Set-SCOMRunAsDistribution

Sets the distribution policy of a Run As account for Operations Manager.

Syntax

Set-SCOMRunAsDistribution
   [-RunAsAccount] <SecureData>
   [-LessSecure]
   [-PassThru]
   [-SCSession <Connection[]>]
   [-ComputerName <String[]>]
   [-Credential <PSCredential>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-SCOMRunAsDistribution
   [-RunAsAccount] <SecureData>
   [-MoreSecure]
   [-SecureDistribution <Object[]>]
   [-PassThru]
   [-SCSession <Connection[]>]
   [-ComputerName <String[]>]
   [-Credential <PSCredential>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-SCOMRunAsDistribution
   [-RunAsAccount] <SecureData>
   -Security <String>
   [-SecureDistribution <Object[]>]
   [-PassThru]
   [-SCSession <Connection[]>]
   [-ComputerName <String[]>]
   [-Credential <PSCredential>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-SCOMRunAsDistribution cmdlet sets the distribution policy of a Run As account for System Center 2016 - Operations Manager. Distribution policies determine which computers receive a credential for a Run As account. By default, new accounts have the more secure distribution with no approved systems.

Examples

Example 1: Specify a less secure distribution

PS C:\>Get-SCOMRunAsAccount -Name "Contoso\LowPriv" | Set-SCOMRunAsDistribution -LessSecure

This command sets the Contoso\LowPriv account for less secure distribution, so that Operations Manager distributes the credential automatically to all managed computers. The command uses the Get-SCOMRunAsAccount cmdlet to get the specified account and passes it to the Set-SCOMRunAsDistribution cmdlet by using the pipeline operator. The command specifies the LessSecure parameter.

Example 2: Specify a more secure distribution without approved systems

PS C:\>Get-SCOMRunAsAccount -Name "Contoso\LowPriv" | Set-SCOMRunAsDistribution -MoreSecure

This command sets the Contoso\LowPriv account for more secure distribution, with no approved systems. The command uses the Get-SCOMRunAsAccount cmdlet to get the specified account and passes it to the Set-SCOMRunAsDistribution cmdlet by using the pipeline operator. The command specifies the MoreSecure parameter.

Example 3: Specify a more secure distribution to a collection

PS C:\>$Distribution = (Get-SCOMAgent -Name "*.contoso.com") + (Get-SCOMManagementServer) + (Get-SCOMResourcePool -DisplayName "Contoso Monitoring Pool")
PS C:\> Get-SCOMRunAsAccount "Contoso\LowPriv" | Set-SCOMRunAsDistribution -MoreSecure -SecureDistribution $Distribution

This example sets the Contoso\LowPriv account for more secure distribution to a collection of pools, agents, and servers, so that only specified pools, agents, and servers get the distribution.

The first command gets the pools, agents, and servers to receive more secure distribution and stores them in the $Distribution variable .

The second command gets pools, agents, and servers that have less secure distribution and passes them to the Set-SCOMRunAsDistribution cmdlet by using the pipeline operator. That cmdlet assigns them more secure distribution.

Example 4: Specify less secure distribution for a new Run As account

PS C:\>Add-SCOMRunAsAccount -Windows -Name "NewAccount" -Credential (Get-Credential) | Set-SCOMRunAsDistribution -MoreSecure -SecureDistribution (Get-SCOMAgent)

This command creates a Run As account for Windows and approves it for distribution to all agents. The command uses the Add-SCOMRunAsAccount cmdlet to add the account NewAccount with the credential that the Get-Credential cmdlet creates. It then passes the result to the Set-SCOMRunAsDistribution cmdlet by using the pipeline operator.

Example 5: Copy a more secure distribution policy to a different account

PS C:\>$MonitoringAcct = Get-SCOMRunAsAccount "Contoso\Monitoring"
PS C:\> Get-SCOMRunAsAccount "Contoso\Administrator" | Get-SCOMRunAsDistribution | Set-SCOMRunAsDistribution -RunAsAccount $MonitoringAccount

This example copies the secure distribution policy from the Contoso\Administrator account to the Contoso\Monitoring account.

The first command uses the Get-SCOMRunAsAccount cmdlet to get the Contoso\Monitoring account and stores it in the $MonitoringAcct variable.

The second command uses the Get-SCOMRunAsAccount cmdlet to get the Contoso\Administrator account and passes it to the Get-SCOMRunAsDistribution cmdlet by using the pipeline operator. The command passes the result to the Set-SCOMRunAsDistribution cmdlet to copy the result to the Contoso\Monitoring account.

Parameters

-ComputerName

Specifies an array of names of computers. The cmdlet establishes temporary connections with management groups for these computers. You can use NetBIOS names, IP addresses, or fully qualified domain names (FQDNs). To specify the local computer, type the computer name, localhost, or a dot (.).

The System Center Data Access service must be started on the computer. If you do not specify a computer, the cmdlet uses the computer for the current management group connection.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Credential

Specifies the user account under which the management group connection runs. Specify a PSCredential object, such as one that the Get-Credential cmdlet returns, for this parameter. For more information about credential objects, type Get-Help Get-Credential.

If you specify a computer in the ComputerName parameter, use an account that has access to that computer. The default is the current user.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-LessSecure

Indicates that Operations Manager distributes the credential automatically to all managed computers.

Type:SwitchParameter
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-MoreSecure

Indicates that Operations Manager distributes the credential only to systems that the SecureDistribution parameter specifies.

Type:SwitchParameter
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-PassThru

Indicates that the cmdlet creates or modifies an object that a command can use in the pipeline. By default, this cmdlet does not generate any output.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-RunAsAccount

Specifies an array of SecureData objects that represent Run As accounts. To obtain a SecureData object, use the Get-SCOMRunAsAccount cmdlet. This account cannot be part of a Run As profile.

Type:SecureData
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SCSession

Specifies an array of Connection objects. To get Connection objects, use the Get-SCOMManagementGroupConnection cmdlet.

If this parameter is not specified, the cmdlet uses the active persistent connection to a management group. Use the SCSession parameter to specify a different persistent connection. You can create a temporary connection to a management group by using the ComputerName and Credential parameters. For more information, type Get-Help about_OpsMgr_Connections.

Type:Connection[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SecureDistribution

Specifies an array of objects that represent systems that the cmdlet authorizes for distribution.

This parameter list can contain only the following types of items:

  • Agents. Objects that the Get-SCOMAgent cmdlet returns. The cmdlet authorizes this account to the agent for distribution.
  • Management servers. Objects that the Get-SCOMManagementServer cmdlet returns. The cmdlet authorizes this account to the agent for distribution.
  • Pools. Objects that the Get-SCOMResourcePool cmdlet returns. The cmdlet authorizes this account to the agent for distribution.
  • Health service instances. Objects that the Get-SCOMClassInstance cmdlet returns and that have a managed type of HealthService. The cmdlet authorizes this health service to the agent for distribution.

Passing output from the Get-SCOMRunAsDistribution cmdlet as input to Set-SCOMRunAsDistribution by using the pipeline operator automatically populates this parameter.

Type:Object[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Security

Specifies the security level. The acceptable values for this parameter are:

  • MoreSecure
  • LessSecure

Passing output from the Get-SCOMRunAsDistribution cmdlet as input to Set-SCOMRunAsDistribution by using the pipeline operator automatically populates this parameter.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False