First published on TECHNET on Apr 07, 2006
I hear reports quite often of people having trouble with MOM agents that get stopped or disabled by unwitting or mischievous server administrators. The MOM administrators then have to respond to missing heartbeat alerts and start the MOM service again, either with the Update Agent Settings task or, worse, by logging into the box and starting the service manually.
You can put an end to all that using Group Policy! Buy your AD administrator buddy lunch one day and ask him if he will create a simple Group Policy Object for you that locks the MOM service down to a specific set of people, which doesn't necessarily have to include the local admins on the box. :)
Here is how you do it:
1) Log into a domain controller that has the MOM agent installed on it.
2) Run mmc from the Run prompt.
3) Open the Add/Remove Snap-in dialog (File --> Add/Remove Snap-in)
4) In the Add/Remove Snap-in dialog click Add... and choose 'Group Policy Object Editor' and click Add.
5) In the Select Group Policy Object dialog, click Browse... and select the OU, Site, or Domain that you want to target the policy at.
6) Either select an existing Group Policy Object that you want to modify or create a new one specifically for this by clicking on the New button.
7) Click OK. Click Finish. Click Close. Click OK.
8) Expand the tree as follows: Computer Configuration --> Windows Settings --> Security Settings --> System Services
9) In the list of services in the results pane, right click on the MOM service and choose Properties.
10) In the properties dialog, check the 'Define this policy setting' checkbox.
11) Select Automatic startup mode.
12) Click Edit Security...
13) In the Security for MOM Service dialog lock down the access to the service however you like. You can even remove the local admins group. You can go so far as to not even allow them to see it! Make sure you set it up so that you still have access to see and manage the service in case you need to.
14) Click OK. Click OK.
15) Wait for the next group policy update on the computers in the target scope that you created. If you want to force it immediately on a computer to test it out you can run gpupdate /force at a command prompt.
16) Repeat if necessary for other sites, domains, OUs.
17) Stand up, flex your muscles, and say 'How do you like me now?!'
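Once the policy has applied, the thing worth checking on a managed box is the service's actual security descriptor, because that is what the GPO writes. sc sdshow <servicename> prints it in SDDL form (the MOM 2005 agent's service name is assumed here to be MOM; confirm it with sc query). The Python script below is an added example, not code from the original post or from the MOM product: it decodes a service SDDL string, applies deny ACEs over allow ACEs, and reports which principals can still start, stop, reconfigure or re-ACL the service. The two SDDL strings and the domain-group SID inside it are constructed placeholders standing in for real sc sdshow output.

```python
"""Decode a Windows service SDDL string and report who can control the service.

Added illustration for the MOM service lockdown procedure; not code from the
original post. On a real box the SDDL comes from `sc sdshow <servicename>`
(service name assumed to be MOM for the MOM 2005 agent). The strings below
are constructed samples, not captured from any system.
"""
import re

# Service-specific access rights as SDDL two-letter codes, with the bit each
# code stands for when a service is the securable object.
SERVICE_RIGHTS = {
    "CC": (0x00001, "QUERY_CONFIG"),
    "DC": (0x00002, "CHANGE_CONFIG"),
    "LC": (0x00004, "QUERY_STATUS"),
    "SW": (0x00008, "ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "START"),
    "WP": (0x00020, "STOP"),
    "DT": (0x00040, "PAUSE_CONTINUE"),
    "LO": (0x00080, "INTERROGATE"),
    "CR": (0x00100, "USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# Well-known SID aliases that commonly appear in service SDDL.
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}

# Rights that let a principal change whether the service runs or who controls it.
CONTROL_RIGHTS = {"START", "STOP", "CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# The DACL is the "D:" section: optional flag letters followed by ACEs in parentheses.
DACL_RE = re.compile(r"D:\w*((?:\([^)]*\))*)")


def decode_rights(rights):
    """Turn an ACE rights field ('CCLCSWRP...' or a hex mask like '0x30') into right names."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in SERVICE_RIGHTS.values() if mask & bit}
    names = set()
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        # Codes not in the service table (e.g. generic GA/GR) are kept as-is so they stay visible.
        names.add(SERVICE_RIGHTS.get(code, (0, code))[1])
    return names


def parse_dacl(sddl):
    """Return the DACL's ACEs as (ace_type, sid, rights) tuples, in DACL order; SACL is ignored."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    return [(ace_type, sid, decode_rights(rights))
            for ace_type, _, rights, _, _, sid in ACE_RE.findall(match.group(1))]


def effective_rights(sddl):
    """Per-SID rights with deny ACEs subtracted from allow ACEs.

    This is ACE-level only: group membership is not expanded, so a user who is
    both a local admin and a member of a separately listed group really gets
    the union of both entries.
    """
    allowed, denied = {}, {}
    for ace_type, sid, rights in parse_dacl(sddl):
        if ace_type == "A":
            allowed.setdefault(sid, set()).update(rights)
        elif ace_type == "D":
            denied.setdefault(sid, set()).update(rights)
    return {sid: rights - denied.get(sid, set()) for sid, rights in allowed.items()}


def can_control(sddl, sid):
    """True if `sid` (alias or S-1-... string) can start, stop, reconfigure, delete or re-ACL the service."""
    return bool(effective_rights(sddl).get(sid, set()) & CONTROL_RIGHTS)


def report(sddl):
    """One line per principal: who it is, whether it can control the service, and its rights."""
    lines = []
    for sid, rights in effective_rights(sddl).items():
        who = WELL_KNOWN_SIDS.get(sid, sid)
        verdict = "CAN control" if rights & CONTROL_RIGHTS else "view only"
        lines.append(f"{who:48} {verdict:12} {', '.join(sorted(rights))}")
    return lines


# Constructed SDDL resembling a service's out-of-the-box DACL: local admins hold full control.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)"
                "(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed SDDL for the locked-down result: a hypothetical domain group (placeholder SID)
# holds full control, SYSTEM keeps its default rights, and local admins can only query the service.
MOM_ADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder, not a real SID
LOCKED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{MOM_ADMINS_SID})"
               "(A;;CCLCSWLOCRRC;;;BA)")

if __name__ == "__main__":
    for label, sddl in (("before lockdown", DEFAULT_SDDL), ("after lockdown", LOCKED_SDDL)):
        print(f"== {label} ==")
        print("\n".join(report(sddl)))
```

Paste the real sc sdshow output in place of the constructed strings to check a managed box after gpupdate /force. The verdict column is a quick way to confirm that the group you kept for yourself still shows CAN control while BUILTIN\Administrators drops to view only (or disappears entirely if you removed it from the ACL).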