Powershell and BUILTIN\admin question
February 22, 2012 at 8:39 am #91863
I have some server admins that want to run PowerShell scripts for MM. They want to build this into scripts taking servers out of the f5 and so on. It would seem that this requires Operations Manager Admins rights to do so.
OPS Admins are also allowed to run “all tasks”. My boss wants me to ensure that TASKS against AD and SQL servers etc. are not able to be impacted by SCOM admins outside of their realm (Platform/App).
I think I have been able to shutdown databases and so on with tasks as a SCOM admin role that is not a DBA. I also noticed that Builtin Admin is in SCOM by default. Is that built-in admin on the RMS? Should this be removed or does it have no impact on tasks?
I hope this makes sense.
Bryan

February 22, 2012 at 9:00 am #91865
You don’t need SCOM Admin rights to run tasks. You can scope each server role you create to a group of servers, and you can handpick which tasks are available to that role.

February 22, 2012 at 9:05 am #91866
Does that include PowerShell scripting to put servers in MM in the SCOM PS command prompt? Get-Agent and so on?

February 22, 2012 at 9:11 am #91867
The team wants a shared account that can run against the RMS and put servers in MM via script. My concern is with giving this shared login “all tasks” as a SCOM admin. Maybe I misunderstood that you need to be an admin to run scripts against the RMS. I have custom groups that I restrict tasks for various team members already. If PowerShell is granted to that group, can they impact things outside their scope, shut down a database, etc.?

February 22, 2012 at 9:29 am #91871
The SDK Service, which provides the connection to both console and shell, doesn’t differ between them. If you can connect using the console, you can connect using the shell.
In theory, when a user is scoped to a group of servers, he should only get the agents belonging to that group when he runs the get-agent command.
As for Maintenance Mode – if he has permission to do so in the console, he has permissions to do so in the shell.
What I forgot to mention is: You can only limit Agent Tasks (which run remotely), not Console Tasks (which run locally). So one might be able to launch a Console Task but is then denied because his user account doesn’t have permissions.

February 22, 2012 at 10:22 am #91876
Thanks Andreas, I will verify your suggestions.
One last thing. Did you remove the BUILTIN\Admin from the OPSMAN Admin group in the console? I am wondering if it is possible that someone could be elevated to SCOM admin if they are a local admin on the server. Perhaps I need further clarity for the purpose of this beyond the initial install.

February 22, 2012 at 10:43 am #91877
Hmmmm I get the following as a user in a custom group despite being able to connect to the UI and put servers in MM.
Get-Agent : Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringEx
tion: The user does not have sufficient permission to perform the o
1 ids, String criteriaXml, String languageCode)
At line:1 char:10
+ get-agent < <<<
+ CategoryInfo : InvalidOperation: (Microsoft.Enter…dComputerCmdl
:GetAgentManagedComputerCmdlet) [Get-Agent], UnauthorizedAccessMonitoringExce
+ FullyQualifiedErrorId : ExecutionError,Microsoft.EnterpriseManagement.Oper
ionsManager.ClientShell.GetAgentManagedComputerCmdlet

February 22, 2012 at 11:00 am #91878
I don’t wanna burn my fingers on that one… If I remember correctly, during setup you have to provide a group that is local administrator on the RMS which can of course be the local admin group itself. In my case it’s a domain group. I’d go check technet though on what to take care of in case you change the group there.

February 22, 2012 at 11:04 am #91879
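To answer the BUILTIN\Admin question for your own management group rather than guessing, here is an added audit script (not from the thread) that lists every Operations Manager user role and flags the ones containing BUILTIN\Administrators, i.e. the roles every local administrator of the RMS inherits. It assumes the 2007-style SDK assembly (also shipped with 2012), the MonitoringUserRole.Users collection, and a placeholder RMS name.

```powershell
# Added example, not from the thread: report which OpsMgr user roles include
# BUILTIN\Administrators. Assumptions: 2007-style SDK (Microsoft.EnterpriseManagement
# .OperationsManager), MonitoringUserRole exposes .Name and .Users, RMS name is a placeholder.
param([string]$Rms = 'rms01.contoso.local')   # placeholder management server

# Already loaded inside the Operations Manager Command Shell; harmless elsewhere.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.EnterpriseManagement.OperationsManager')

$mg = New-Object Microsoft.EnterpriseManagement.ManagementGroup($Rms)

# One row per role: its members and whether the local Administrators group is among them.
$report = foreach ($role in $mg.GetMonitoringUserRoles()) {
    $members = @($role.Users)
    $builtin = @($members | Where-Object { $_ -ieq 'BUILTIN\Administrators' })
    New-Object PSObject -Property @{
        Role          = $role.Name
        HasLocalAdmins = ($builtin.Count -gt 0)
        Members       = ($members -join ', ')
    }
}

$report | Sort-Object HasLocalAdmins -Descending | Format-Table Role, HasLocalAdmins, Members -AutoSize

# Call out the roles where being a local admin on the RMS silently grants SCOM rights.
$report | Where-Object { $_.HasLocalAdmins } | ForEach-Object {
    Write-Warning ("Role '{0}' includes BUILTIN\Administrators" -f $_.Role)
}
```

Run it as a SCOM admin from the Command Shell; a scoped operator account will only see what its own role exposes.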
It could be that the Get-Agent command does something fancy. Verify the following:
In the console, go to discovered inventory view and change the class to Agent
In the shell, run this command: $Class = Get-MonitoringClass -name "Microsoft.SystemCenter.Agent"; $Class | Get-MonitoringObject

February 22, 2012 at 12:11 pm #91880
When I opened up the shell that command worked. So it looks like we may need to find PowerShell commands that do not require admin rights to achieve our goals of putting a server in MM. This is looking a little better now.

February 22, 2012 at 12:22 pm #91881
That’s the thing with those cmdlets, but they can all be translated to “raw” SDK code – something I personally prefer as it’s faster in a lot of cases, especially with the Get-MonitoringObject command (which is terribly slow).
If you need help translating some of the cmdlets that don’t work you can message me on Skype. I already translated a lot of them as I had to make my SDK scripts compatible with both versions of SCOM, 2007 and 2012 and I wanted to move away from the cmdlets.

February 23, 2012 at 9:10 am #91901
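As an added illustration of the "raw SDK" route Andreas describes (this is example code, not Andreas's translations or anything from the thread), the script below puts one Windows Computer into maintenance mode without touching Get-Agent, so it can run under a scoped Operator role: the SDK only returns objects inside the role's scope, and a role without the Maintenance Mode action gets the same UnauthorizedAccessMonitoringException shown earlier. Server and RMS names are placeholders.

```powershell
# Added example, not from the thread: scripted maintenance mode via the raw OpsMgr SDK.
# Assumptions: 2007-style SDK assembly (also present in 2012), placeholder RMS/server names.
param(
    [string]$Rms      = 'rms01.contoso.local',   # placeholder RMS / management server
    [string]$Computer = 'web01.contoso.local',   # placeholder FQDN of the server leaving the F5 pool
    [int]   $Minutes  = 60,
    [string]$Comment  = 'Scripted MM for deployment'
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.EnterpriseManagement.OperationsManager')
$mg = New-Object Microsoft.EnterpriseManagement.ManagementGroup($Rms)

# Resolve the Windows Computer class, then the instance for this server.
# Objects outside the caller's role scope are simply not returned.
$classCriteria = New-Object Microsoft.EnterpriseManagement.Configuration.MonitoringClassCriteria("Name = 'Microsoft.Windows.Computer'")
$class         = $mg.GetMonitoringClasses($classCriteria)[0]
$objCriteria   = New-Object Microsoft.EnterpriseManagement.Monitoring.MonitoringObjectCriteria("DisplayName = '$Computer'", $class)
$targets       = @($mg.GetMonitoringObjects($objCriteria))

if ($targets.Count -eq 0) {
    throw "No Windows Computer named '$Computer' is visible to $env:USERNAME; it is not monitored or is outside this role's scope."
}
$target = $targets[0]

if ($target.InMaintenanceMode) {
    Write-Warning "$Computer is already in maintenance mode; nothing to do."
    return
}

# Maintenance mode times are UTC; Recursive also covers contained objects (disks, services, health service).
$start = (Get-Date).ToUniversalTime()
$end   = $start.AddMinutes($Minutes)
try {
    $target.ScheduleMaintenanceMode($start, $end,
        [Microsoft.EnterpriseManagement.Monitoring.MaintenanceModeReason]::PlannedOther,
        $Comment,
        [Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive)
    Write-Host ("{0} in maintenance mode until {1:u}" -f $Computer, $end)
}
catch [Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException] {
    # Same error class the thread's Get-Agent call produced: the role lacks the Maintenance Mode action here.
    throw "This role does not permit maintenance mode on $Computer. $($_.Exception.Message)"
}
```

Scope the shared account's role to the web/app server group only; a DBA's SQL servers will then never resolve in this script, regardless of what the operators pass in.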
That sounds great. We don’t use Skype at work. However I can use it on my cell phone at Starbucks (depending upon when we would schedule this).

February 24, 2012 at 12:01 am #91912
I want to execute commands (such as ipconfig /flushdns ….) on my LAN computers with SCOM or SCCM.
Is it possible?
Thanks

February 24, 2012 at 6:42 am #91915
Sure, that’s actually a template. In the Operations Console\Authoring\Tasks, create a new Task and select Agent Task\Command line.

March 8, 2013 at 4:00 pm #111408
Andreas, as time permits we can use my lab to host demonstrations for topics like this on TeamViewer, and we could record and publish the brain dumps. You could help us brown belts become black belts.