In this blog post, I’ll run through an example of how to associate a Run As Account with a script monitor.
In SCOM, permissions are delegated by defining a Run As Profile and linking a Run As Account to that profile. We will create the profile in the Management Pack, attach the profile to the monitoring workflow, and then configure the account in the profile.
The Run As Account holds the special permissions the script needs, for example to query a database.
1. Write the PS / VBScript you wish to use for monitoring, e.g. a monitor that runs a SQL Server database query [an example is in the Management Pack attached to this article].
2. Debug the custom script on the target server (debug a VBScript with the cscript command-line tool) under an account that has the required permissions, and make sure the result is correct.
3. Add a new Unit Monitor, then add the script and its property expressions.
4. Create a new Run As Profile in this monitor’s management pack.
5. Export the Management Pack containing the script and the new Run As Profile.
6. Open the MP with your preferred editor.
7. Copy the “RunAsProfile_ID” from the Secure Reference section:
8. Add the RunAs parameter to the unit monitor line:
Unit monitor without RunAs parameter:
<UnitMonitor ID="Unit.Monitor" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Custom.MyPSTransactionMonitorType.UnitMonitorType" ConfirmDelivery="false">
Unit Monitor with RunAs parameter:
<UnitMonitor ID="Unit.Monitor" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Custom.MyPSTransactionMonitorType.UnitMonitorType" ConfirmDelivery="false" RunAs="RunAsProfile_1905759fda4f4af2b2a8346fa2d7610a">
9. Save and import the updated Management Pack.
10. Add a ‘Run As Account’ to this ‘Run As Profile’.
To ensure that the process runs under the defined account:
- Add a “write to log” function that writes the name of the account running the script to the agent’s Operations Manager event log:
Add a “Log script event” call to the VBScript monitor:
' MOM.ScriptAPI is the SCOM scripting object that exposes LogScriptEvent
Set objAPI = CreateObject("MOM.ScriptAPI")
Set objNet = CreateObject("WScript.Network")
' Write event ID 5555 (severity 2) with the user name the script is running as
Call objAPI.LogScriptEvent("Script_Monitor.vbs", 5555, 2, objNet.UserName)
Add a “Write event log” call to the PowerShell script monitor:
Write-EventLog -LogName "Operations Manager" -Source "Health Service Script" -EventId 5555 -Message "Script running under account: $(whoami)"
- Open Task Manager on the target server and verify that one “monitoring host” process is running under this user account.
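To make that last check repeatable, here is an added PowerShell script (not part of the original post or the attached Management Pack) that lists which account each MonitoringHost.exe process runs under on the agent and cross-checks it against the event ID 5555 messages written by the monitor script. The expected account name is a parameter you supply; the log name and event ID are the ones used above.

```powershell
# Added example: verify the Run As account from the agent without Task Manager.
# Assumes the post's event ID 5555 and the "Operations Manager" log; the expected
# account (e.g. "CONTOSO\svc-scom-sql") is a placeholder you pass in.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedAccount
)

# 1. Enumerate every MonitoringHost.exe and resolve its owner via Win32_Process.GetOwner().
$hostProcs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'MonitoringHost.exe'"
$owners = foreach ($p in $hostProcs) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Account   = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
    }
}
$owners | Format-Table -AutoSize

# A Run As Profile that is mapped and distributed yields at least one host under that account.
$hits = @($owners | Where-Object { $_.Account -ieq $ExpectedAccount })
if ($hits.Count -eq 0) {
    Write-Warning "No MonitoringHost.exe runs as $ExpectedAccount; check the Run As Profile/Account mapping and credential distribution."
} else {
    Write-Host "MonitoringHost.exe PID(s) $($hits.ProcessId -join ', ') run as $ExpectedAccount."
}

# 2. Cross-check with the events the monitor script writes (event ID 5555 from the post).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 5555 } -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Flag events whose message does not mention the expected account.
    $flag = if ($e.Message -match [regex]::Escape($ExpectedAccount)) { 'OK ' } else { '?? ' }
    '{0}{1}  {2}' -f $flag, $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}
```

Run it in an elevated PowerShell session on the agent, since reading other users’ process owners and the Operations Manager log requires administrative rights.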