the other environments. 

 

Generic Name | New Account Name | Environment | Account Permissions & Use
SCSM Service Account | | Prod Test Dev | Service Account (also used to install SM)

  • Place in SCSM_Admins group 

  • Read rights to SCCM database if not using connector accounts (see below) 

  • Read rights to AD if not using connector accounts (see below) 

  • Add as Remote Desktop User for all servers 

  • Needs log on local rights to servers 

Workflow Account | | Prod Test Dev | Workflow Account with email address

  • Place in SCSM_Admins group 

  • Verify time zone associated with this user 

  • Needs log on local rights to servers 

SQL Reporting Account | | Prod Test Dev | Reporting Account (SSRS)

  • Will be entered during SQL and SM Install 

Analysis Reporting Account | | Prod Test Dev | Analysis Account (SSAS)

  • Will be entered during SQL and SM Install 

SQL Service Account | | Prod Test Dev | SQL Service Account, only if SQL does not already exist. Otherwise, you can use current SQL service account.

  • Place in scsm_Admins group 

  • Used during SQL install 

  • Needs log on local rights to servers 

Exchange Connector Account | | Prod Test Dev | Service account used to communicate with MS Exchange to read and send e-mails.

  • Create an email account (mailbox) in Exchange for this account. Just use the default email address  

  • Place in scsm_Admins group 

  • Verify time zone associated with this user 

  • Create Exchange Rule that does not allow Auto Replies to go to this email account 

  • Give SCSM administrators ownership rights over this email account, and have them add the mailbox to their Outlook locally (give rights to regular user accounts, not admin accounts)

  • Ensure it has a (spam) account for whatever system filters incoming emails 

  • Needs log on local rights to servers 

AD Connector Account | | Prod Test Dev | AD Connector Account

  • Needs read rights to Active Directory 

SCCM Connector Account | | Prod Test Dev | SCCM Connector Account

  • Needs read rights to SCCM SQL database server and database 

SCORCH Connector Account | | Prod Test Dev | SCOrch Connector Account

  • Needs read rights to SCOrch 

SCOM Connector Account | | Prod Test Dev | SCOM Connector Account

  • Needs Advanced Operator rights in SCOM 

SCORCH Service Account | | Prod Test Dev | SCOrch service account

  • No special rights required. 

AppPool Account | | Prod Test Dev | Cireson Portal App Pool account

  • Needs to be a local administrator on Portal server 

  • Needs to be a member of the Service Manager Administrator role 

  • Needs to be a SysAdmin on the following databases:

      • ServiceManager

      • ServiceManagement

      • Analytics


(Note: Default database names may be different in specific environments) 
Cache Builder Account | | Prod Test Dev | Cireson CacheBuilder account is responsible for keeping the SCSM and Cireson databases in sync.

  • Needs to be a local administrator on Portal server. 

  • Needs to be a member of the Service Manager Administrator role. 

  • Needs to be a dbo on the following databases: 

      • ServiceManager.

      • ServiceManagement.

      • Analytics.


(Note: Default database names may be different in specific environments) 
Portal Installer Account **This is the admin user doing the install** | | Prod Test Dev | The admin account that will run the portal install on the SCSM Server.

  • Needs to be a local administrator on the Portal Server. 

  • Needs to be a member of the Service Manager Administrator role. 

  • Needs to be Sysadmin on the SQL Instance that the portal will be installed into.

 

* Ensure GPO is not going to pull users or groups off computers 
* Ensure the service accounts are not in OUs or Groups that will restrict “Logon as a service” 
* Ensure the service accounts are not in OUs or Groups that will restrict “Batch logon” 
* Ensure the passwords will not be changed 
* Ensure the passwords do not contain $ or   
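
Once the worksheet is filled in, its rules can be checked mechanically before the install. The PowerShell below is an added example, not part of the original checklist or of any Cireson tooling; the `Test-ScsmWorksheet` function, the row layout and the account names are hypothetical, and reading "passwords will not be changed" as a non-expiring password is an assumption.

```powershell
# Added example: account names are constructed placeholders, not from the checklist.
# Roles the checklist says to place in the SCSM_Admins group.
$NeedsAdminsGroup = 'SCSM Service Account', 'Workflow Account',
                    'SQL Service Account', 'Exchange Connector Account'

function Test-ScsmWorksheet {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $findings = New-Object System.Collections.Generic.List[string]

    # Each function needs its own account in each environment, so any
    # account name that appears on more than one row is a finding.
    $Rows | Group-Object -Property Account | Where-Object Count -gt 1 | ForEach-Object {
        $uses = ($_.Group | ForEach-Object { "$($_.Role)/$($_.Environment)" }) -join ', '
        $findings.Add("Account '$($_.Name)' is shared by: $uses")
    }

    foreach ($row in $Rows) {
        $id = "$($row.Role) [$($row.Environment)] '$($row.Account)'"
        # Group placement required by the worksheet for this role.
        if ($NeedsAdminsGroup -contains $row.Role -and $row.Groups -notcontains 'SCSM_Admins') {
            $findings.Add("$id is not in SCSM_Admins")
        }
        # Assumption: an expiring password breaks "passwords will not be changed".
        if (-not $row.PasswordNeverExpires) {
            $findings.Add("$id has a password that can expire")
        }
    }
    return $findings
}

# Constructed sample rows. In a live domain the Groups and PasswordNeverExpires
# values could be filled from Get-ADUser -Properties MemberOf, PasswordNeverExpires
# (MemberOf returns distinguished names, so map them to group names first).
$rows = @(
    [pscustomobject]@{ Role = 'SCSM Service Account'; Environment = 'Prod'
        Account = 'svc-scsm-prod'; Groups = @('SCSM_Admins'); PasswordNeverExpires = $true }
    [pscustomobject]@{ Role = 'SCSM Service Account'; Environment = 'Test'
        Account = 'svc-scsm-prod'; Groups = @('SCSM_Admins'); PasswordNeverExpires = $true }
    [pscustomobject]@{ Role = 'Workflow Account'; Environment = 'Prod'
        Account = 'svc-scsmwf-prod'; Groups = @(); PasswordNeverExpires = $true }
    [pscustomobject]@{ Role = 'AD Connector Account'; Environment = 'Prod'
        Account = 'svc-scsmad-prod'; Groups = @(); PasswordNeverExpires = $false }
)
Test-ScsmWorksheet -Rows $rows
```

The sample rows produce three findings: the Prod account reused in Test, the Workflow Account missing from SCSM_Admins, and the AD Connector Account with an expiring password.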

There are also several user groups that are required for each of the items below: 

 

Generic Name | Group Name | Group Details | Group Permissions & Use
All SCSM Administrators | | Group that is used to contain all administrators of SCSM. This can include service and user accounts as well as computer accounts if needed.

  • Place in administrators' group on all servers 

  • This group of users must be in the same domain as Service Manager. Users from any other domain—even child domains—are not supported. 

All SCSM Analysts | | Group that is used to contain all users that are going to be editing Work Items.

  • Used for SM Security Roles and Cireson Apps 

All SCSM Report Users | | Group that is used to contain all users that require access to view SCSM Reports within the SCSM Console and SSRS.

  • Used to control access to SSRS reports within SM 

All Analysts for each support group | scsm_SupportGroupName | Each support group requires a separate group to contain users to assign to each group within the SCSM system.

  • Will discuss names during the planning phase, after initial server installs 

  • Will hide all from Global Address List (GAL) 

 

* Can use company naming convention for prefix, e.g. scsm_, scsm., scsm-