How to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory

hotfixHere’s another KB article we published today.  This one describes how to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory:

=====

Symptoms

When attempting to login to the System Center Operations Manager 2007 (SCOM 2007) Admin console you receive the following error:

Failed to connect to server ‘RMS.contosso.com’. Insufficient privileges

The user CONTOSSO\scomadmin does not have sufficient permission to perform the operation.

Additional Information :

Date: 11/4/2011 8:33:21 AM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Warning
Message: Failed to connect to server 'RMS.contosso.com'. Insufficient privileges

Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user contosso\scomadmin does not have sufficient permission to perform the operation.
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup..ctor(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server, String username, SecureString password, String domain)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleWindowBase.ConnectWithCredentials(Exception ex, ConsoleJobEventArgs args)

Cause

This can occur if the SCOM 2007 Admin group was deleted from Active Directory.

Resolution

In our steps to resolve the issue, we first try finding the user accounts and groups that have sufficient privileges for SCOM 2007:

1. Open Authorization Manager by typing azman.msc in Run.

2. Right click on the Authorization Manager entry found in the left pane and select Open Authorization Store.

3. In the Open Authorization Store dialog box, choose XML File and then, click on Browse.

4. Navigate to the System Center Operations Manager Directory which by default is C:\Program Files\System Center Operations Manager 2007.

5. Open the SDK Service State folder and choose the MomAuth.xml file.

6. Once the store loads you can find Microsoft Operations Manager in the left pane. Expand it.

7. You should be able to find a folder under the Microsoft Operations Manager with the name 597f9d98-356f-4186-8712-4f020f2d98b4.

8. Expand it and open Role Assignments. Click on the list item you see under it.

9. You will now be able to see the users and groups that have privileges in SCOM 2007.

10. By default, you can find SYSTEM listed in the right pane. You can also find the corrupt user groups or accounts noted as ‘Account Unknown’ along with the SID.

11. The fact that SYSTEM is listed there confirms that local SYSTEM has enough

12. In case you don’t find the SYSTEM account, the resolution steps mentioned below won’t work for you.

With the PSExec.exe tool (https://technet.microsoft.com/en-us/sysinternals/bb897553), open the SCOM 2007 console in SYSTEM context:

1. Open Command Prompt.

2. Type the command PSExec.exe –i –s cmd.exe

3. Optional: Execute the whoami command in the new command prompt window. Doing this will verify if the command prompt is running under SYSTEM context (NT Authority\SYSTEM).

4. In the command prompt window running under SYSTEM context, run the executable file {BaseDirectory}\System Center Operations Manager 2007\ Microsoft.Mom.UI.Console.exe. By default the base directory is C:\Program Files\.

You should now be able to open SCOM 2007 Admin console using the SYSTEM context.

5. In the Admin Console, open Administration Pane and select User Roles.

6. Choose the Operations Manager Administrators user role and add the group/account you wish to use.

7. Test the solution by closing the Operations Manager Console and reopening it in the newly added context. You should be able to login now.

The resolution can be verified by checking for the recently added group in Authorization Manager. You should follow the same procedure as mentioned previously.

More Information

Overview on Authorization Manager : https://msdn.microsoft.com/en-us/library/bb897401.aspx

Download PSExec from here : https://technet.microsoft.com/en-us/sysinternals/bb897553

=====

For the most current version of this article please see the following:

2640222: How to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory

J.C. Hornbeck | System Center Knowledge Engineer

App-V Team blog: https://blogs.technet.com/appv/
AVIcode Team blog: https://blogs.technet.com/b/avicode
ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
DPM Team blog: https://blogs.technet.com/dpm/
MED-V Team blog: https://blogs.technet.com/medv/
OOB Support Team blog: https://blogs.technet.com/oob/
Opalis Team blog: https://blogs.technet.com/opalis
Orchestrator Support Team blog: https://blogs.technet.com/b/orchestrator/
OpsMgr Support Team blog: https://blogs.technet.com/operationsmgr/
SCMDM Support Team blog: https://blogs.technet.com/mdm/
SCVMM Team blog: https://blogs.technet.com/scvmm
Server App-V Team blog: https://blogs.technet.com/b/serverappv
Service Manager Team blog: https://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: https://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: https://blogs.technet.com/sus/

clip_image001 clip_image002