Tool: OpsMgr 2007 R2 - What to do with Secure Reference Override Alert?

Subject of this post is an advanced authoring combining usage of the security features of OpsMgr 2007 with workflows while trying to explain how to troubleshoot alerts which may be raised at the end of such process. On the simple example, I display tool I developed to help resolving ambiguous or unclear obstacles which may surface with this scenario.

I’m not going to discuss why, let’s just say I have a need to create my own Run As profile. This profile is then be populated with custom Run As account I created as well. These steps need to be done manually.

· Open OpsMgr console

· Navigate to “Administration”, then “Run As Configuration”

· Please create “Windows Credentials” account (do not distribute to any computer)

RunAs account

· Please create new profile and associate with previously created account.

RunAs profiles

account in profile

Just to note that this post doesn’t aim to explain the internals of association between profile and account nor account distribution details, there are (or will be) official guides available for that exact reason.

Let’s also assume simple rule which generates alert when event 123 is raised in Application log by EventCreate. When created profile is used with this rule while run as account was not distributed to computer where target instance is monitored, event 1108 is raised during configuration load and workflow for this profile is not loaded until issue is corrected.

· Open OpsMgr authoring console

· Create NT event based rule and use this profile with Event data source module.

Because we are using unsealed MP, this rule must be created in same file as initially created profile.

Profile in module

event 1108

This event 1108 is picked by OpsMgr MP and alert is raised to notify that distribution was not set when Run As account was associated with Run As profile

Dialogs and wizards were re-designed in this milestone to notify about the need to distribute during the creation!

Unfortunately, this new alert may at cases contain somewhat cryptic information increasing TCO of its investigation. If alert is closed without investigating the root cause, it will appear again either after 24 hours from its original creation or when health service restarted.

console task integration

To simplify investigation of affected Run As profile (where querying a DB would be a necessity), I created SDK tool and associated with the product as “console task”. Upon its execution, tool retrieves all alerts related to Run As Profile and provides user friendly information about affected Run As profile (as long as it was present in the DB).

Another alert that such tool is able to help investigate is based on event 1107 and can be simulated by importing attached MP.


Please evaluate in your test environment first! As expected, this solution is provided AS-IS, with no warranties and confers no rights. Use is subject to the terms specified at Microsoft. Future versions of this tool may be created based on time and requests.

x86 installation package

x64 installation package