1 minute read

Last week I deployed my scom agents on my domain controllers. The installation was succesful and of course I checked the agent proxing checkbox in the administration console.


After 30 minutes I checked the status of my agent and it was grayed out!! So I looked at the event log of my dc and saw this error


Event Type: Error

Event Source: HealthService

Event Category: Health Service

Event ID: 7017

Date: 4/07/2008

Time: 11:49:36

User: N/A



The health service blocked access to the windows credential NT AUTHORITYSYSTEM because it is not authorized on management group dgz. You can run the HSLockdown tool to change which credentials are authorized.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


On computers requiring high security, for example a domain controller, you may need to deny certain identities access to rules, tasks, and monitors that might jeopardize the security of your server

So, you have to run the HSlockdown tool to change the credentials that are authorized:


When you run HSLockdown [ManagementGroupName] /L – List Accounts/groups you can see that the system account is denied! Thats why my agents are greyed out!


Next run HSLockdown [ManagementGroupName] /R “NT AUTHORITYSYSTEM”

Restart your healthservice and you’re done!!


Alexandre Verkinderen


Leave a comment