Exchange 2007 MP Imported - Then Powershell Script Failing to Run

  • Question

  • Hi All,

     

    Just checking to see if anyone knows why this PowerShell script is failing to run after checking in the Exchange 2007 MP 6.0.7602.0 and what the fix is. It references my SCOM Management Server Action Account as not having sufficient permission to perform the operation, but I cannot tell if the script is running against the SCOM Server or against other PCs?

     

    On the SCOM Server, the account is a member of the local administrators group and with no restrictions. When the error was generated, there were no other servers being monitored by SCOM. (Still in the early phase of implementing SCOM)

     

    This is what is being logged: (Items in red were replaced to hide specific details)

     

    System.Management.Automation.MethodInvocationException: Exception calling "Connect" with "1" argument(s): "The user DOMAIN\SCOM Management Account does not have sufficient permission to perform the operation."
    At line:64 char:77
    + $managementGroup = [Microsoft.EnterpriseManagement.ManagementGroup]::Connect( <<<< "localhost")
    at System.Management.Automation.DotNetAdapter.AuxiliarMethodInvoke(Object target, MethodBase method, Object[] arguments, MethodInformation methodInformation, Object[] originalArguments)
    at System.Management.Automation.DotNetAdapter.MethodInvokeDotNet(String methodName, Object target, MethodBase[] methods, MethodInformation[] methodInformation, String[] methodDefinitions, Object[] arguments)
    at System.Management.Automation.DotNetAdapter.MethodInvoke(PSMethod method, Object[] arguments)
    at System.Management.Automation.Adapter.BaseMethodInvoke(PSMethod method, Object[] arguments)
    at System.Management.Automation.ParserOps.CallMethod(Token token, Object target, String methodName, Object[] paramArray, Boolean callStatic, PSMethodInfo targetMethod, Object valueToSet)
    at System.Management.Automation.Parser.MethodCallNode.InvokeMethod(Token NodeToken, Object originalResult, Boolean staticMember, Object[] paramArray, List`1 typeConstraint, PSMethodInfo& targetMethod)
    at System.Management.Automation.Parser.MethodCallNode.Execute(Array input, Pipe outputPipe)
    at System.Management.Automation.Parser.AssignmentStatementNode.Execute(Array input, Pipe outputPipe)
    at System.Management.Automation.Parser.StatementListNode.Execute(Array input, Pipe outputPipe, ArrayList& resultList)

    Script Name: DiscoverTargetRelationship

    One or more workflows were affected by this.

    Workflow name: Microsoft.Exchange2007.Rms.TargetRelationship.Discovery

    Instance name:
    SCOMServer

    Instance ID: {CC254FFA-A7B1-36E5-331A-4C9FEA19C54F}

    Management group:
    MGMT GROUP

     

    Is the PowerShell script requiring full administrator access to all servers or just the Exchange Servers via the Management Server Action account? Since I didn't have any Exchange Servers enabled yet at the time, I'm not sure what servers the script would be attempting to run against. As far as I've seen in the documentation, a Low Privilege Account should suffice, but just wondering if I'm doing something wrong here.

     

    Many thanks in advance!

     

    Ed

    Monday, January 4, 2010 11:50 PM

Answers

  •    You can look in the Operations Manager Console under Administration, Security, User Roles; you can add the account to the Read Only Operators group explicitly, and that should be enough permissions.  You can tell it is failing because the error is being generated when the connection to the management group is done.   You can mimic the actions by doing the following:
      1) Open a PowerShell console as the default action account, not the Operations Manager but the default console,
      then run the following commands in PowerShell:
        [Reflection.Assembly]::Load("Microsoft.EnterpriseManagement.OperationsManager, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35")
        [Reflection.Assembly]::Load("Microsoft.EnterpriseManagement.OperationsManager.Common, Version=6.0.4900.0,Culture=neutral, PublicKeyToken=31bf3856ad364e35")
        $managementGroup = [Microsoft.EnterpriseManagement.ManagementGroup]::Connect("localhost")

    Those are the steps the agent is taking when attempting to create the target relationships.


    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
    • Marked as answer by VictorySabre Wednesday, January 6, 2010 1:19 AM
    Tuesday, January 5, 2010 11:16 PM
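
The same connection test wrapped so it reports which identity ran it and where it failed, as an added example that is not part of the original answer. It assumes PowerShell 2.0 or later on the Root Management Server; the function name `Test-ManagementGroupAccess` and its `-Server` parameter are hypothetical.

```powershell
# Added example: run in a plain PowerShell console started as the account under test.
function Test-ManagementGroupAccess {
    param([string]$Server = "localhost")   # hypothetical parameter; the answer uses "localhost"

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result = New-Object PSObject -Property @{
        Account    = $identity.Name
        # Reflects the current token: under UAC a non-elevated session reports False
        # even when the account is a member of the local Administrators group.
        LocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        SdkLoaded  = $false
        Connected  = $false
        Detail     = ""
    }

    try {
        # Same assemblies and versions as in the answer above.
        [void][Reflection.Assembly]::Load("Microsoft.EnterpriseManagement.OperationsManager, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35")
        [void][Reflection.Assembly]::Load("Microsoft.EnterpriseManagement.OperationsManager.Common, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35")
        $result.SdkLoaded = $true
    } catch {
        # A load failure is an installation problem, not a permission problem.
        $result.Detail = "SDK assemblies not loadable: " + $_.Exception.Message
        return $result
    }

    try {
        $mg = [Microsoft.EnterpriseManagement.ManagementGroup]::Connect($Server)
        $result.Connected = $true
        $result.Detail    = "Connected to management group '" + $mg.Name + "'"
    } catch {
        # PowerShell wraps the .NET exception; the innermost one carries the SDK message,
        # e.g. the "does not have sufficient permission" text from the question.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $result.Detail = $inner.GetType().Name + ": " + $inner.Message
    }
    return $result
}

Test-ManagementGroupAccess | Format-List Account, LocalAdmin, SdkLoaded, Connected, Detail
```

`LocalAdmin = True` together with `Connected = False` is the situation described in this thread: local administrator rights on the server do not grant access to the management group, which is controlled by user role membership.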

All replies

  • The workflow runs on the Root Management Server, and connects to the Management Group.  This means the account needs to be a local administrator of the Root Management Server and also needs permissions to read from the Management Group (Read Only Permissions in the Management Group).
    • Proposed as answer by S. Halsey Tuesday, January 5, 2010 6:12 PM
    Tuesday, January 5, 2010 6:12 PM
  • That particular SCOM Management account being flagged as not having permissions to run the script is already a member of the local Administrators security group on the RMS server and is assigned to the Default Action Account profile.

    Does it need to be a member of the domain SCOM Administrators security group defined during the installation of SCOM? (That domain security group is assigned to the Operations Manager Administrators user role on SCOM.)

    How do I check to see if that account has Read Only Permissions to the management group?

    Thanks!

    Ed
    Tuesday, January 5, 2010 9:00 PM
  • Many thanks! I ran the test as you've mentioned and I got the error. After I put the default action account into the read-only operators user role and re-ran the commands in PowerShell, the commands ran successfully!
    Wednesday, January 6, 2010 1:20 AM