PowerShell and BUILTIN\Admin question…

Forum: Operations Manager
Viewing 15 posts - 1 through 15 (of 15 total)
    #91863
    Bryan Heath
    Participant

    I have some server admins that want to run PowerShell scripts for MM. They want to build this into scripts taking servers out of the F5 and so on. It would seem that this requires Operations Manager Admin rights.

    Ops Admins are also allowed to run "all tasks". My boss wants me to ensure that tasks against AD and SQL servers etc. cannot be impacted by SCOM admins outside of their realm (Platform/App).

    I think I have been able to shut down databases and so on with tasks as a SCOM admin role that is not a DBA. I also noticed that BUILTIN\Admin is in SCOM by default. Is that the built-in admin on the RMS? Should this be removed, or does it have no impact on tasks?

    I hope this makes sense.

    Thanks,
    Bryan

    #91865
    Andreas Zuckerhut
    Participant

    You don’t need SCOM Admin rights to run tasks. You can scope each server role you create to a group of servers, and you can handpick which tasks are available to that role.

    #91866
    Bryan Heath
    Participant

    Does that include PowerShell scripting to put servers in MM from the SCOM PS command prompt? Get-Agent and so on?

    #91867
    Bryan Heath
    Participant

    The team wants a shared account that can run against the RMS and put servers in MM via script. My concern is with giving this shared login "all tasks" as a SCOM admin. Maybe I misunderstood that you need to be an admin to run scripts against the RMS. I have custom groups that I restrict tasks for various team members with already. If PowerShell is granted to that group, can they impact things outside their scope, shut down a database, etc.?

    #91871
    Andreas Zuckerhut
    Participant

    The SDK Service, which provides the connection to both the console and the shell, doesn't differentiate between them. If you can connect using the console, you can connect using the shell.

    In theory, when a user is scoped to a group of servers, he should only get the agents belonging to that group when he runs the get-agent command.

    As for Maintenance Mode – if he has permission to do so in the console, he has permissions to do so in the shell.

    What I forgot to mention is: You can only limit Agent Tasks (which run remotely), not Console Tasks (which run locally). So one might be able to launch a Console Task but is then denied because his user account doesn’t have permissions.

    #91876
    Bryan Heath
    Participant

    Thanks Andreas I will verify your suggestions :)

    One last thing. Did you remove the BUILTIN\Admin from the OPSMAN Admin group in the console? I am wondering if it is possible that someone could be elevated to SCOM admin if they are a local admin on the server. Perhaps I need further clarity on the purpose of this beyond the initial install.

    #91877
    Bryan Heath
    Participant

    Hmmmm, I get the following as a user in a custom group, despite being able to connect to the UI and put servers in MM.

    Get-Agent : Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringEx
    tion: The user does not have sufficient permission to perform the o
    ation.
       at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLaye
    andleIndigoExceptions(Exception ex)
       at Microsoft.EnterpriseManagement.DataAbstractionLayer.AdministrationOperatio
    GetAgentManagedDevices(IList1 ids, String criteriaXml, String languageCode)
       at Microsoft.EnterpriseManagement.Administration.ManagementGroupAdministratio
    etAgentManagedComputers(IList1 computerIds)
       at Microsoft.EnterpriseManagement.Administration.ManagementGroupAdministratio
    etAllAgentManagedComputers()
       at Microsoft.EnterpriseManagement.OperationsManager.ClientShell.GetAgentManag
    omputerCmdlet.ProcessRecord()
    At line:1 char:10
    + get-agent <<<<
       + CategoryInfo : InvalidOperation: (Microsoft.Enter…dComputerCmdl
    :GetAgentManagedComputerCmdlet) [Get-Agent], UnauthorizedAccessMonitoringExce
    tion
       + FullyQualifiedErrorId : ExecutionError,Microsoft.EnterpriseManagement.Oper
    ionsManager.ClientShell.GetAgentManagedComputerCmdlet

    #91878
    Andreas Zuckerhut
    Participant

    I don't want to burn my fingers on that one… If I remember correctly, during setup you have to provide a group that is local administrator on the RMS, which can of course be the local admin group itself. In my case it's a domain group. I'd go check TechNet, though, on what to take care of in case you change the group there.

    #91879
    Andreas Zuckerhut
    Participant

    It could be that the Get-Agent command does something fancy. Verify the following:

    In the console, go to the Discovered Inventory view and change the class to Agent.

    In the shell, run this command: $Class = Get-MonitoringClass -Name "Microsoft.SystemCenter.Agent"; $Class | Get-MonitoringObject

    #91880
    Bryan Heath
    Participant

    When I opened up the shell, that command worked. So it looks like we may need to find PowerShell commands that do not require admin rights to achieve our goal of putting a server in MM. This is looking a little better now :)

    #91881
    Andreas Zuckerhut
    Participant

    That’s the thing with those cmdlets, but they can all be translated to “raw” SDK code – something I personally prefer as it’s faster in a lot of cases, especially with the Get-MonitoringObject command (which is terribly slow).

    If you need help translating some of the cmdlets that don’t work you can message me on Skype. I already translated a lot of them as I had to make my SDK scripts compatible with both versions of SCOM, 2007 and 2012 and I wanted to move away from the cmdlets.
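    As an added example (not code from this thread or from Andreas's own scripts), here is how the "put a server in MM without Get-Agent" approach discussed above can be written in the Operations Manager Shell, using the 2007 R2 cmdlet names from the thread (Get-MonitoringClass / Get-MonitoringObject, which the scoped user could run) plus the ScheduleMaintenanceMode method the SDK exposes on a MonitoringObject. The computer name, duration and comment are placeholders, and the script assumes the Windows Computer object's DisplayName is the server's FQDN.

```powershell
# Added example: enter maintenance mode from the Operations Manager Shell
# without calling Get-Agent (denied to a scoped operator role in the thread).
# Server name, duration and comment are placeholders chosen for illustration.
function Start-ScopedMaintenanceMode {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ComputerName,                       # FQDN, e.g. web01.contoso.com (assumed)
        [int]    $Minutes = 60,
        [string] $Comment = "Pulled from F5 pool by deploy script"
    )

    # Resolve the computer through its class, the same path that worked for the
    # scoped user. Assumption: the Windows Computer object's DisplayName is the FQDN.
    $class    = Get-MonitoringClass -Name "Microsoft.Windows.Computer"
    $computer = Get-MonitoringObject -MonitoringClass $class |
                Where-Object { $_.DisplayName -eq $ComputerName }

    if ($computer -eq $null) {
        # Either the name is wrong or the object lies outside this role's group
        # scope: the SDK does not return objects the role is not authorized for.
        Write-Error "Computer '$ComputerName' is not visible to this user role."
        return $null
    }

    if ($computer.InMaintenanceMode) {
        Write-Warning "$ComputerName is already in maintenance mode."
        return $computer
    }

    # The SDK expects UTC timestamps for the maintenance window.
    $start  = (Get-Date).ToUniversalTime()
    $end    = $start.AddMinutes($Minutes)
    $reason = [Microsoft.EnterpriseManagement.Monitoring.MaintenanceModeReason]::PlannedOther
    $depth  = [Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive

    try {
        # Recursive also covers objects hosted by the computer (disks, services, roles).
        $computer.ScheduleMaintenanceMode($start, $end, $reason, $Comment, $depth)
        Write-Host "$ComputerName in maintenance mode until $($end.ToLocalTime())"
    }
    catch [Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException] {
        # The SDK enforces the same user-role check the console applies.
        Write-Error "User role is not permitted to set maintenance mode on $ComputerName."
    }
    return $computer
}

# Usage (placeholder name):
# Start-ScopedMaintenanceMode -ComputerName "web01.contoso.com" -Minutes 30
```

    Because the role scope is enforced by the SDK Service, this runs under an ordinary operator role that has the target group and the maintenance-mode permission, so the shared account the team wants does not need to be a SCOM admin with "all tasks". Enumerating every Windows Computer with Get-MonitoringObject is slow, as Andreas notes; a -Criteria filter or raw SDK query is the usual remedy.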

    #91901
    Bryan Heath
    Participant

    That sounds great. We don't use Skype at work. However, I can use it on my cell phone at Starbucks (depending upon when we would schedule this).

    #91912

    Hello,

    I want to execute commands (such as ipconfig /flushdns …) on my LAN computers with SCOM or SCCM.

    Is it possible?

    Thanks

    #91915
    Andreas Zuckerhut
    Participant

    Sure, that's actually a template. In the Operations Console, under Authoring\Tasks, create a new Task and select Agent Task\Command line.

    #111408
    Bryan Heath
    Participant

    Andreas as time permits we can use my lab to host demonstrations for topics like this on TeamViewer and we could record and publish the brain dumps. You could help us brown belts become black belts :)
