Unable to run powershell script against SCOM in Runbook

  • Question

  • Hi

    I have a script which runs fine in PowerShell ISE, but when I try to run it in a .Net script in an Orchestrator runbook I get the below error.

    $Username = "Domain\UserName"
    $Password = 'Password'
    $MS = 'SCOM-RMS'
    
    # Build a PSCredential from the plain-text password
    $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$securePassword
    
    # Import OM Module
    Import-Module OperationsManager
    New-SCOMManagementGroupConnection -ComputerName $MS -Credential $credential
    
    # Look up the computer object and define a 30-minute maintenance window
    $class = Get-SCOMClass -Name 'Microsoft.Windows.Computer'
    $computer = Get-SCOMClassInstance -Class $class | Where-Object { $_.Name -eq 'Servername.domain.com' }
    $start = Get-Date
    $end = $start.AddMinutes(30)
    
    try
    {
        Start-SCOMMaintenanceMode -Instance $computer -EndTime $end -Comment "Requested by JD" -Reason PlannedOther
    }
    catch
    {
        # Keep only the exception text so it can be returned below
        $ErrorMessage = $_.Exception.Message
    }
    $ErrorMessage

    The user does not have sufficient permission to perform the operation


    Justin

    Tuesday, October 15, 2019 11:15 AM

All replies

  • Hi Justin,

    what roles is your user a member of?

    You need to assign permissions in SCOM in order to be able to execute this. Here is a reference:

    OPERATIONS SHELL–USING DIFFERENT CREDENTIALS

    Please make sure the user who you are using has the permissions needed in SCOM (Add it to Administrators for testing purposes).

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, October 15, 2019 12:07 PM
  • Hi Stoyan

    The account I am using has been added to the "Advanced Operator Role" in SCOM. I can ask the SCOM team to help add my service account to the Administrator group, but I am sure this would not be allowed in the Prod environment. Is there a Microsoft site which says the level of access required for Orchestrator to run activities on SCOM?


    Justin

    Tuesday, October 15, 2019 12:38 PM
  • Hi,

    If I understand right, you use the script with the same credentials in PowerShell ISE (?). So I guess it's not a problem of the permissions.

    Perhaps it is caused by security settings (for example TLS).

    Test the Script in PowerShell ISE and 32-bit PowerShell ISE (x86) on a Runbook Server.

    Regards,

    Stefan


    More and news about System Center at stillcool.de and sc-orchestartor.eu .



    Tuesday, October 15, 2019 12:44 PM
    Answerer
  • Hi Justin,

    sure there is:

    Operations associated with user role profiles

    but I am not quite sure if this will help you determine the level of permissions you need. I think when trying to put an object in Maintenance Mode you need to have permissions on a group that actually contains this object.

    Please try to arrange a test, after adding the account to the SCOM Admins, just to see if this works afterwards (I mean your .NET Script activity). If it does, then it is clear that "Advanced Operator" is not enough; if it doesn't, then we need to think of what might be the cause here.

    Regards,


    Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, October 15, 2019 12:45 PM
  • Hi Stefan

    Thank you. You are correct. I am getting the same error while trying to run it in PowerShell ISE (x86). As you have mentioned, this could be a security setting issue.

    Are there any setting changes that have to be made on the MS Orchestrator end?

    I was told by SCOM admin that the TLS setting has been configured in SCOM. Can this be verified remotely?


    Justin

    Tuesday, October 15, 2019 1:15 PM
  • As Stefan had mentioned, I am using the same account to run PowerShell ISE and the runbook server works. If it works with ISE it should ideally work while being run using MS Orchestrator. Stefan suggests that this could be a TLS setting issue. Any advice?

    Justin

    Tuesday, October 15, 2019 1:18 PM
  • Hi,

    Does the script also work in 32-bit PowerShell ISE (x86)?

    Regards,

    Stefan


    Tuesday, October 15, 2019 1:31 PM
    Answerer
  • As Stefan had mentioned, I am using the same account to run PowerShell ISE and the runbook server works. If it works with ISE it should ideally work while being run using MS Orchestrator. Stefan suggests that this could be a TLS setting issue. Any advice?

    Justin

    Hi Justin,

    Apologies, I totally missed the statement that it is working fine in ISE. No doubt, if this is the case it has nothing to do with SCOM permissions. You might want to check for Software Restriction Policies, though I am not quite sure if the message will then be the same.

    Regards,


    Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, October 15, 2019 1:33 PM
  • No. The script is not working when I run it in 32-bit PowerShell ISE (x86). I get the same error as I get while running from the .Net script in Orchestrator.

    Justin

    Tuesday, October 15, 2019 1:50 PM
  • Hi,

    If it is working on the Orchestrator Runbook Server(s) with 64-bit PowerShell but not with 32-bit PowerShell, compare the values in these registry keys:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] with [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] with [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]

    Regards,

    Stefan


    Tuesday, October 15, 2019 1:52 PM
    Answerer
  • Hi Stefan

    I had compared both the values and found that SystemDefaultTlsVersions is set to 0 for [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] and [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319], and SystemDefaultTlsVersions is set to 1 for [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319].

    Can I change the settings on 32 bit to SystemDefaultTlsVersions 1?


    Justin

    Tuesday, October 15, 2019 2:06 PM
  • Hi Justin,

    Which version and build of Orchestrator and SCOM are you using?

    If this is a TLS issue, you could have a look at the following links:

    Set up TLS for Orchestrator
    https://docs.microsoft.com/en-us/system-center/orchestrator/install-enable-tls?view=sc-orch-2016

    TLS 1.2 Protocol Support Deployment Guide for System Center 2016
    https://support.microsoft.com/en-us/help/4051111/tls-1-2-protocol-support-deployment-guide-for-system-center-2016


    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Marked as answer by JS2206 Thursday, October 17, 2019 9:18 AM
    Tuesday, October 15, 2019 2:26 PM
  • Yes, I would change it for 32 bit to SystemDefaultTlsVersions 1.

    A reboot would be necessary after that for the changes to take effect.

    Regards,

    Stefan


    • Marked as answer by JS2206 Thursday, October 17, 2019 9:01 AM
    Tuesday, October 15, 2019 2:52 PM
    Answerer
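
The registry comparison that resolved this thread, as an added example (not code from any poster or from Microsoft). It reads both registry views explicitly, so it reports the same result whether it is started from 64-bit PowerShell or from the 32-bit host that reproduced the error; including `SchUseStrongCrypto` and the `Get-DotNetTlsSetting` function name are assumptions of this example.

```powershell
# Added example: read-only check; changes nothing in the registry.
# Explicit registry views give the same answer from a 32-bit or 64-bit host.
$subKeys = @(
    'SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
# SystemDefaultTlsVersions is the value from the thread; SchUseStrongCrypto is an
# assumption about what else is worth comparing (a related .NET Framework value).
$valueNames = @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')
$views = [ordered]@{
    '64-bit' = [Microsoft.Win32.RegistryView]::Registry64
    '32-bit' = [Microsoft.Win32.RegistryView]::Registry32   # WOW6432Node
}

function Get-DotNetTlsSetting {
    foreach ($viewName in $views.Keys) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $views[$viewName])
        try {
            foreach ($subKey in $subKeys) {
                $key = $base.OpenSubKey($subKey)   # read-only; $null if absent
                foreach ($name in $valueNames) {
                    $value = if ($key) { $key.GetValue($name) } else { $null }
                    [pscustomobject]@{
                        View  = $viewName
                        Key   = $subKey
                        Name  = $name
                        Value = if ($null -eq $value) { '<not set>' } else { $value }
                    }
                }
                if ($key) { $key.Close() }
            }
        }
        finally { $base.Close() }
    }
}

$settings = @(Get-DotNetTlsSetting)
$settings | Format-Table -AutoSize

# Warn for every key/value whose 32-bit and 64-bit views disagree.
$settings | Group-Object Key, Name | Where-Object {
    @($_.Group.Value | Select-Object -Unique).Count -gt 1
} | ForEach-Object {
    $detail = ($_.Group | ForEach-Object { "$($_.View)=$($_.Value)" }) -join ', '
    Write-Warning ("Mismatch: HKLM\{0}\{1} -> {2}" -f $_.Group[0].Key, $_.Group[0].Name, $detail)
}
```

Run it on each runbook server; a warning for `SystemDefaultTlsVersions` corresponds to the 0-versus-1 difference reported in this thread.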
  • Thanks Stefan. It worked after changing SystemDefaultTlsVersions to 1.

    Justin

    Thursday, October 17, 2019 9:02 AM
  • Thanks Leon

    Justin

    Thursday, October 17, 2019 9:18 AM