Share via


Using SCO to auto deploy SCOM RunAs Accounts!

RunAs accounts can be very cumbersome and annoying if they have not been deployed correctly!  I think any SCOM admin can agree with that. 
Now there are other solutions out there like Kevin Holman's example and Matthew Long's example but I thought I would show how to use in SCORCH. 
In working with my customer the need was to not have to have manual intervention so I wrote up a runbook to let Orchestrator do this automatically. 

First thing is we do get our alert, but this is what our runbook will key off of.

The reason for the above alert is because our SQL Monitoring Account Distribution List look like this without SERVICEMANAGER.Lab.com:

Then from this we are able to set up our runbook to take care of the rest.

1. GET MISSING CREDS ALERT
Set up the Monitor alert activity as below: 
Name = System Center Management Health Service Credentials Not Found Alert Message
Now I use an Updater to forward my alerts so the bottom part is not necessary for you unless you don't want it to go to ticket but still get picked up by SCO.

From this activity we will pick up any alerts that match the criteria like the one in the first screenshot once the resolution state is updated to Processed by SCORCH. 

2. GET SSID:
Next we use the alert description to break apart the data and pull back the important piece for this to work: Account SSID

In our runbook we will utilize the Run .NET Script activity for the next 3 activities and each will use PowerShell to execute the scripts below:

SCRIPT:
$string = 'UPDATE TO POINT TO DESCRIPTION FROM PREVIOUS ACTIVITY'
$string = $string.split([environment]::NewLine)
$s= $string | where{$_.contains('SSID:')}
$SSID = $s.Split(':')[1].Trim()

PUBLISHED DATA:
SSID -> String -> SSID

3. GET THE ACCOUNT
Next we need to get the actual account we need to add the computer to:

Assistance from Michiel Wouters blog on how to decipher the SSID!
SCRIPT:
#Import OM Module
Import-Module OperationsManager;
New-SCOMManagementGroupConnection YOUR MGMT SERVER

$SSID = 'CHANGE TO POINT TO SSID FROM PREVIOUS ACTIVITY'
Get-SCOMRunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % {
 $string = $string + "{0:X2}" -f $_}

[string]$RunAsAccountSSID = $string
if ($SSID -like $RunAsAccountSSID)
{$RunAsAccountName = $_.Name}
}

PUBLISHED DATA:
RunAsAccountName -> String _> RunAsAccountName

4. ADD TO DISTRO LIST
From here we pass along the RunAs Account and get his current list if any and then we add the original alerting machine to the Account:

SCRIPT:
Import-Module OperationsManager;
New-SCOMManagementGroupConnection YOUR MGMT SERVER

$RAAccount = Get-SCOMRunAsAccount -name 'UPDATE TO POINT TO RUNASACCOUNT FROM PREVIOUS ACTIVITY'
$monitoringObjectId = get-SCOMMonitoringObject -Id 'UPDATE TO POINT TO MONITORINGOBJECTID FROM MISSING HEALTH CRED ACTIVITY'
$Group=  $RAAccount.ManagementGroup
$connection = [Microsoft.SystemCenter.OperationsManagerV10.Commands.OMV10Utility]::GetConnectionForManagementGroup($Group)
$hsClass = $group.EntityTypes.GetClasses("Name = 'Microsoft.SystemCenter.Healthservice'") |%{ $_ }
$poolClass = $group.EntityTypes.GetClasses("Name = 'Microsoft.SystemCenter.ManagementServicePool'") |%{ $_ }
[Microsoft.EnterpriseManagement.Monitoring.MonitoringObject[]] $distributionList = @()
if (((Get-SCOMRunAsDistribution $RAAccount).securedistribution).count -ge "1")
    {$distributionList  += (Get-SCOMRunAsDistribution $RAAccount).securedistribution
    }
foreach($o in $monitoringObjectId)
   {
     if($destination = ($o -as [Microsoft.EnterpriseManagement.Administration.AgentManagedComputer]))
        {
          $distributionList += $destination.HostedHealthservice
        }
     elseif($destination = ($o -as [Microsoft.EnterpriseManagement.Administration.ManagementServer]))
        {
          $distributionList += $destination.HostedHealthservice
        }
     elseif($destination = ($o -as [Microsoft.EnterpriseManagement.Administration.ManagementServicePool]))
        {
          $distributionList += ( Get-SCOMClassInstance -Id $destination.Id -ScSession $connection )
        }
     elseif(($destination = ($o -as [Microsoft.EnterpriseManagement.Monitoring.MonitoringObject])) -and ($destination.IsInstanceOf($hsClass) -or $destination.IsInstanceOf($poolClass)))
        {
          $distributionList += $destination
        }
   [Microsoft.SystemCenter.OperationsManagerV10.Commands.OMV10Utility]::ApproveRunasAccountForDistribution($Group, $RAAccount, $distributionList)
   }

Once you have this setup and the runbook fires on the Alert you will see that once it is complete you will see all 4 steps as Green 

The Missing credentials alert is now closed by System due to account being distributed:

New Updated Distribution list for SQL Monitoring Account:

Disclaimer:

This example is provided “AS IS” with no warranty expressed or implied. Run at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of Microsoft.

**Always test in your lab first** Do this at your own risk!! The author will not be held responsible for any damage you incur when making these changes!

Comments

  • Anonymous
    May 22, 2015
    While working with Kevin Holman, we thought we would combine our two posts on RunAs Account Distribution
  • Anonymous
    June 23, 2015
    The comment has been removed
  • Anonymous
    April 20, 2016
    Yeah, that is really awesome. Thanks for that!