Within SCOM 2012 RunAs accounts and profiles are used to control the credentials that are used to perform different monitoring of different applications or different environments.  The number of RunAs Accounts can grow very quickly, and be used with many different RunAs profile, which can start to get difficult to administer and troubleshoot should an issue occur.

A good example of issues that can occur was documented by Marnix here, http://thoughtsonopsmgr.blogspot.co.uk/2013/05/getting-rid-of-nagging-eventids-7000.html, and as usual it is a very good post on the cause and resolution of the issue.  In his case, he had an issue where a RunAs account had it’s Distribution configured to “Less secure”, which meant the credentials within the RunAs account tried to authenticate on every monitored computer, and causing subsequently causing errors when it failed to authenticate.  The fix is to change the Distribution of the RunAs account to “More secure” and only distribute the credentials to the computers that require it.

It sounds easy… just change the Distribution settings of the RunAs account causing the issue, right???  No, not normally.  In many SCOM environments there are many RunAs accounts, and usually the naming convention of the RunAs account will not include the username of the account that (in this example) is failing to log on.  This means that you have to go through each RunAs account to find the username that is causing you an issue, and then change the Distribution to more secure, but to do this you need to know what computers the credentials do need to be distributed to.  To find this out, you need to know which RunAs profiles the RunAs account is linked to, which could mean even more manual work with going through every single RunAs profile.

This all sounds a bit time consuming, but there is a little, almost hidden, feature in SCOM to help you a little bit.  When opening the properties of a RunAs account and selecting the Distribution tab, there is a line of text near the bottom of the window that asks “Where is this credential used?”.




The little line of blue text suggests that if you click it, it would take you to a web page telling you about RunAs accounts, as that’s what happens in many other places, however if you do click this you have a list of RunAs profiles listed that the RunAs account is linked to!!




Although just a little tip, it can be massively time consuming in trying to understand where a RunAs account needs to be distributed to.