VBScript Access Denied

  • Question

  • Hi there! I have a VBScript that can check the services on other machines, and when I run it myself, it works. However, when SCOM runs it, I'm getting access denied. I wanted to know if it is possible to push an access or something like that to the monitor, or SCOM itself, so it can run VBScripts under a certain user account...

    The script I am using is:

    Set oComp = GetObject(tsCompA)
    Set oServiceA = oComp.GetObject("Service", tsService)

    I don't want to put the user account directly in the script because other people will see the passwords...

    Thanks!

    Thursday, October 14, 2010 6:47 PM

Answers

  • Hi,

    You can create a RunAs profile, associate your rule\monitor with this profile in your management pack, and then populate the profile with account(s). You can use this example (the profile and its association with the monitor are in bold):

     <ManagementPack ContentReadable="true" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <Manifest>
        <Identity>
          <ID>Demo</ID>
          <Version>1.0.0.1</Version>
        </Identity>
        <Name>Demo</Name>
        <References>
          <Reference Alias="SC">
            <ID>Microsoft.SystemCenter.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="Windows">
            <ID>Microsoft.Windows.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="Health">
            <ID>System.Health.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="System">
            <ID>System.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
        </References>
      </Manifest>
      <TypeDefinitions>
        <SecureReferences>
          <SecureReference ID="Demo.SecureReference" Accessibility="Public" Context="SC!Microsoft.SystemCenter.Agent" />
        </SecureReferences>
      </TypeDefinitions>
      <Monitoring>
        <Monitors>
          <UnitMonitor ID="Demo.Script.Monitor" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" RunAs="Demo.SecureReference" TypeID="Windows!Microsoft.Windows.TimedScript.TwoStateMonitorType" ConfirmDelivery="false">
            <Category>AvailabilityHealth</Category>
            <OperationalStates>
              <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success" />
              <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning" />
            </OperationalStates>
            <Configuration>
              <IntervalSeconds>15</IntervalSeconds>
              <SyncTime />
              <ScriptName>MyScript.vbs</ScriptName>
              <Arguments />
              <ScriptBody><![CDATA[
                    ' Enter a script that outputs a property bag
                    ' Example VBScript:
                    '
                    ' Dim oAPI, oBag
                    ' Set oAPI = CreateObject("MOM.ScriptAPI")
                    ' Set oBag = oAPI.CreatePropertyBag()
                    ' Call oBag.AddValue("Status","OK")
                    ' Call oAPI.Return(oBag)
                  ]]></ScriptBody>
              <SecureInput />
              <TimeoutSeconds>60</TimeoutSeconds>
              <ErrorExpression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Property[@Name='State']</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value Type="String">Bad</Value>
                  </ValueExpression>
                </SimpleExpression>
              </ErrorExpression>
              <SuccessExpression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Property[@Name='State']</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value Type="String">Good</Value>
                  </ValueExpression>
                </SimpleExpression>
              </SuccessExpression>
            </Configuration>
          </UnitMonitor>
        </Monitors>
      </Monitoring>
      <LanguagePacks>
        <LanguagePack ID="ENU" IsDefault="true">
          <DisplayStrings>
            <DisplayString ElementID="Demo">
              <Name>Demo</Name>
            </DisplayString>
            <DisplayString ElementID="Demo.Script.Monitor">
              <Name>Demo monitor</Name>
            </DisplayString>
            <DisplayString ElementID="Demo.SecureReference">
              <Name>Demo Profile</Name>
              <Description />
            </DisplayString>
          </DisplayStrings>
        </LanguagePack>
      </LanguagePacks>
    </ManagementPack>

     


    http://OpsMgr.ru/
    • Proposed as answer by Vivian Xing Friday, October 15, 2010 8:13 AM
    • Marked as answer by Zenar Friday, October 15, 2010 12:53 PM
    Thursday, October 14, 2010 7:20 PM
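
As an added example (not part of the original answer), here is one possible script body for a monitor like the one above: it performs the question's ADSI service check under whatever account the RunAs profile supplies, so no credentials appear in the script, and returns the `State` property with the `Good`/`Bad` values the monitor's expressions test. The two script arguments and the `Detail` and `RunningAs` property names are assumptions made for illustration.

```vbscript
' Added example: script body for a monitor such as Demo.Script.Monitor.
' Assumption: <Arguments> supplies the computer name and service name.
Option Explicit
Const ADS_SERVICE_RUNNING = 4   ' IADsServiceOperations.Status value

Dim oAPI, oBag, oComp, oSvc
Dim sComputer, sService, sState, sDetail, nStatus, nErr, sErr

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
sState = "Bad"

If WScript.Arguments.Count < 2 Then
    sDetail = "Expected arguments: <computer> <service>"
Else
    sComputer = WScript.Arguments(0)
    sService = WScript.Arguments(1)

    ' Capture the first failure, then restore normal error handling
    On Error Resume Next
    Set oComp = GetObject("WinNT://" & sComputer & ",computer")
    If Err.Number = 0 Then Set oSvc = oComp.GetObject("Service", sService)
    If Err.Number = 0 Then nStatus = oSvc.Status
    nErr = Err.Number
    sErr = Err.Description
    On Error GoTo 0

    If nErr <> 0 Then
        ' Access denied typically surfaces here as 80070005 (E_ACCESSDENIED)
        sDetail = "Error 0x" & Hex(nErr) & ": " & sErr
    ElseIf nStatus = ADS_SERVICE_RUNNING Then
        sState = "Good"
        sDetail = "Running"
    Else
        sDetail = "Not running, status code " & nStatus
    End If
End If

' State drives the monitor; RunningAs records which account ran the check
Call oBag.AddValue("State", sState)
Call oBag.AddValue("Detail", sDetail)
Call oBag.AddValue("RunningAs", CreateObject("WScript.Network").UserName)
Call oAPI.Return(oBag)
```

The `RunningAs` value makes it easy to confirm that the workflow is executing under the profile's account rather than the agent's default account.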

All replies

  • See Alex's detailed reply. This is by design - if the agent is running with the Local System default permissions and you have not added specific domain credentials to your management pack via a Run As profile, then any workflow that attempts to access off-host resources will always fail. The Local System account is sandboxed and is never allowed to call over a network by Windows.
    Microsoft Corporation
    Friday, October 15, 2010 1:22 AM
  • Yep I see that and now it's working great :-D

    Thanks a lot Alexey :-)

    Friday, October 15, 2010 12:55 PM