
Blog


May 25

Playing with the Action Account Identity

I've been trying to get my lab set up and working for our security requirements.  We are going to implement a MOM environment where ideally no one will log on as admin unless they are doing something major.  This means a number of things have to be scripted / PowerShelled / SDK'd.
 
Because push installs are out (they need admin logon rights) the agent will be installed in the build.  I can then use PowerShell to approve it.  There are a load of PowerShell commands with MOM and I'm just getting used to a few of them.  For agent approval you can use Get-Agent, Get-AgentPendingAction and Approve-AgentPendingAction.  This is great: it means we can script this up, and while you would still have to get admin clearance to run the cmdlet, we can keep the agent in the build without weakening the security of MOM (i.e. we can leave the "pending agents must be approved" option on rather than allowing the "all and sundry can connect to MOM no problem" option).
 
So with that bit sorted out the next question is agent config, and currently this looks like it is going to be surprisingly difficult.  When you install an agent manually you specify some settings which are along the lines of "USE_MANUALLY_SPECIFIED_SETTINGS" or "USE_AD_SETTINGS" (they aren't the exact switches, but if you look in the product help they give you the detail).  The problem is that if you use AD settings, which you certainly should do as it makes your agents dynamic in terms of learning about new Management Servers and the like, the agent will pick up the default Action Account (the one you configure when you install the Management Server), and there doesn't seem at the moment to be a simple way of changing this.  We looked in PowerShell but the property is read-only (!):
 

>(Get-Agent | Where-Object { $_.ComputerName -eq 'BMCDFC' }).ActionAccountIdentity
SYSTEM

>(Get-Agent | Where-Object { $_.ComputerName -eq 'BMCDFC' }).ActionAccountIdentity = 'bmcdfc0\Bob'
"ActionAccountIdentity" is a ReadOnly property.

and there is no method we can find to change this.  However, a Microsoft guy answered on the newsgroups to say he did think this could be done with the SDK, so hopefully I will have something on that in the next few days.  The other option is to go manual, i.e. specify the action account as part of a fully manual install and not use the AD settings switch.  This works and is easy, but you then lose the AD integration component, and seeing as AD-integrated agents check each hour to see if anything has changed from a MG (management group) infrastructure perspective, this is a big hit.
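To tie the two halves together (approving build-installed agents without turning manual approval off, and then seeing which agents are still on the default Action Account), here is an added example script of my own, not something from the product or the newsgroup thread.  It assumes the Operations Manager command shell is loaded, that the caller has rights to approve agents, that the pending-action objects expose AgentName and AgentPendingActionType, and that the default Action Account shows up as SYSTEM as it did on BMCDFC above.  The host allow-list is made up.

```powershell
# Added example (not the product's own script). Approve pending manual agent
# installs only for hosts the build process is expected to produce, so the
# "pending agents must be approved" setting can stay on, then report which
# agents still run under the default Action Account.
# Assumptions: OpsMgr command shell loaded; caller may approve agents;
# AgentName / AgentPendingActionType property names as in the 2007 shell.

# Constructed allow-list of computers that came out of the build.
$ApprovedHosts = @('BMCDFC', 'BMCDFC2')

# Pending actions of type ManualApproval are agents installed in the build
# and waiting for an operator, as described in the post.
$pending = Get-AgentPendingAction |
    Where-Object { $_.AgentPendingActionType -eq 'ManualApproval' }

foreach ($action in $pending) {
    # AgentName is normally a FQDN; compare on the short host name.
    $shortName = $action.AgentName.Split('.')[0]
    if ($ApprovedHosts -contains $shortName) {
        Write-Host "Approving $($action.AgentName)"
        $action | Approve-AgentPendingAction
    } else {
        # Anything not on the list stays pending for a human to look at,
        # which is the whole point of leaving manual approval switched on.
        Write-Warning "Leaving $($action.AgentName) pending: not on the allow-list"
    }
}

# Audit: which agents are still running under the default Action Account?
# Assumption: the default identity is SYSTEM, as shown for BMCDFC in the post.
Get-Agent |
    Where-Object { $_.ActionAccountIdentity -eq 'SYSTEM' } |
    Select-Object ComputerName, ActionAccountIdentity
```

Run it after the build hosts have checked in; the final list is the set of agents that still need the Action Account changed once we find a supported way to do it.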

Hopefully we will find something out in the next day or so and I will post it.