
Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.


Run tasks with extended permissions

Tasks are programs that you can run directly from the Operator console. They include basic commands like ping as well as more advanced commands for Active Directory troubleshooting. After you import more management packs you will get more tasks. You can also create your own tasks in the Administrator console, under Management Packs and Tasks.

When you run a task from the Operator console, it runs with the current user's permissions only. Operators often have very restricted permissions, but there is always a more trusted group of operators with slightly more permissions, and they usually have an "admin" account as well for basic administrative tasks. Unfortunately, you cannot use the non-admin account to run the Operator console and the "little-admin" account to run tasks, at least not with basic MOM functions.

If your operators have one regular account named Kalle and one named kalle-admin, you can change the command line for tasks to this:

cmd /C "runas.exe /noprofile /user:%username%-admin@domain.com "mmc compmgmt.msc -s /computer:"$TargetComputer$""

The program will then run as the user kalle-admin (if you are logged in as kalle), and you will be prompted to enter the password.

If you need to change both the login name and the password, it is a little more complicated. You then need a script that first asks for the username and password and then starts the program with those credentials. This script will do that for you:

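' Ask the operator which administrative account to use
strUserName = InputBox("Please input your administration username?", "UserName")
' The target computer is passed in as the first script argument
strComputer = WScript.Arguments(0)
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
' runas.exe prompts for the password itself, so the script never handles it
objShell.Run "runas.exe /noprofile /user:" & strUserName & " " & Chr(34) & "mmc compmgmt.msc /s /computer:" & strComputer & " " & Chr(34)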
 


To run this you will have to change the command line to scriptname.vbs $Computer Name$
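The script above concatenates the typed username and the computer argument straight into the runas.exe command line. The following variant is an added example, not part of the original post: it checks both values first, and the two allowed-character patterns are assumptions that you should adjust to your own naming rules.

```vbscript
Option Explicit
' Added example (not from the original post): validate both inputs before
' they are concatenated into the runas.exe command line.
Dim objShell, objRe, strUserName, strComputer

' The task must pass exactly one argument: the target computer
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: scriptname.vbs <computer>"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)

Set objRe = New RegExp
objRe.IgnoreCase = True

' Assumed policy: host name characters only (letters, digits, dot, hyphen)
objRe.Pattern = "^[a-z0-9]([a-z0-9.-]{0,253}[a-z0-9])?$"
If Not objRe.Test(strComputer) Then
    WScript.Echo "Rejected computer name: unexpected characters"
    WScript.Quit 1
End If

strUserName = InputBox("Please input your administration username?", "UserName")
' InputBox returns an empty string when the operator presses Cancel
If strUserName = "" Then WScript.Quit 0

' Assumed policy: user, DOMAIN\user or user@domain; no spaces or quotes
objRe.Pattern = "^[a-z0-9._-]+([\\@][a-z0-9._-]+)?$"
If Not objRe.Test(strUserName) Then
    MsgBox "Rejected user name: unexpected characters", vbExclamation, "UserName"
    WScript.Quit 1
End If

' Same launch as the original script; runas.exe still prompts for the password
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "runas.exe /noprofile /user:" & strUserName & " " & Chr(34) & _
    "mmc compmgmt.msc /s /computer:" & strComputer & Chr(34)
```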

