1. Does the account need to exist? If so, why?
If you only use automation principals to communicate with the server, you can use 'chapw -d' to remove the account; otherwise it must exist for the User Principal Mapping (Impersonation and privilege mapping - BMC Server Automation 8.9) due to how the Windows user impersonation works.
2. Should the password be managed under password management system?
Generally we don't recommend this because if the password gets changed incorrectly you will lock yourself out of your servers and need to either write some PowerShell or manually go fix them. 'chapw' has a '-r' (random) option to reset the password, or you can actually supply a password. chapw (and agentctl passwd if the rscd is down) is the only way to change the password. If you just change the password on the OS, the agent won't work. Some customers resolve the auditing issue by running chapw -r on a time interval and then running a compliance (or other) job that shows when the password was last changed. Depending on the password management system, maybe you can have that fire off a job in BSA that changes the password based on its own rules.
3. Is there any security impact with this account, even though it is not a member of any groups?
AFAIK, no. It's only used for the user impersonation through the rscd.
Thanks again Bill,
Just one last question:
Obviously the BladelogicRSCD account should exist but we have a few cases where it is in the Administrator group and on others it isn't.
Does it have to be in the Administrator group?
It should never be in the Administrators group.
If you have the rscd installed on a domain controller, I believe it will show up in Domain Users because a domain user has to be in a group. The local account on the server (member or standalone) should not be in any groups.
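
The two checks discussed in this thread (the local account should be in no groups, and its password age should be reportable) can be run on a member or standalone Windows server with the built-in LocalAccounts cmdlets. This is an added example, not part of the thread and not BMC code; the function name `Get-RscdAccountAudit` and the 30-day threshold are assumptions, and the account name is taken as written in the thread.

```powershell
# Added example, not from the thread. Run locally on a member or standalone server.
# Assumptions: account name 'BladelogicRSCD' as written in the thread; the
# 30-day password-age threshold is illustrative, not a BMC recommendation.
function Get-RscdAccountAudit {
    param(
        [string]$Name = 'BladelogicRSCD',
        [int]$MaxPasswordAgeDays = 30
    )
    $findings = @()
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Account = $Name; Exists = $false; Findings = @('account not found') }
    }

    # Walk every local group and record the ones that list the account.
    $memberOf = @()
    foreach ($group in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Name $group.Name -ErrorAction Stop
        } catch {
            # Groups with unresolvable members can fail to enumerate; report, don't skip silently.
            $findings += "could not enumerate group '$($group.Name)'"
            continue
        }
        if ($members | Where-Object { $_.SID.Value -eq $user.SID.Value }) {
            $memberOf += $group
        }
    }

    # S-1-5-32-544 is the built-in Administrators group regardless of OS language.
    if ($memberOf | Where-Object { $_.SID.Value -eq 'S-1-5-32-544' }) {
        $findings += 'account is in the Administrators group'
    }
    if ($memberOf.Count -gt 0) {
        $findings += "account is a member of: $($memberOf.Name -join ', ')"
    }

    # PasswordLastSet is the OS timestamp of the most recent password change.
    $ageDays = if ($user.PasswordLastSet) { [int]((Get-Date) - $user.PasswordLastSet).TotalDays } else { $null }
    if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
        $findings += "password age ($ageDays days) exceeds $MaxPasswordAgeDays days or is unknown"
    }

    [pscustomobject]@{
        Account = $Name; Exists = $true; Enabled = $user.Enabled
        Groups = $memberOf.Name; PasswordLastSet = $user.PasswordLastSet; Findings = $findings
    }
}

Get-RscdAccountAudit | Format-List
```

An empty `Findings` list means the account exists, belongs to no local groups, and had its password set within the threshold.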