Run a task with another account

If operators needs to run a task that they normally don’t have permissions to run you can use run as accounts and profiles. I was trying that in Ops Mgr 2007 R2 this week.

In my first scenario I needed operators in the user profile Contoso Operators to run the computer management task against a number of machines. But the operators don’t have permissions enough on the target machines. So I created a account under run as accounts and configure a new run as profile. In the profile I specified the account and target a group. In that group I had added a couple of health service objects, as the computer management task are target to the health service class. This worked, but everything target to health service was affected by the new run as account. The result was a working task but a couple of new “run-as-profile-account” alerts in the console.

My second idea was to create a new management pack including a new class and discovery rules for something on all the needed machines. I built this in the R2 Authoring Console. There are some good info about author management packs at this page.

When the discovery was working I added a task to run the computer management console. I then created a new profile, selected the same account as in the first scenario but target only my new class. When a operator now runs the task, it is target to the new class, and the profile with a specified account is also target to this new class. The result is that a operator can run the computer management task, with the specified account, even if they dont have enought permissions on their logged on domain account.

About

Microsoft

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.