"Insufficient privileges"

    Question

  • Good day,

    Is there a way to determine the members of the OpsMgr Administrators role by querying the OperationsManager DB?  I set up a virtual OpsMgr environment for testing purposes, and when I attempt to connect using the Console, I always get the "Insufficient privileges" error message. :(

    Thanks,

    Larry
    Friday, September 04, 2009 8:39 PM

All replies

  • I'm assuming you don't know the OpsMgr Administrators group name?  It's not SQL, but you can get the group name by using the OpsMgr Command Shell and the 'get-userrole' cmdlet.  Once you have the name you can use ADUC to see the members.

    Of course, you have to have rights to connect via the command shell...

    Friday, September 04, 2009 10:49 PM
  • Hi,
    User roles in SCOM and their scoping are all stored within the MomAuth.xml file which is located at %Program Files%\System Center Operations Manager 2007\SDK Service State, take a look at http://www.aquilaweb.com/blog/index.php?itemid=43
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Saturday, September 05, 2009 5:51 AM
  • Gentlemen,

    OK, here are some details, following your posts (much appreciated BTW):

    - I am unable to run 'get-userrole', as I do not have the appropriate permissions to run the commandlet:

           Connecting to Operations Manager Management Server 'SCOM-RMS.fabrikam.com'.
           New-ManagementGroupConnection : The user FABRIKAM\Administrator does not have sufficient permission to perform the operation.
           At C:\Program Files\System Center Operations Manager 2007\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.
           Functions.ps1:113 char:60
           +                 $connection = New-ManagementGroupConnection  <<<< -ConnectionString: $server -ErrorAction:SilentlyContinue;

           cmdlet Get-Credential at command pipeline position 1
           Supply values for the following parameters:
           Credential

    - The link provided by Anders was quite useful.  From it I was able to extract the following from the defective test MG:

    <AzScope Guid="83578c1e-004b-4123-b2ab-7348ab4212e9" Name="597f9d98-356f-4186-8712-4f020f2d98b4" Description="">
      <AzRole Guid="6953f184-bdd4-4733-b50b-c671d6f2031b" Name="597f9d98-356f-4186-8712-4f020f2d98b4" Description="OperationsManagerAdministrators">
        <TaskLink>b764ca38-9e77-4825-ae50-9a7ea4c1a6e1</TaskLink>
        <Member>S-1-5-18</Member>
        <Member>S-1-5-21-4267073931-2454615951-838300332-1117</Member>
      </AzRole>
    </AzScope>

    "S-1-5-18" is the well-known SID for the 'Local System' account
    "S-1-5-21-4267073931-2454615951-838300332-1117" is a SID that is nowhere to be found anywhere in the domain or on the RMS!?!?!

       SELECT *
       FROM Win32_Group
       WHERE SID = 'S-1-5-21-4267073931-2454615951-838300332-1117'

    What is weird is that I am 100% certain that I selected the 'FABRIKAM\MOM Administrators' global group (i.e. SID = "S-1-5-21-4267073931-2454615951-838300332-1126") as the OpsMgr Administration group!?!?

    With this knowledge, I updated the XML file with the proper SID.  Despite the change, I am still getting the "Insufficient privileges" error message, no matter what account I use (i.e. member of 'MOM Administrators', local Administrator, domain Administrator, or SDK).

    Thanks,

    Larry

    Tuesday, September 08, 2009 2:10 PM
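    The check Larry did by hand above (read the AzRole members out of MomAuth.xml and see which SIDs still resolve to a domain account) as a script. This is an added example, not code from the thread or from Operations Manager; it assumes the AzScope/AzRole/Member layout quoted in the post with no XML namespace, the file path Anders gave, and a constructed sample file with placeholder SIDs for when the real file is absent.

```powershell
# Added example (not from the thread or from OpsMgr): resolve every <Member> SID in MomAuth.xml
# and flag SIDs that no account in the domain maps to any more, i.e. the "nowhere to be found"
# case in the post. Assumes the AzScope/AzRole/Member layout quoted above with no XML namespace.
param(
    [string]$MomAuthPath   = "$env:ProgramFiles\System Center Operations Manager 2007\SDK Service State\MomAuth.xml",
    [string]$ExpectedGroup = 'FABRIKAM\MOM Administrators'   # group that should hold the admin role
)
# Constructed sample in the posted layout, used when the real file is not present (placeholder SIDs).
$sampleXml = @'
<AzScope Guid="PLACEHOLDER-SCOPE-GUID" Name="scope" Description="">
  <AzRole Guid="PLACEHOLDER-ROLE-GUID" Name="role" Description="OperationsManagerAdministrators">
    <Member>S-1-5-18</Member>
    <Member>S-1-5-21-1111111111-2222222222-3333333333-9999</Member>
  </AzRole>
</AzScope>
'@
function Resolve-Sid([string]$Sid) {
    # SID string -> DOMAIN\Name; returns $null when no account maps to it (orphaned SID).
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $null }
}

function Get-AccountSid([string]$Account) {
    # DOMAIN\Name -> SID string, so a group can be compared with the <Member> text.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

[xml]$auth = if (Test-Path $MomAuthPath) { Get-Content -Path $MomAuthPath } else { $sampleXml }
$expectedSid = Get-AccountSid $ExpectedGroup

foreach ($role in $auth.SelectNodes('//AzRole')) {
    Write-Host ("Role: {0}" -f $role.Description)
    $members = @($role.SelectNodes('Member') | ForEach-Object { $_.InnerText })
    foreach ($sid in $members) {
        $name = Resolve-Sid $sid
        if ($name) { Write-Host ("  {0,-48} {1}" -f $sid, $name) }
        else       { Write-Host ("  {0,-48} ORPHANED: no account has this SID" -f $sid) }
    }
    if ($role.Description -eq 'OperationsManagerAdministrators') {
        if (-not $expectedSid)                   { Write-Host "  Could not look up $ExpectedGroup" }
        elseif ($members -contains $expectedSid) { Write-Host "  $ExpectedGroup holds the administrator role" }
        else                                     { Write-Host "  WARNING: $ExpectedGroup ($expectedSid) is NOT a member" }
    }
}
```

    Run it on the RMS as an account that can read the SDK Service State folder; an ORPHANED line next to a non-well-known SID is the symptom described in the post (group deleted and recreated, so the stored SID no longer matches).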
  • Can you check the SPN on your SDK account?

    SDK Account

    To list the SPN:

    Setspn -l <domain\accountname>

    Example:

    Setspn -l LAB\momsdk

    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    Tuesday, September 08, 2009 10:34 PM
  • Certainly,

    Here is the output:

         C:\>setspn -l FABRIKAM\OM_SDK
         Registered ServicePrincipalNames for CN=OM_SDK,CN=Users,DC=fabrikam,DC=com:
             MSOMSdkSvc/SCOM-RMS
             MSOMSdkSvc/SCOM-RMS.fabrikam.com

    Also, the local Administrators group of the SCOM-RMS server has the following members:

       Administrator
       FABRIKAM\Domain Admins
       FABRIKAM\MOM Administrators
       FABRIKAM\om_dra
       FABRIKAM\om_dwwa
       FABRIKAM\om_msaa
       FABRIKAM\om_sdk

    Furthermore, we have another administrative account that we would like to use, that is a member of the 'FABRIKAM\MOM Administrators' global group.

    Larry
    Wednesday, September 09, 2009 1:43 PM
  • Sorry, this did not help.  :(


    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    Wednesday, September 09, 2009 5:54 PM
  • I am having the same problem, have done all of the steps in this post...

    Larry - Did you get this resolved?  If so, what was the resolution?

    Friday, December 18, 2009 8:53 AM
  • Was the 'FABRIKAM\MOM Administrators' deleted and remade after you've added it to the scom admin group? That would at least explain why the guid is missing from the domain and 'FABRIKAM\MOM Administrators' has a different guid.

    You could create a PS script to add the correct group to the SCOM admins and schedule it under the system account.

    This would add the domain admin to the group (well I think it does :)) and would allow you to access the console again.

    # Find the Operations Manager Administrators user role
    $userRole = Get-UserRole | where {$_.Name -eq 'OperationsManagerAdministrators'}

    # Add the account (or group) to the role's member list
    $userRole.Users.Add('fabrikam\administrator')

    # Write the modified role back to the management group
    $userRole.Update()


    Rob Korving
    http://jama00.wordpress.com/
    Sunday, December 20, 2009 12:29 PM