How to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory

Article ID: 2640222 - View products that this article applies to.
Expand all | Collapse all

Symptoms

When attempting to login to the System Center Operations Manager 2007 (SCOM 2007) Admin console you receive the following error:

Failed to connect to server ‘RMS.contosso.com’. Insufficient privileges

The user CONTOSSO\scomadmin does not have sufficient permission to perform the operation.

Additional Information :

Date: 11/4/2011 8:33:21 AM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Warning
Message: Failed to connect to server 'RMS.contosso.com'. Insufficient privileges

Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user contosso\scomadmin does not have sufficient permission to perform the operation.
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup..ctor(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server, String username, SecureString password, String domain)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleWindowBase.ConnectWithCredentials(Exception ex, ConsoleJobEventArgs args)

Cause

This can occur if the SCOM 2007 Admin group was deleted from Active Directory.

Resolution

In our steps to resolve the issue, we first try finding the user accounts and groups that have sufficient privileges for SCOM 2007:

1.  Open Authorization Manager by typing azman.msc in Run.

2.  Right click on the Authorization Manager entry found in the left pane and select Open Authorization Store.

3.  In the Open Authorization Store dialog box, choose XML File and then, click on Browse.

4.  Navigate to the System Center Operations Manager Directory which by default is C:\Program Files\System Center Operations Manager 2007.

5.  Open the SDK Service State folder and choose the MomAuth.xml file.

6.  Once the store loads you can find Microsoft Operations Manager in the left pane. Expand it.

7.  You should be able to find a folder under the Microsoft Operations Manager with the name 597f9d98-356f-4186-8712-4f020f2d98b4.

8.  Expand it and open Role Assignments. Click on the list item you see under it.

9.  You will now be able to see the users and groups that have privileges in SCOM 2007.

10.  By default, you can find SYSTEM listed in the right pane. You can also find the corrupt user groups or accounts noted as ‘Account Unknown’ along with the SID.

11.  The fact that SYSTEM is listed there confirms that local SYSTEM has enough

12.  In case you don’t find the SYSTEM account, the resolution steps mentioned below won’t work for you.

 

With the PSExec.exe tool (http://technet.microsoft.com/en-us/sysinternals/bb897553),  open the SCOM 2007 console in SYSTEM context:

1.  Open Command Prompt.

2.  Type the command PSExec.exe –i –s cmd.exe

3.  Optional: Execute the whoami command in the new command prompt window.  Doing this will verify if the command prompt is running under SYSTEM context (NT Authority\SYSTEM).

4.  In the command prompt window running under SYSTEM context, run the executable file {BaseDirectory}\System Center Operations Manager 2007\ Microsoft.Mom.UI.Console.exe.  By default the base directory is C:\Program Files\.

You should now be able to open SCOM 2007 Admin console using the SYSTEM context.

5.  In the Admin Console, open Administration Pane and select User Roles.

6.  Choose the Operations Manager Administrators user role and add the group/account you wish to use.

7.  Test the solution by closing the Operations Manager Console and reopening it in the newly added context.  You should be able to login now.

The resolution can be verified by checking for the recently added group in Authorization Manager. You should follow the same procedure as mentioned previously. 

More Information

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2640222 - Last Review: November 28, 2011 - Revision: 3.0
APPLIES TO
  • Microsoft System Center Operations Manager 2007
  • Microsoft System Center Operations Manager 2007 R2
  • Microsoft System Center Operations Manager 2007 Service Pack 1
Keywords: 
KB2640222

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com