
SCOM 2019 Log On As A Service Management Pack Helper

One of the changes in SCOM 2019 is that RunAs accounts now require Log on as a service, instead of Log on locally, which I previously discussed here:

https://kevinholman.com/2019/03/14/security-changes-in-scom-2019-log-on-as-a-service/

If you deploy SCOM 2019 agents, and use RunAs accounts, you might see these events:

Log Name:      Operations Manager
Source:        HealthService
Event ID:      7002
Description:
The Health Service could not log on the RunAs account OPSMGR\testrunas for management group SC2019 because it has not been granted the “Log on as a service” right.

That would generate an alert:

[image: alert]

Normally, you would have to add this user right manually on each affected machine, or push it out with a GPO. The challenge with Group Policy is that it could wipe out any previous customizations that you or other software applications have made to this user right.

I created a management pack to help automate this change. The MP watches for the events about RunAs account logon failures, and if the event reports a missing Log on as a service right, a script runs and adds the account to that user right.

A single alert is generated each time the event is detected and the script runs to attempt to set this policy:

[image: alert]

An Event 7002 was detected with a RunAs account missing the Log on as a service user right on this agent.
A modification attempt was made for Log on as a service.
Result: User (OPSMGR\testrunas) was granted the Log on as a service privilege.
UserName: OPSMGR\testrunas

User right properties before modification: NT SERVICE\MSSQLSERVER S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
NT SERVICE\SQLSERVERAGENT S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430
NT SERVICE\MSSQLFDLauncher S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582
NT SERVICE\SQLTELEMETRY S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
NT SERVICE\ALL SERVICES S-1-5-80-0
OPSMGR\om_dwr S-1-5-21-3626055071-1639654894-2113106914-1260
OPSMGR\sqlsvc S-1-5-21-3626055071-1639654894-2113106914-1110
SCSQL1\SQLServer2005SQLBrowserUser$SCSQL1 S-1-5-21-147125434-116438822-401272363-1000

User right properties after modification: NT SERVICE\MSSQLSERVER S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
NT SERVICE\SQLSERVERAGENT S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430
NT SERVICE\MSSQLFDLauncher S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582
NT SERVICE\SQLTELEMETRY S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
NT SERVICE\ALL SERVICES S-1-5-80-0
OPSMGR\testrunas S-1-5-21-3626055071-1639654894-2113106914-1281
OPSMGR\om_dwr S-1-5-21-3626055071-1639654894-2113106914-1260
OPSMGR\sqlsvc S-1-5-21-3626055071-1639654894-2113106914-1110
SCSQL1\SQLServer2005SQLBrowserUser$SCSQL1 S-1-5-21-147125434-116438822-401272363-1000

Event Description that triggered this response:
The Health Service could not log on the RunAs account OPSMGR\testrunas for management group SC2019 because it has not been granted the “Log on as a service” right.
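The flow the MP automates (match the 7002 description, pull out the RunAs account, grant Log on as a service without touching the other assignments), as an added example written for this page. It is not the MP's own script, which, as the error text in the comments shows, loads a PS_LSA wrapper through Add-Type; this version uses secedit instead. Function names, the file paths under $env:TEMP and the assumption that it runs elevated on the agent are all mine, not the MP's.

```powershell
# Added example, not the management pack's script. Assumes an elevated PowerShell session on
# the SCOM agent and that secedit.exe is present (it ships with Windows). Function names are invented.

function Get-RunAsAccountFromEvent7002 {
    # Extract the RunAs account and management group from the 7002 description text.
    param([Parameter(Mandatory=$true)][string]$Message)
    $pattern = 'could not log on the RunAs account (\S+) for management group (\S+) because it has not been granted the .Log on as a service. right'
    if ($Message -match $pattern) {
        return [pscustomobject]@{ Account = $Matches[1]; ManagementGroup = $Matches[2] }
    }
    return $null
}

function Resolve-AccountSid {
    # Name -> SID. This is the step behind "Some or all identity references could not be translated":
    # the agent cannot resolve the name (domain unreachable, account deleted, or mistyped).
    param([Parameter(Mandatory=$true)][string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Account' to a SID on this machine: $($_.Exception.Message)"
    }
}

function Get-ServiceLogonRightAssignments {
    # Export only the user-rights area of local policy and return the current SeServiceLogonRight
    # list. Entries look like *S-1-5-80-0 (a SID) or a plain account name.
    $export = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Grant-ServiceLogonRight {
    # Append one SID to SeServiceLogonRight. A template applied with /configure REPLACES the
    # right's membership, so the existing list is re-emitted with the new SID appended; that is
    # what keeps SQL service SIDs and other customizations intact (unlike a blanket GPO).
    param([Parameter(Mandatory=$true)][string]$Account)
    $sid    = Resolve-AccountSid -Account $Account
    $before = Get-ServiceLogonRightAssignments
    if ($before -contains "*$sid") {
        return [pscustomobject]@{ Account = $Account; Sid = $sid; Changed = $false; Before = $before; After = $before }
    }
    $after = @($before) + "*$sid"
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = {SIDLIST}
'@
    # String.Replace is used rather than -replace so a '$' in an account name is never treated as a group reference.
    $template = $template.Replace('{SIDLIST}', ($after -join ','))
    $cfg = Join-Path $env:TEMP 'grant-service-logon.inf'
    $db  = Join-Path $env:TEMP 'grant-service-logon.sdb'
    Set-Content -Path $cfg -Value $template -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    $applied = Get-ServiceLogonRightAssignments
    return [pscustomobject]@{
        Account = $Account; Sid = $sid
        Changed = ($applied -contains "*$sid")
        Before  = $before; After = $applied
    }
}

function Invoke-Event7002Remediation {
    # Read recent 7002 events from the Operations Manager log and remediate each distinct account.
    # -ManagementGroup mirrors the MP's check that the event belongs to the group the MP serves.
    param([string]$ManagementGroup)
    $filter = @{ LogName = 'Operations Manager'; ProviderName = 'HealthService'; Id = 7002 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
    $done = @{}
    foreach ($e in $events) {
        $parsed = Get-RunAsAccountFromEvent7002 -Message $e.Message
        if (-not $parsed) { continue }
        if ($ManagementGroup -and $parsed.ManagementGroup -ne $ManagementGroup) { continue }
        if ($done.ContainsKey($parsed.Account)) { continue }
        $done[$parsed.Account] = Grant-ServiceLogonRight -Account $parsed.Account
    }
    return $done.Values
}

# Constructed sample (the 7002 description quoted on this page) to exercise the parser without a live event.
$sample = 'The Health Service could not log on the RunAs account OPSMGR\testrunas for management group SC2019 because it has not been granted the "Log on as a service" right.'
Get-RunAsAccountFromEvent7002 -Message $sample
```

Run Invoke-Event7002Remediation -ManagementGroup SC2019 on an agent to process its own 7002 events; the returned objects carry the Before and After lists, the same information the MP writes into its alert description. The name-to-SID translation is isolated in its own function so the "identity references could not be translated" failure reported in the comments surfaces with the account name attached instead of a bare exception. Using secedit rather than Add-Type also sidesteps the compile error quoted later in the comments: C# optional parameters ("Default parameter specifiers are not permitted") are rejected by the older C# compiler that PowerShell 2.0 hosts use.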


You can download this MP here:

https://gallery.technet.microsoft.com/SCOM-2019-RunAs-Helper-989c2876

16 Comments

  1. Ben M

    Would it be possible to adjust this with an override to allow specifying a group/service account to add rather than just adding the service account it is erroring on?

    • Kevin Holman

      I cannot really just add a group… but that is something you could add to this example.

      What’s the reasoning? You want to add a group every time there is an error, instead of an individual account? Or you want to add a specific group, anytime the account is specific? I’d recommend you just customize yours in the script with that logic.

      • Ben M

        The reasoning is more that we have a group that we want on all servers to have log on as a service permissions (but for obvious reasons, don’t want to add to a GPO) and we add runas accounts to it as needed, so if the server is kicking back a runas account, it’s more that it needs to add that group than it needs that specific service account (and we prefer to use groups instead of individual service accounts). I have a script that I can run as needed when it pops up that a server doesn’t have the group, but doing it as a response to an alert automatically would be nice.

        • Kevin Holman

          Then just go into the MP, in the script – and hard code the value for the account to add. It is normally passed in as a parameter to the script from the event, but you can change this easily in PowerShell with one line.

  2. Jones

    Hey Kevin,

    Great idea on this management pack!

    Got an issue though, when it runs I get this error (username hidden due to security):

    Result: Error attempting to grant the Log on as a service privilege to account: (####USERNAME#####).
    Error is (Exception calling “AddPrivilege” with “2” argument(s): “Some or all identity references could not be translated.”).

    Any ideas?

    Thanks

    • Kevin Holman

      Interesting. Can you run the script manually and does it work?

      If you follow the events in the event log – can you tell which line is failing?

  3. Pingback: System Center Nisan 2019 Bülten – Sertaç Topal

  4. Emmanuel

    On domain controllers, the MP reports an error with attempting to grant the Log on as a service right:

    ============================================
    Result: Error attempting to grant the Log on as a service privilege to account: (<>).
    Error is (Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.” Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.” Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.”).

    UserName: <>

    User right properties before modification: <>

    User right properties after modification: <>
    ============================================

    However, it is succeeding in adding that account.

  5. Steffen

    Any idea why the MP is not triggering on the alerts?
    Event ID 7002 is present in the operationsmanager log, but nothing happens.

    When adding the account manually and restarting the agent, the SCOM alert disappears.

    • Kevin Holman

      This MP does not trigger ONLY on a 7002 event.

      This MP triggers when

      The target is an AGENT (not a MS or GW)
      EventID = 7002
      Event Source = HealthService
      Param3 = The management Group name you have imported the MP into.
      Param4 = “Log on as a service”

      This script will log 7003 events in the OpsMgr event log on the agent, if it is triggered.

      • Steffen

        All criteria (log and parameters) are met and correct but no 7003 event.
        We rebooted the agents and services and the event 7002 gets updated in the log every 5-15 minutes, but no 7003.

        Another idea ?

  6. Anthony

    Great work Kevin, this is working on the whole but I get this response for some of the results
    ___
    Result: Error attempting to grant the Log on as a service privilege to account: (*****\*****).
    Error is (Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.”).
    ___
    Any ideas please?

  7. Clare

    Hi Kevin,

    Question, does the MP start running the script straight away once it's installed, as long as it finds the event IDs (which it will as we have loads of them!)? Or do you have to manually trigger it as a start (or can you pause or disable it before it runs)?

    We would like to test the script on a few PCs before distributing it on a network wide scale. We have a test system we can put the VM on and test the pack but if you could let us know that would be easier. As the pack doesn’t include the script separately we cannot test until we install the pack.

    I am quite new to SCOM and this new 2019 feature has been a huge pain, some of our servers we cannot reboot so we are stuck with them not being monitored until we can get downtime (which will be difficult). I know there is a work-around but there is no point deploying that as we shouldn’t really be using work-arounds.

    Not quite sure how everyone else is dealing with this issue, I imagine there are a few corporations that have servers they cannot just reboot…also we are having the same issue with the DCs with regards to adding the service account to logon as a service. Even trying to add the service account manually (local GP) to the ‘Logon as a service’ doesn’t work, it's greyed out. Similar to a few of our 2K8 servers too.

    We cannot add it via GPO as we don't have the option set up (so it would overwrite all of the current configs for logon as a service)

    Any help would be appreciated,

    Regards,
    Clare

    • Kevin Holman

      Simply open the XML, edit the rule to enabled = false

      Then you can override the rule for a handful of test systems to enabled = true

  8. Henning

    Hi Kevin,
    thanks a lot for your extremely helpful “Helper”-MP.
    On some of our nodes the configuration script produces an error which is written in the alert description of the warning alert. Excerpt:
    […]
    A modification attempt was made for Log on as a service.

    Result: Error attempting to enumerate existing accounts.
    No modifications were made.
    Error is (The variable ‘$lsa’ cannot be retrieved because it has not been set. Cannot find type [PS_LSA.LsaWrapper]: make sure the assembly containing this type is loaded. Cannot add type. There were compilation errors. c:\Windows\Temp\smqwsonl.0.cs(162) : Default parameter specifiers are not permitted

    c:\Windows\Temp\smqwsonl.0.cs(161) :

    c:\Windows\Temp\smqwsonl.0.cs(162) : >>> public string[] EnumerateAccountsWithUserRight(Rights privilege, bool resolveSid = true)

    c:\Windows\Temp\smqwsonl.0.cs(163) : {
    )
    […]

    Probably some local prerequisites are missing? Can it be executed on Server 2008 or what is the minimum OS-version?
    Is it possible to start the script manually for better debugging?

    Best regards
