System Center, Operations Manager 2012, SCOM & More › Forums › Operations Manager › Powershell and BULTIN\admin question…..
This topic contains 14 replies, has 3 voices, and was last updated by
Bryan Heath 2 months, 1 week ago.
February 22, 2012 at 8:39 am #91863
I have some server admins that want to run PowerShell scripts for MM. They want to build this into scripts taking servers out of the f5 and so on. It would seem that this requires Operations Manager Admins rights to do so.
OPS Admins are also allowed to run “all tasks”. My boss wants me to ensure that TASKS against AD and SQL servers ETC are not able to be impacted by SCOM admins outside of their realm (Platform/App).
I think I have been able to shutdown databases and so on with tasks as a SCOM admin role that is not a DBA. I also noticed that Builtin Admin is in SCOM by default. Is that built-in admin on the RMS? Should this be removed or does it have no impact on tasks?
I hope this makes sense.
Thanks,
Bryan
February 22, 2012 at 9:00 am #91865
You don’t need SCOM Admin rights to run tasks. You can scope each server role you create to a group of servers, and you can handpick which tasks are available to that role.
February 22, 2012 at 9:05 am #91866
Does that include PowerShell scripting to put servers in MM in the SCOM PS command prompt? Get-Agent and so on?
February 22, 2012 at 9:11 am #91867
The team wants a shared account that can run against the RMS and put servers in MM via script. My concern is with giving this shared login “all tasks” as a SCOM admin. Maybe I misunderstood that you need to be an admin to run scripts against the RMS. I have custom groups that I restrict tasks for various team members already. If PowerShell is granted to that group, can they impact things outside their scope, shut down a database, etc.?
February 22, 2012 at 9:29 am #91871
The SDK Service, which provides the connection to both console and shell, doesn’t differ between them. If you can connect using the console, you can connect using the shell.
In theory, when a user is scoped to a group of servers, he should only get the agents belonging to that group when he runs the get-agent command.
As for Maintenance Mode – if he has permission to do so in the console, he has permissions to do so in the shell.
What I forgot to mention is: You can only limit Agent Tasks (which run remotely), not Console Tasks (which run locally). So one might be able to launch a Console Task but is then denied because his user account doesn’t have permissions.
February 22, 2012 at 10:22 am #91876
Thanks Andreas, I will verify your suggestions.
One last thing. Did you remove the BUILTIN\Admin from the OPSMAN Admin group in the console? I am wondering if it is possible that someone could be elevated to SCOM admin if they are a local admin on the server. Perhaps I need further clarity for the purpose of this beyond the initial install.
February 22, 2012 at 10:43 am #91877
Hmmmm, I get the following as a user in a custom group despite being able to connect to the UI and put servers in MM.
Get-Agent : Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringEx
tion: The user does not have sufficient permission to perform the o
ation.
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLaye
andleIndigoExceptions(Exception ex)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.AdministrationOperatio
GetAgentManagedDevices(IList`1 ids, String criteriaXml, String languageCode)
at Microsoft.EnterpriseManagement.Administration.ManagementGroupAdministratio
etAgentManagedComputers(IList`1 computerIds)
at Microsoft.EnterpriseManagement.Administration.ManagementGroupAdministratio
etAllAgentManagedComputers()
at Microsoft.EnterpriseManagement.OperationsManager.ClientShell.GetAgentManag
omputerCmdlet.ProcessRecord()
At line:1 char:10
+ get-agent <<<<
+ CategoryInfo : InvalidOperation: (Microsoft.Enter…dComputerCmdl
:GetAgentManagedComputerCmdlet) [Get-Agent], UnauthorizedAccessMonitoringExce
tion
+ FullyQualifiedErrorId : ExecutionError,Microsoft.EnterpriseManagement.Oper
ionsManager.ClientShell.GetAgentManagedComputerCmdlet
February 22, 2012 at 11:00 am #91878
I don’t wanna burn my fingers on that one… If I remember correctly, during setup you have to provide a group that is local administrator on the RMS, which can of course be the local admin group itself. In my case it’s a domain group. I’d go check TechNet though on what to take care of in case you change the group there.
February 22, 2012 at 11:04 am #91879
It could be that the Get-Agent command does something fancy. Verify the following:
In the console, go to discovered inventory view and change the class to Agent
In the shell, run this command: $Class = Get-MonitoringClass -name “Microsoft.SystemCenter.Agent”; $Class | Get-MonitoringObject
February 22, 2012 at 12:11 pm #91880
When I opened up the shell that command worked. So it looks like we may need to find PowerShell commands that do not require admin rights to achieve our goal of putting a server in MM. This is looking a little better now.
February 22, 2012 at 12:22 pm #91881
That’s the thing with those cmdlets, but they can all be translated to “raw” SDK code, something I personally prefer as it’s faster in a lot of cases, especially with the Get-MonitoringObject command (which is terribly slow).
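The check Andreas suggests, carried through to the maintenance-mode step Bryan is after, as an added example (not code from the thread or from either poster). It assumes the OpsMgr 2007 R2 Operations Manager Shell and its Get-Agent, Get-MonitoringClass, Get-MonitoringObject, Get-Task, New-MaintenanceWindow and Get-MaintenanceWindow cmdlets with the parameter names of that release; the RMS and server names are placeholders. Run it under the scoped, non-admin account the operator role was built for.

```powershell
# Added example, not the thread's own code. Assumes the OpsMgr 2007 R2
# Operations Manager Shell cmdlets and placeholder RMS / server names.
param(
    [string]$Rms    = 'rms.example.local',      # placeholder RMS name
    [string]$Server = 'server01.example.local', # placeholder agent-managed computer
    [int]$Minutes   = 30                        # length of the maintenance window
)

# Connect the OpsMgr PowerShell provider to the RMS (2007 R2 shell pattern).
Set-Location 'OperationsManagerMonitoring::'
New-ManagementGroupConnection -ConnectionString $Rms | Out-Null
Set-Location $Rms

# 1. Get-Agent goes through the administration part of the SDK; a role scoped
#    to a group of servers is refused there, which is the exception in the post above.
try {
    $agents = @(Get-Agent)
    Write-Output "Get-Agent: allowed, $($agents.Count) agents visible (admin-level role)"
}
catch {
    Write-Output ("Get-Agent: denied for this role - " + $_.Exception.GetType().Name)
}

# 2. The class/instance route is scoped by the user role instead of refused:
#    the operator sees only the agents inside the group the role is scoped to.
$agentClass    = Get-MonitoringClass -Name 'Microsoft.SystemCenter.Agent'
$visibleAgents = @(Get-MonitoringObject -MonitoringClass $agentClass)
Write-Output "Agent instances visible to this role: $($visibleAgents.Count)"

# 3. Tasks are scoped the same way: only the tasks granted to the role are listed.
Get-Task | Select-Object DisplayName, Category | Sort-Object DisplayName

# 4. Resolve the computer object by display name. If the role cannot see it,
#    the server is outside the role's scope and the script stops here rather
#    than trying to put something it should not touch into maintenance mode.
$computerClass = Get-MonitoringClass -Name 'Microsoft.Windows.Computer'
$target = Get-MonitoringObject -MonitoringClass $computerClass |
          Where-Object { $_.DisplayName -eq $Server }
if (-not $target) {
    throw "$Server is not visible to this role; refusing to start maintenance mode"
}

# 5. Maintenance mode on the computer object, using the operator-level cmdlet
#    rather than anything that needs Operations Manager Administrator rights.
$start = Get-Date
$end   = $start.AddMinutes($Minutes)
New-MaintenanceWindow -MonitoringObject $target -StartTime $start -EndTime $end `
    -Reason PlannedOther -Comment "Scripted maintenance before removing $Server from the load balancer"

# Confirm the window was recorded for the object.
Get-MaintenanceWindow -MonitoringObject $target
```

If the role has not been granted maintenance mode in the console, step 5 fails with the same UnauthorizedAccessMonitoringException shown earlier in the thread, which is the practical form of Andreas's point that console and shell share one SDK permission check; the point of step 4 is that a scoped role never gets a handle to a server outside its group, so a script run under it cannot reach the AD or SQL servers Bryan's boss is worried about.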
If you need help translating some of the cmdlets that don’t work you can message me on Skype. I already translated a lot of them as I had to make my SDK scripts compatible with both versions of SCOM, 2007 and 2012 and I wanted to move away from the cmdlets.
February 23, 2012 at 9:10 am #91901
That sounds great. We don’t use Skype at work. However, I can use it on my cell phone at Starbucks (depending upon when we would schedule this).
February 24, 2012 at 12:01 am #91912
hello
I want to execute commands (such as ipconfig /flushdns ….) on my LAN computers with scom or sccm?
is it possible?
thanks
February 24, 2012 at 6:42 am #91915
Sure, that’s actually a template. In the Operations Console\Authoring\Tasks, create a new Task and select Agent Task\Command line.
March 8, 2013 at 4:00 pm #111408
Andreas, as time permits we can use my lab to host demonstrations for topics like this on TeamViewer, and we could record and publish the brain dumps. You could help us brown belts become black belts.