
How to add accounts from another domain into a SCOM User Role

Normally – when you have a trust with a remote account domain and you want to add users from the remote domain to SCOM, things go perfectly.

However, if the user account in the remote domain uses a UPN suffix that differs from the SAM account domain name, the SCOM UI blocks it.


For instance, I have a SCOM infrastructure in OPSMGR.NET (OPSMGR), but want to grant users in DMZ.CORP (DMZ) domain access.  This works fine, if the UPN domain name for my user is the same as the SAM account name.


In the image – I am trying to add DMZ\sqlmondmz account to my SQL Ops Team role:

image

When I check names – I can see the UPN domain is different from the actual DNS domain name of DMZ.CORP:

image

This results in the following error:


Date: 7/19/2016 2:25:18 PM
Application: Operations Manager
Application Version: 7.1.10226.1177
Severity: Error
Message:

Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user sqlmondmz@zzz.com associated with the user role. Error code 1332. Check your active directory configuration.
   at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
   at Microsoft.EnterpriseManagement.Common.Internal.SecurityConfigurationServiceProxy.UpsertUserRolesV2(ICollection`1 urUpdateResults, ICollection`1 urScopeUpdateResults, ICollection`1 urViewScopeUpdateResults, ICollection`1 urTaskScopeUpdateResults, ICollection`1 urConsoleTaskScopeUpdateResults, ICollection`1 urTemplateScopeUpdateResults, ICollection`1 urDashboardReferenceScopeUpdateResults, ICollection`1 urUserUpdateResults)
   at Microsoft.EnterpriseManagement.SecurityConfigurationManagement.UpdateUserRoles(ICollection`1 userRoles)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)


The workaround?

A common previous workaround to this was to add these accounts to a Global Group, then add the global group to the role.  This workaround did well when you needed to add a large number of users to an unscoped Operator role.  However, if you have a lot of different user roles with customized scopes, you will constantly be creating groups.  Another alternative?


Use PowerShell to add these users to the role:


# Get the existing role object, then write back its current member list plus the new account
$Role = Get-SCOMUserRole -Name "SQL Ops Team"
$Role | Set-SCOMUserRole -User ($Role.Users + "DMZ\sqlmondmz")


This doesn’t have the same UI restriction:

image
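Because the PowerShell path skips the console's name-resolution check, it will happily accept a mistyped account, so it is worth wrapping the two-liner in something that only adds accounts that are not already members and reads the role back afterwards so you can confirm exactly who now holds it. The function below is an added example, not code from the original post; it relies only on the OperationsManager module cmdlets used above, and the role name and account names in the usage line are placeholders.

```powershell
# Added example (not from the original post). Wraps the Get-SCOMUserRole /
# Set-SCOMUserRole workaround in a function that adds one or more accounts to a
# SCOM user role, skips accounts that are already members, and returns the
# membership as re-read from SCOM so the caller can verify the change.
# Assumption: the OperationsManager module is available (SCOM console or
# management server) and the session is already connected to the management group.

Import-Module OperationsManager

function Add-UserToScomRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Account     # e.g. 'DOMAIN\user' (placeholder)
    )

    $role = Get-SCOMUserRole -Name $RoleName
    if (-not $role) { throw "User role '$RoleName' not found." }

    # Current membership as returned by the SDK; -notcontains is case-insensitive
    $current = @($role.Users)
    $toAdd   = @($Account | Where-Object { $current -notcontains $_ })

    if ($toAdd.Count -eq 0) {
        Write-Verbose "All requested accounts are already members of '$RoleName'."
        return $current
    }

    # As used in the post, -User is given the full list (existing + new), so
    # existing members are preserved rather than replaced.
    $role | Set-SCOMUserRole -User ($current + $toAdd)

    # Re-read and return the membership so the caller can confirm the result
    (Get-SCOMUserRole -Name $RoleName).Users
}

# Usage (role and account names are placeholders):
# Add-UserToScomRole -RoleName 'SQL Ops Team' -Account 'DMZ\sqlmondmz' -Verbose
```

Compare the returned list against what you expected before moving on; a role with an unintended member grants that account the role's scope, and the membership list is the only place that shows it.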

2 Comments

  1. Karen

    Hi Sir Kevin,

    I am having issue when trying to add user or AD Group in any of the user roles in one of my Operations Console. But in other Operations Console it is working. I have an admin access in the console but still can’t add it.

    Also tried using Powershell command aside from adding it thru the Console, but still no luck:
    $Role = Get-SCOMUserRole -Name "OperationsManagerReadOnlyOperators"
    $Role | Set-SCOMUserRole -User ($Role.Users + "domain\sampleUser")

    Have you encountered this before?
