Transient "Run As Account does not exist on the target system or does not have enough permissions" Alerts

  • Question

  • Hi!

    There are a number of threads on "Run As Account does not exist on the target system or does not have enough permissions" which end up in long and interesting discussions on SQL Run-as rights.

    But does anyone see this happen infrequently on servers?

    There seems to be some correlation between utilization and these alerts.

    Which leads me to believe that the Alert and, to a lesser extent, the event that triggers it, is misleading.

    Could it be a time-out issue? The default (not overridable) in the script(s) is 30s.

    (I'm way over my head trying to analyze the error handling in the script, in particular where the number 4001 comes from).

    /Roger


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, May 12, 2011 11:09 AM

Answers

  • Hi

    I have seen this happen when a database (or databases) on a SQL Server is \ are set to autoclose - this happens most frequently with SQL Express (where autoclose is a default setting). It seems the script tries to get access to the database but because it is closed, database access fails.

    But resource issues will always be a potential problem - one way to check this is to personalise the view to include the repeat count and see how frequent the issue is although you might already have done this as you have noticed a correlation already and I recognise that you are an experienced OpsMgr user and frequent forum contributor.

    I don't have access to a system at the moment - how long is the script? Is it possible to post it up here?

    Cheers

    Graham

     


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Thursday, May 12, 2011 11:53 AM

All replies

  • Thanks Graham!

    Great suggestion! We have very few repeats, one or two then the issue goes away.

    Actually, it's a number of scripts, used in a number of monitors/rules (both 2005 and 2008 affected).

    You can export and analyze them at your own leisure, if you have the time :) (I don't)

    GetSQL2005DBFreeSpace.vbs

    GetSQL2005DBFilesFreeSpace.vbs

    DiscoverSQL2005Files.js

    DiscoverSQL2005FileGroups.js

    GetSQL2005DBFileGroupFreeSpace.vbs

    GetSQL2008DBFileGroupFreeSpace.vbs


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, May 12, 2011 12:38 PM
  • Err.  Back to the guide.  The run-as account permissions required were redesigned in the SQL 2008 R2 pack so that not every monitor requires DBO permissions.  Some still do however.  For other versions, the run-as account requires DBO permissions and typically will not work well with localsystem as the default action account.  The guide makes the recommended setup pretty clear.
    Microsoft Corporation
    Thursday, May 12, 2011 4:00 PM
  •  For other versions, the run-as account requires DBO permissions and typically will not work well with localsystem as the default action account.  The guide makes the recommended setup pretty clear.

    Clear?

    From the guide:

    1) The following procedure describes the steps needed to configure low-privilege Discovery, Monitoring, and Action for version 6.1.400.00 of the SQL Server Management Pack. This low-privilege configuration is only supported for non-clustered SQL Server environments. It is not guaranteed to work for previously-released management packs.

    So at least I assume this will work for all SQL management packs with version 6.1.400.00, not only the R2 version. And the guide does not say you need DBO rights for the non R2 versions, with the exception if you need to run corrective actions (and this also includes the R2 version).

     

    2a) This low-privilege configuration is only supported for non-clustered SQL Server environments.

    2b) If the Default Action Account Run As profile for cluster nodes is associated with Local System or with another account that has administrator permissions for the cluster, then no additional associations are required.

    Can you tell me now how to get a good working monitoring setup for a SQL Cluster, since you tell us it won't work well with local system as the action account. I am a bit confused here.......

     

    So this is how I read it:

    low-privilege configuration for a complete working management pack (non-cluster): give the action account dbo rights on every database.

    low-privilege configuration for a complete working management pack (cluster): give the action account dbo rights on every database and full admin rights on the cluster

    If you don't need corrective actions, you can limit the action account to view rights and SQLAgentReaderRole (which in turn is very powerful, much more than just reading :)), but it still needs full admin rights on the cluster in case you are monitoring a cluster.

    If I read it right, I would always go for the local system account. So when it gets compromised, it is limited to a single SQL server only, not your entire installed SQL farm.

     

    Now back to real life: Having 40 customers (all in non-trusted separate domains) and 402 SQL servers being monitored, how did Microsoft envision this? At best we should create 40 accounts (one for each customer). Just getting them created and keeping them working with all different security policies, is a nightmare.

    Don't get me wrong, I don't mind running monitoring with low privileged accounts. But working well with the local system account (the default action account) should at least be the starting point for every management pack.


    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Friday, May 13, 2011 7:51 AM
  • Well, I was only trying to get a feel if more than us were seeing this (one or two scripts failing, then back to ok again).

    I have not ruled out config.errs on our part but with over a 1000 sqls, moving away from the default AA (Local System, assigned necessary SQL rights/permissions) is a major undertaking.

    The autoclose lead from Graham is also interesting.

    Thanks

    /Roger


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 13, 2011 9:08 AM
  • Well, I was only trying to get a feel if more than us were seeing this (one or two scripts failing, then back to ok again).


    Some discussions tend to explode. But then again. It is a discussion forum :) And the more we learn the better we will be able to support the MS products.

    And to give you some feeling, we don't see this (unless the agent really doesn't have the correct permission) or the service is shutting down or otherwise denying access to the databases. And yes we only use the LocalSystem account.


    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Friday, May 13, 2011 9:18 AM
  • Have to admit that I do see this from time to time and if you observe that the errors \ alerts are not occurring on every iteration of the rule then it suggests it isn't (always) a permissions issue.

    Resource (timeouts) are certainly very possible and if the database that is listed in the error is not master then check the actual database properties:

    - autoclose

    - single user mode

    - offline

    Have fun

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Friday, May 13, 2011 9:33 AM
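
The three database properties listed in the reply above can be checked in one pass on the affected instance. This query is an added example, not part of any post in this thread or of the management pack scripts; it assumes SQL Server 2005 or later, where the `sys.databases` catalog view is available.

```sql
-- Added example: list every database that is in one of the states named
-- in the reply above (autoclose, single user mode, offline).
SELECT
    d.name,
    d.is_auto_close_on,      -- 1 = AUTO_CLOSE is ON
    d.user_access_desc,      -- MULTI_USER, SINGLE_USER or RESTRICTED_USER
    d.state_desc,            -- ONLINE, OFFLINE, RESTORING, RECOVERING, ...
    -- Human-readable summary of which condition(s) matched.
    CASE WHEN d.is_auto_close_on = 1
         THEN 'autoclose; ' ELSE '' END
  + CASE WHEN d.user_access_desc = 'SINGLE_USER'
         THEN 'single user; ' ELSE '' END
  + CASE WHEN d.state_desc <> 'ONLINE'
         THEN 'not online (' + d.state_desc + '); ' ELSE '' END
      AS flags
FROM sys.databases AS d
WHERE d.is_auto_close_on = 1
   OR d.user_access_desc = 'SINGLE_USER'
   OR d.state_desc <> 'ONLINE'
ORDER BY d.name;
```

An empty result means none of the three conditions applies to any database on the instance at the time the query runs.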
  • Graham! Unfortunately, this mainly concerns Master (although the occasional other db is involved too).

    Marc, discussions are always fun :)

    /Roger


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 13, 2011 11:50 AM