
Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.


Run a task with another account

If operators need to run a task that they normally don’t have permission to run, you can use Run As accounts and profiles. I was trying that in Ops Mgr 2007 R2 this week.

In my first scenario I needed operators in the user profile Contoso Operators to run the computer management task against a number of machines. But the operators don’t have enough permissions on the target machines. So I created an account under Run As accounts and configured a new Run As profile. In the profile I specified the account and targeted a group. In that group I had added a couple of health service objects, as the computer management task is targeted to the health service class. This worked, but everything targeted to health service was affected by the new Run As account. The result was a working task but a couple of new “run-as-profile-account” alerts in the console.

My second idea was to create a new management pack including a new class and discovery rules for something on all the needed machines. I built this in the R2 Authoring Console. There is some good info about authoring management packs at this page.

When the discovery was working I added a task to run the computer management console. I then created a new profile, selected the same account as in the first scenario, but targeted only my new class. When an operator now runs the task, it is targeted to the new class, and the profile with a specified account is also targeted to this new class. The result is that an operator can run the computer management task, with the specified account, even if they don’t have enough permissions on their logged-on domain account.

