Launching a Task Has Different Permissions

  • Question

  • Hello,

    I am running SCOM 2012 R2 UR13.  I created a task in SCOM to enable folder auditing on a group of clients.  The task is a simple batch file that enables "Object Access" auditing using the auditpol command.  The other command is to enable auditing on a folder on the C: drive using the command SetACL.exe.  The batch file works when I am signed on as a domain account with Admin rights to the computer, but when I launch it through SCOM, SetACL fails with this error below.  The account I am using is the same account I use when I am physically at the computer:

    SetACL finished with error(s):
    SetACL error message: A privilege could not be enabled
    Operating system error message: Not all privileges or groups referenced are assigned to the caller.

    I disabled UAC on the clients, I made the account a member of "Backup Operators" so I can have the backup and restore files privileges.  What else do I need to have this executable run through a SCOM task?

    Friday, February 8, 2019 4:06 PM

Answers

  • Hello,

    I found out the problem.  I compared the UAC registry entries of a working agent, to one that fails, and I noticed the failed agent has one more entry.  The failed agent has the entry "FilterAdministratorToken" set to "0".  I changed it to "1", and I rebooted, then I was able to run the task.  Thank you for your help.

    • Marked as answer by jsetaro Tuesday, February 19, 2019 1:56 PM
    Tuesday, February 19, 2019 1:56 PM
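    As an added diagnostic example (not code from this thread), the PowerShell script below records the UAC policy values the answer above compares, plus the privilege state of the token a task actually runs under; run it as a SCOM agent task on a working and a failing agent and diff the two reports. The output path and the `Test-TaskToken` function name are assumptions.

```powershell
# Added example: report UAC policy values and the privileges present in the
# token this task runs under, so a working and a failing agent can be compared.
# Assumes it is launched non-interactively (e.g. as a SCOM agent task) under the
# Run As account. $OutFile is a placeholder path.
function Test-TaskToken {
    param([string]$OutFile = 'C:\Temp\task-token-report.txt')

    $uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacNames = 'EnableLUA', 'FilterAdministratorToken',
                'LocalAccountTokenFilterPolicy', 'ConsentPromptBehaviorAdmin'

    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $report = New-Object System.Collections.Generic.List[string]
    $report.Add("Computer    : $env:COMPUTERNAME")
    $report.Add("Token user  : $($id.Name)")
    $report.Add("Interactive : $([Environment]::UserInteractive)")
    # False here with an admin account means the task got a filtered (UAC) token.
    $report.Add("Elevated    : $isElevated")

    # UAC policy values; a value that is absent is reported, not assumed.
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    foreach ($n in $uacNames) {
        $v = if ($uac -and $uac.PSObject.Properties[$n]) { $uac.$n } else { '<not set>' }
        $report.Add(('UAC {0,-30}: {1}' -f $n, $v))
    }

    # whoami /priv lists only privileges present in the token, Enabled or Disabled.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($p in $privs) {
        $report.Add(('{0,-32} {1}' -f $p.'Privilege Name', $p.State))
    }
    $takeOwn = $privs | Where-Object { $_.'Privilege Name' -eq 'SeTakeOwnershipPrivilege' }
    if ($null -eq $takeOwn) {
        # SetACL can only enable a privilege the token already holds.
        $report.Add('SeTakeOwnershipPrivilege is NOT in this token; a filtered admin token is likely.')
    }

    $report | Set-Content -Path $OutFile
    return $report
}

Test-TaskToken
```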

All replies

  • Hi,

    If I understand correctly, we create an agent task with Command Line under Authoring, Management Pack Objects, Tasks.

    Click an alert or object to see tasks for that alert or object. Click a task to run the task.

    Tasks use the default action account, unless we specify other credentials in this dialog box. For our problem, which one did we choose? Manually entering the credentials? If so, please use the predefined Run As account to see if it works.

    Hope the above information helps.

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, February 11, 2019 6:48 AM
  • Hello,

    I use the Run As account when I launch the task.  This user has Admin rights to the client.  This account also works when I am physically at the client, but not when I launch it from the task.

    Monday, February 11, 2019 2:02 PM
  • Hi,

    If we manually enter the credential (with which we physically logged on to the client computer), as shown in the third picture above, does it work? This is to confirm which account Operations Manager uses when running the task.

    Regards,

    Alex Zhu
    Tuesday, February 12, 2019 4:18 AM
  • Hello,

    If I enter a local Admin's credentials when launching the task, the task fails.  If I physically sign on to the computer as that Admin, then the batch file which I am trying to launch through a task works.

    Tuesday, February 12, 2019 2:51 PM
  • Hi,

    For this issue, I tried to replicate it in the lab and it works. From the error message, it seems the task is invoked successfully. Maybe our problem is related to the batch file itself. Here are the steps I performed:

    1. Download the third-party SetACL tool from https://helgeklein.com/download/
    2. Extract the file on the target computer, create a New Folder and a batch file.
       The batch file content:
       cd "D:\SetACL (executable version)\64 bit"
       d:
       SetACL.exe -on "D:\SetACL (executable version)\64 bit\New folder" -ot file -actn ace -ace "n:sc\alex;p:change"
    3. Create a standard user in ADUC (dsa.msc), which is not a member of the local Administrators group.
    4. Create a task in the Operations Manager console in the Authoring pane.
    5. In the Monitoring pane, locate the target computer and run the task; it succeeds.

    Some screenshots for your reference (images not included): the tool folder; create the task; run the task with user test; and it succeeds; verify the permission has been added.

    Hope the above information helps.

    Regards,

    Alex Zhu
    • Proposed as answer by vrkumar01 Wednesday, February 13, 2019 10:00 AM
    Wednesday, February 13, 2019 8:38 AM
  • Hello,

    I downloaded the latest version of SetACL.exe, and this time it gave me the reason why it fails:

    Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted

    The batch file gives the user the "Take Ownership" privilege before SetACL kicks off, yet it gives me this error.

    Wednesday, February 13, 2019 3:21 PM
  • Hi,

    Thank you very much for the reply. Glad to hear of the progress on the problem.

    So, we have found it had nothing to do with the run as account of operations manager task, right? If the previous reply is helpful, you can mark it so that it will help others who are facing the same situation.

    In addition, for this problem, is there any other assistance we can provide?

    Regards,

    Alex Zhu
    Thursday, February 14, 2019 7:53 AM
  • Hello,

    The problem is not resolved.  The problem is still that the task runs with no issues when I am physically at the client, but fails when I launch the SCOM task using the same credentials.  SCOM does not grant "Take Ownership" privileges to the task.

    Thursday, February 14, 2019 1:38 PM
  • Hi,

    If possible, could you share your batch file? We are not familiar with the third-party tool SetACL; however, we can try our best to replicate it. After all, the following command works during our lab test.

    SetACL.exe -on "D:\SetACL (executable version)\64 bit\New folder" -ot file -actn ace -ace "n:sc\alex;p:change"

    If we run an Operations Manager agent task, a MonitoringHost process is created to launch the task using the credentials provided. After the task is finished, the process ends. We can track this in Task Manager.

    Hope the above information helps.

    Regards,

    Alex Zhu

    Monday, February 18, 2019 4:15 AM