We will start by assign the Orchestrator Remote Users Group suitable DCOM permissions<\/p>\n
- \n
- On the Orchestrator Management Server, start Component Services from the start\u00c2\u00a0menu<\/li>\n
- In the Component Services console, expand Component Services, expand Computers and expand DCOM Config<\/li>\n
- In the list of DCOM applications scroll down and select omanagement. Right-click the omanagement DCOM application and select properties from the context meny
\n![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_01-300x194.jpg\" "\\"20120409_01\\"")
<\/li>\n - In the omanagement Properties window, click the Security tab<\/li>\n
- Click Edit in the Launch and Activation Permissions area, click Add and add the grp-sco-remoteusers security group from Active Directory. Assign the grp-sco-remoteusers\u00c2\u00a0security group Remote Launch and Remote Activiation permissions. Click OK<\/li>\n
- Click Edit in the Access Permissions area, click Add and add the grp-sco-remoteusers\u00c2\u00a0security group from Active Directory. Assign the grp-sco-remoteusers\u00c2\u00a0security group Remote Access and Local Access permissions. Click OK<\/li>\n
- In the Component Services console, right-click My Computer and select properties from the context menu<\/li>\n
- In the My Computer Properties box, select the COM Security tab<\/li>\n
- Click Edit Limits\u00e2\u20ac\u00a6 in the Access Permissions area. Click Add and add the grp-sco-remoteusers\u00c2\u00a0security group from Active Directory. Assign the grp-sco-remoteusers\u00c2\u00a0security group Remote Access permissions. Click OK<\/li>\n
- Click Edit Limits\u00e2\u20ac\u00a6 in the Launch and Activation Permissions area. Click Add and add the grp-sco-remoteusers\u00c2\u00a0security group from Active Directory. Assign the grp-sco-remoteusers\u00c2\u00a0security group Remote Launch and Remote Activation permissions. Click OK<\/li>\n
- Close the Component Services console 12.\u00c2\u00a0After all permissions are configured, on the Orchestrator Management server, start the Services console and restart the Orchestrator Management Service (ManagementService.exe ). If a user dont have correct DCOM permissions to access Orchestrator you will see a error message in the Runbook Designer console, like the one below<\/li>\n<\/ol>\n
![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_031-300x112.jpg\" "\\"20120409_03\\"")
<\/a> and on the Orchestrator management server you will see a event like this ![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_04-300x190.jpg\" "\\"20120409_04\\"")
<\/a><\/p>\nAll users that will work with the Orchestrator Runbook Designer console needs read permissions to the top level of the Runbooks folder navigation tree. To assign the grp-sco-remoteusers\u00c2\u00a0security group permissions to the root level follow these steps<\/p>\n
- \n
- Start the Orchestrator Runbook Designer console as an Orchestrator administrator<\/li>\n
- Right-click the Runbooks folder and select Permissions from the context menu<\/li>\n
- In the Permissions for Runbooks dialog box, click Add.. and add the grp-sco-remoteusers\u00c2\u00a0security group from Active Directory<\/li>\n
- In the Permissions for Runbooks dialog box, un-selected everything except Read as permissions for the grp-sco-remoteusers\u00c2\u00a0group<\/li>\n
- In the Permissions for Runbooks dialog box, click Advanced<\/li>\n
- In the Advanced Security Settings for Runbooks dialog box, select the grp-sco-remoteusers\u00c2\u00a0security group and click Edit\u00e2\u20ac\u00a6<\/li>\n
- In the Permissions Entry for Runbooks dialog box, change the Apply To drop-down menu to This object only<\/li>\n
- In the Permissions Entry for Runbooks dialog box, click OK<\/li>\n
- In the Advanced Security Settings for Runbooks dialog box, click OK<\/li>\n
- In the Permissions for Runbooks dialog box, click OK<\/li>\n<\/ol>\n
Depending on your environment the different teams need different access to runbook servers. To assign the grp-sco-remoteusers\u00c2\u00a0access to all Runbook Servers follows these steps:<\/p>\n
- \n
- Start the Orchestrator Runbook Designer console as an Orchestrator administrator<\/li>\n
- Right-click the Runbook Servers folder and select Permissions from the context menu<\/li>\n
- In the Permissions for Runbook Servers dialog box, click Add and add the grp-sco-remoteusers security group from Active Directory. Click OK<\/li>\n
- In the Permissions for Runbook Servers dialog box, un-select all permissions for the grp-sco-remoteusers group\u00c2\u00a0except Read. Click Ok<\/li>\n<\/ol>\n
Your different teams will also need access to Global Settings. To give the grp-sco-remoteusers\u00c2\u00a0security group permissions to list Global Settings follow these steps:<\/p>\n
- \n
- Start the Orchestrator Runbook Designer console as an Orchestrator administrator<\/li>\n
- Expand Global Settings, one by one, right-click Counters, Variables and Schedules. Select Permissions from the context menu<\/li>\n
- In the Permissions dialog box, click Add, add the grp-sco-remoteusers\u00c2\u00a0security group from Active Directory. Click OK<\/li>\n
- In the Permissions dialog box, select the grp-sco-remoteusers\u00c2\u00a0group and click Advanced<\/li>\n
- In the Advanced Security Settings dialog box, select the grp-sco-remoteusers\u00c2\u00a0security group and click Edit<\/li>\n
- In the Permission Entry dialog box, change Apply To to This object only, and select only List Contents and Read Properties permissions. Click OK<\/li>\n
- In the Advanced Security Settings dialog box, click OK 8. In the Permissions dialog box, click OK<\/li>\n<\/ol>\n
You have now configured the grp-sco-remoteusers\u00c2\u00a0security group with general permissions to remote connect to the Orchestrator management server with the Orchestrator Runbook Designer console. The security group doesn’t have access to anything in the Orchestrator Runbook Designer console (except Runbook Servers), when a user in this group click for example Variables an error like the own below will show.<\/p>\n
![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_02-300x143.jpg\" "\\"20120409_02\\"")
<\/a><\/p>\nThe next step is to configure permissions for the different teams, in this example the Service Manager team, group grp-sco-scsmteam. We will create a new Runbook folder where the Service Manager team can work with Runbooks.<\/p>\n
- \n
- Start the Orchestrator Runbook Designer console as an Orchestrator administrator<\/li>\n
- Right-click the Runbooks folder and select new folder<\/li>\n
- Name the folder Service Manager Team<\/li>\n
- Right-click the Service Manager Team folder and select Permissions from the context menu<\/li>\n
- In the Permissions for Service Manager Team dialog box, click Add and add the grp-sco-scsmteam\u00c2\u00a0security group from Active Directory. Click OK<\/li>\n<\/ol>\n\n
The Service Manager team need access to global settings too<\/p>\n
- \n
- Start the Orchestrator Runbook Designer console as an Orchestrator administrator. Navigate to Global Settings<\/li>\n
- Under Counters, Variables and Schedules create a folder and name it Service Manager Team<\/li>\n
- Right-click each new folder and select permissions from the context menu. Click Add and add the grp-sco-scsmteam\u00c2\u00a0security group from Active Directory. Click OK<\/li>\n<\/ol>\n\n
\u00c2\u00a0We have now created a runbook folder for the Service Manager team runbooks and then created one folder for each kind of global setting.\u00c2\u00a0The Service Manager team can now work with their\u00c2\u00a0own runbooks but cant see or modify any other runbooks or settings.<\/p>\n
One thing to think about, that could result in multiple Orchestrator environments, is that the settings that are under the Options menu will be shared with everyone running the Runbook Designer console. There is no easy way to limit access to for example the Active Directory connection or the Virtual Machine Manager connection. This is something to think about when doing the security design for Orchestrator.<\/p>\n
![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_05-246x300.jpg\" "\\"20120409_05\\"")
<\/a><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"In this post I will show you what you need to configure to allow engineers connect remote\u00c2\u00a0to the Orchestrator\u00c2\u00a0environment\u00c2\u00a0without Orchestrator administrator permissions. After Orchestrator installation we have one security group, the Orchestrator User Group. If your Orchestrator environment is in an Active Directory domain you should use an Active Directory security group as the Orchestrator … Continue reading
![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_031.jpg\" "\\"20120409_03\\"")
<\/a> and on the Orchestrator management server you will see a event like this ![\"\"](\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/04\/20120409_04.jpg\" "\\"20120409_04\\"")
<\/a><\/p>\n