
SCOM 2019 Log On As A Service Management Pack Helper

One of the changes in SCOM 2019 is that RunAs accounts now require Log on as a service, instead of Log on locally, which I previously discussed here:

https://kevinholman.com/2019/03/14/security-changes-in-scom-2019-log-on-as-a-service/

If you deploy SCOM 2019 agents, and use RunAs accounts, you might see these events:

Log Name:      Operations Manager
Source:        HealthService
Event ID:      7002
Description:
The Health Service could not log on the RunAs account OPSMGR\testrunas for management group SC2019 because it has not been granted the “Log on as a service” right.

That would generate an alert


Normally, you’d have to add this user right manually on each affected machine, or push it out with a GPO. The challenge with Group Policy is that it could wipe out any previous customizations you or other software applications have made to this right.

I created a management pack which helps automate this change. The MP watches for the events about RunAs account logon failures, and if they contain an error about Log on as a service, a script runs and adds the account to that user right.

A single alert is generated each time the event is detected and the script runs to set this policy:


An Event 7002 was detected with a RunAs account missing the Log on as a service user right on this agent.
A modification attempt was made for Log on as a service.
Result: User (OPSMGR\testrunas) was granted the Log on as a service privilege.
UserName: OPSMGR\testrunas

User right properties before modification: NT SERVICE\MSSQLSERVER S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
NT SERVICE\SQLSERVERAGENT S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430
NT SERVICE\MSSQLFDLauncher S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582
NT SERVICE\SQLTELEMETRY S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
NT SERVICE\ALL SERVICES S-1-5-80-0
OPSMGR\om_dwr S-1-5-21-3626055071-1639654894-2113106914-1260
OPSMGR\sqlsvc S-1-5-21-3626055071-1639654894-2113106914-1110
SCSQL1\SQLServer2005SQLBrowserUser$SCSQL1 S-1-5-21-147125434-116438822-401272363-1000

User right properties after modification: NT SERVICE\MSSQLSERVER S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
NT SERVICE\SQLSERVERAGENT S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430
NT SERVICE\MSSQLFDLauncher S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582
NT SERVICE\SQLTELEMETRY S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
NT SERVICE\ALL SERVICES S-1-5-80-0
OPSMGR\testrunas S-1-5-21-3626055071-1639654894-2113106914-1281
OPSMGR\om_dwr S-1-5-21-3626055071-1639654894-2113106914-1260
OPSMGR\sqlsvc S-1-5-21-3626055071-1639654894-2113106914-1110
SCSQL1\SQLServer2005SQLBrowserUser$SCSQL1 S-1-5-21-147125434-116438822-401272363-1000

Event Description that triggered this response:
The Health Service could not log on the RunAs account OPSMGR\testrunas for management group SC2019 because it has not been granted the “Log on as a service” right.


You can download this MP here:

https://gallery.technet.microsoft.com/SCOM-2019-RunAs-Helper-989c2876
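As an added example (this is not the MP's own script, which is in the download above), the two steps the MP automates on an agent, sketched in PowerShell: find the HealthService 7002 events for a given management group, then grant SeServiceLogonRight to the named account with secedit while carrying over the existing holders, reporting before/after the way the alert does. The management group name, the account, and the temp file paths are assumptions; the name-to-SID step is where the "identity references could not be translated" error seen in the comments would surface.

```powershell
# Added example, not the MP's own script. Run elevated on the affected agent.
# Management group name and account are placeholders; the MP takes both from the event.
function Get-RunAsLogonFailures {
    param([Parameter(Mandatory)][string]$ManagementGroup)
    # HealthService 7002 events; account and MG are parsed from the rendered message
    # (the MP itself filters on Param3 = MG name and Param4 = 'Log on as a service').
    Get-WinEvent -FilterHashtable @{LogName='Operations Manager'; ProviderName='HealthService'; Id=7002} -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match '(?s)RunAs account (\S+) for management group (\S+) .*Log on as a service' -and $Matches[2] -eq $ManagementGroup) {
                [pscustomobject]@{ Account = $Matches[1]; Time = $_.TimeCreated }
            }
        }
}
function Get-ServiceLogonRightMembers {
    # Export the local user-rights policy and return who currently holds SeServiceLogonRight
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }
    return (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
}
function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    try {
        # Resolve to a SID first; this is the step that throws "identity references could not be translated"
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return "Error: could not resolve $Account ($($_.Exception.Message))" }
    $before = @(Get-ServiceLogonRightMembers)
    if ($before -contains "*$sid") { return "$Account already holds Log on as a service" }
    # secedit replaces the whole list for a right, so the existing holders are carried over
    $inf = Join-Path $env:TEMP 'secpol-grant.inf'
    $db  = Join-Path $env:TEMP 'secpol-grant.sdb'
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = {0}
'@ -f (($before + "*$sid") -join ',') | Set-Content $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
    $after = @(Get-ServiceLogonRightMembers)
    if ($after -contains "*$sid") { "Granted Log on as a service to $Account ($sid)" } else { "Error: $Account not present after configure" }
}
```

The HealthService picks up the new right only at its next logon attempt, so restart the agent afterwards as the comments below describe.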

12 Comments

  1. Ben M

    Would it be possible to adjust this with an override to allow specifying a group/service account to add rather than just adding the service account it is erroring on?

    • Kevin Holman

I cannot really just add a group… but that is something you could add to this example.

      What’s the reasoning? You want to add a group every time there is an error, instead of an individual account? Or you want to add a specific group, anytime the account is specific? I’d recommend you just customize yours in the script with that logic.

      • Ben M

        The reasoning is more that we have a group that we want on all servers to have log on as a service permissions (but for obvious reasons, don’t want to add to a GPO) and we add runas accounts to it as needed, so if the server is kicking back a runas account, it’s more that it needs to add that group than it needs that specific service account (and we prefer to use groups instead of individual service accounts). I have a script that I can run as needed when it pops up that a server doesn’t have the group, but doing it as a response to an alert automatically would be nice.

        • Kevin Holman

Then just go into the MP, in the script – and hard code the value for the account to add. It is normally passed in as a parameter to the script from the event, but you can change this easily in PowerShell with one line.

  2. Jones

    Hey Kevin,

    Great idea on this management pack!

    Got an issue though, when it runs I get this error (username hidden due to security):

    Result: Error attempting to grant the Log on as a service privilege to account: (####USERNAME#####).
    Error is (Exception calling “AddPrivilege” with “2” argument(s): “Some or all identity references could not be translated.”).

    Any ideas?

    Thanks

    • Kevin Holman

      Interesting. Can you run the script manually and does it work?

      If you follow the events in the event log – can you tell which line is failing?

3. Pingback: System Center Nisan 2019 Bülten – Sertaç Topal

  4. Emmanuel

    On domain controllers, the MP reports an error with attempting to grant the Log on as a service right:

    ============================================
    Result: Error attempting to grant the Log on as a service privilege to account: (<>).
    Error is (Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.” Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.” Exception calling “Translate” with “1” argument(s): “Some or all identity references could not be translated.”).

    UserName: <>

    User right properties before modification: <>

    User right properties after modification: <>
    ============================================

    However, it is succeeding in adding that account.

  5. Steffen

Any idea why the MP is not triggering on the alerts?
    Event ID 7002 is present in the Operations Manager log, but nothing happens.

    When adding the account manually and restarting the agent, the SCOM alert disappears.

    • Kevin Holman

      This MP does not trigger ONLY on a 7002 event.

      This MP triggers when

      The target is an AGENT (not a MS or GW)
      EventID = 7002
      Event Source = HealthService
      Param3 = The management Group name you have imported the MP into.
      Param4 = “Log on as a service”

      This script will log 7003 events in the OpsMgr event log on the agent, if it is triggered.

      • Steffen

All criteria (log and parameters) are met and correct but no 7003 event.
        We rebooted the agents and services and the event 7002 gets updated in the log every 5-15 minutes, but no 7003.

        Another idea?
