MOMResources.org

Provisioning MOM Console Access in Enterprise Environments

By: Pete Zerger, MCSE(Messaging)


This article is intended to relay some recommended practices for provisioning MOM access in enterprise environments. In the interest of operational efficiency, it is desirable to configure MOM in such a way that provisioning access for new MOM operators and administrators can be entirely integrated into the same process used to provide user accounts, mailboxes and network access to company employees, freeing the MOM architect to focus on more strategic endeavors.

Access is granted to MOM through local groups on the various MOM Servers by default, and access to custom Console Scopes, commonly used for branch office and application administrators, has in the past required granting access on a per-user basis in the MOM Administrator Console. Not terribly convenient for folks working in AD Users & Computers for their other provisioning activities. In this article, we’re going to use global security groups and a new MOM Resource Kit utility to work around the limitations of the default configuration.

We’ll optimize the provisioning process by configuring a model that allows our Security Admins to grant any required access through their standard Active Directory management tools. We’ll step through:

  • Active Directory security groups required for streamlining the process
  • Configuration and Provisioning for Standard Security Roles
  • Configuration and Provisioning Access to Branch Office Administrators or Application Owners requiring custom Console Scopes

Provisioning Access for Standard Security Roles

The standard MOM security role groups used to grant user access to MOM are MOM Administrators, MOM Authors, MOM Users and SCDW Readers. Here are the MOM security groups relevant to our task, their location and function.

Table 1 - MOM Default Local Security Groups *

MOM Administrators
  Location: Local Group on MOM Management Server
  Description: Members are granted full control of the MOM environment. It should be noted that membership in the local Administrators group on the MOM Management Server grants equivalent rights, so keep an eye on membership in local Administrators as well.

MOM Authors
  Location: Local Group on MOM Management Server
  Description: Members can perform any action available to a MOM Administrators member, except that MOM Authors cannot change which computers are managed or the type of management used.

MOM Users
  Location: Local Group on MOM Management Server
  Description: Members can use any Operator Console functionality on any computer that belongs to the scope associated with the MOM Users group. They cannot, however, perform runtime tasks.

SCDW Readers
  Location: Local Group on MOM Reporting Server
  Description: Members have access to SQL Server Reporting Services on the MOM Reporting Server and can perform reporting functions, such as creating, viewing, and saving reports.

*The SC DW DTS and MOM Service groups are not detailed above as they are not relevant to granting operator and administrator access to MOM Consoles.


To integrate provisioning of the standard MOM security roles:

This is a very standard procedure most administrators have encountered before.

  1. Create global security groups corresponding to local MOM security groups – In Active Directory Users & Computers, create a Global Security Group for each of the four groups listed in table 1 above.
  2. Nest these global security groups in local MOM security groups – Add the global groups as members of their corresponding local groups on ALL MOM Servers.


That’s it. Now, to grant MOM access to an administrator, simply add the target user’s Active Directory account to the appropriate global group.

IMPORTANT:

If your MOM Management Server is running Windows 2003 SP1, you’ll need to add the global MOM security groups (MOM Admins, Authors, Users) to the 'Distributed COM Users' local security group on the Management Server due to some security changes introduced with SP1.
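As an added example (not part of the original article), here is the nesting from steps 1 and 2, plus the SP1 ‘Distributed COM Users’ requirement, as a batch file to run once on each MOM Server. It assumes the global groups are named after the local groups in table 1 and that MYDOMAIN is a placeholder for your domain.

```batch
@echo off
rem Added example, not from the article: nest the AD global groups into the local
rem MOM groups on this server the way steps 1 and 2 describe, then handle the
rem Windows 2003 SP1 'Distributed COM Users' requirement. Run once on EACH MOM
rem Server. Assumptions: the global groups are named after the local groups in
rem table 1, MYDOMAIN is a placeholder domain, and a local group that does not
rem exist on this server (e.g. SCDW Readers on a Management Server) is skipped.
setlocal
set DOMAIN=MYDOMAIN
set LOG=%~dp0NestMOMGroups.log

for %%G in ("MOM Administrators" "MOM Authors" "MOM Users" "SCDW Readers") do (
    call :nest %%G "%DOMAIN%\%%~G"
)

rem 'Distributed COM Users' only exists on Windows 2003 SP1 and later; console
rem users need it, SCDW Readers (reporting only) do not.
net localgroup "Distributed COM Users" >nul 2>&1
if not errorlevel 1 (
    for %%G in ("MOM Administrators" "MOM Authors" "MOM Users") do (
        call :nest "Distributed COM Users" "%DOMAIN%\%%~G"
    )
)
endlocal
goto :eof

:nest
rem %1 = local group (quoted), %2 = DOMAIN\global group (quoted) to nest in it
net localgroup %1 >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% skip: local group %~1 not on %COMPUTERNAME% >>"%LOG%"
    goto :eof
)
net localgroup %1 | findstr /l /i /c:"%~2" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% ok: %~2 already in %~1 >>"%LOG%"
    goto :eof
)
net localgroup %1 %2 /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAIL: could not add %~2 to %~1 >>"%LOG%"
) else (
    echo %DATE% %TIME% added %~2 to %~1 >>"%LOG%"
)
goto :eof
```

The script is safe to re-run: groups already nested are logged and left alone, so it can double as a periodic check that nobody has removed the nesting.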


Provisioning Access to Branch Office Admins or Application Owners

MOM Console Scopes are used to create custom views, limiting which Computer Groups can be viewed by the person using the scope. Console Scopes are often used for creating limited views for application owners (such as a view of SQL Servers for DBAs) and branch office administrators.  

For quite some time, the only way to provision access to the MOM Console Scope was to add users to the Scope in the MOM Administrator Console. Moreover, groups could not be used - users had to be added on a per-user basis. This makes more work for the MOM administrator, and requires an extra link in the provisioning chain when bringing new administrators on board.

This changed with the release of the MOM Resource Kit SP1 refresh, which included a new utility called the Console Scope Utility. This tool can be used to synchronize Active Directory group members with MOM 2005 console scope members. This now gives us the ability to create Global Security Groups in Active Directory, and then synchronize the membership of these groups with a Console Scope in MOM. By running this utility from a batch file on a scheduled basis, we can eliminate the need to open the MOM Administrator Console to provision Console Scope access.


To integrate assignment of Console Scopes:

We’ll use an example here. We’ll perform the configuration required to integrate the process of granting branch office administrators access to MOM into Active Directory. Let’s assume I’ve created a Console Scope called ‘Branch Office Admins’, and I want to grant MOM privileges to every user with membership in a particular group in Active Directory. Setup to make this happen is as follows:

  1. Create Console Scope ‘Branch Office Admins’ – In the MOM Administrator Console, create a Console Scope called ‘Branch Office Admins’. Select the desired Computer Groups you wish to be visible to branch office administrators. Do not add any users to this Console Scope.
  2. Create global security group ‘Branch Office Administrators’ – In Active Directory Users & Computers, create a Global Security Group called ‘Branch Office Administrators’. The global group need not be in the local domain. The utility can be used to synchronize security groups from trusted domains as well.
  3. Add branch office administrators to the newly created group. Use AD Users & Computers to grant membership to all branch office administrators you wish to assign to the Branch Office Admins Console Scope.
  4. Add ‘Branch Office Administrators’ global security group to ‘MOM Users’ global security group (if not already added). Membership in MOM Users is required to allow branch administrators to connect to the MOM Servers remotely with MOM Consoles. Nesting groups created for provisioning access via custom console scopes simply eliminates an extra step, allowing one-step provisioning for new administrators.
  5. Configure the Console Scope Batch Job – On a MOM Management Server, create the following batch job.


SYNTAX:

CSUtil.exe Synchronize "MyCustomConsoleScope" "MYDOMAIN\ConsoleScopeGroup"

EXAMPLE:

CSUtil.exe Synchronize "Branch Office Admins" "MYDOMAIN\Branch Office Administrators"

IMPORTANT:

You’ll need one CSUtil.exe command for each security group / console scope pair.

  6. Schedule the Console Scope Batch Job – On a MOM Management Server, schedule the batch job to run on an interval of your choosing. This may be once an hour or once a day, depending on how quickly you’d like changes to the global security groups to be reflected in Console Scope assignment.
  7. Perform Initial Group to Console Scope Synchronization – Run the batch file containing the Console Scope Utility at least once to synchronize the AD security group to the console scope. Then log in as a user assigned to the Branch Office Administrators group and launch the MOM Operator Console. Your view should then be restricted to the groups defined in the Console Scope.
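As an added example (not part of the original article), here is the Console Scope batch job from step 5 written so that several scope / group pairs are handled in one file with a log and an exit code the scheduled task can report. It assumes CSUTIL_DIR is a placeholder for wherever the Resource Kit was unpacked, MYDOMAIN is a placeholder domain, the second (DBA) pair is hypothetical, and CSUtil.exe returns a non-zero exit code when a synchronization fails.

```batch
@echo off
rem Added example, not from the article: the Console Scope batch job from step 5,
rem with one CSUtil.exe Synchronize call per console scope / global group pair,
rem a log of every run, and an exit code equal to the number of failed pairs so
rem the scheduled task reports them. Assumptions: CSUTIL_DIR is a placeholder
rem for wherever the Resource Kit was unpacked, MYDOMAIN is a placeholder domain,
rem the second pair (a DBA scope) is hypothetical, and CSUtil.exe returns a
rem non-zero exit code when a synchronization fails.
setlocal
set CSUTIL_DIR=C:\MOMTools
set LOG=%~dp0ScopeSync.log
set FAILED=0

echo %DATE% %TIME% --- scope sync started on %COMPUTERNAME% >>"%LOG%"

rem One :sync call per pair: "<Console Scope>" "<DOMAIN\Global Security Group>"
call :sync "Branch Office Admins" "MYDOMAIN\Branch Office Administrators"
call :sync "SQL Server DBAs"      "MYDOMAIN\SQL Server DBAs"

echo %DATE% %TIME% --- scope sync finished, failed pairs: %FAILED% >>"%LOG%"
endlocal & exit /b %FAILED%

:sync
rem %1 = console scope (quoted), %2 = DOMAIN\global security group (quoted)
"%CSUTIL_DIR%\CSUtil.exe" Synchronize %1 %2 >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED: scope %~1 from group %~2 >>"%LOG%"
    set /a FAILED+=1
) else (
    echo %DATE% %TIME% ok: scope %~1 from group %~2 >>"%LOG%"
)
goto :eof
```

To schedule it hourly as step 6 describes, a command such as schtasks /create /tn "MOM Console Scope Sync" /tr "C:\MOMTools\ScopeSync.cmd" /sc hourly /ru MYDOMAIN\MOMScopeSync /rp * does the job (the account name is a placeholder). A non-zero last run result in Scheduled Tasks then tells you that at least one pair did not synchronize.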


Granting Access to Console Scopes Going Forward:

  1. Simply add the target user to the ‘Branch Office Administrators’ or other appropriate global security group in Active Directory associated with a MOM Console Scope.
  2. Install the MOM User Interfaces (MOM CD – custom install) on the workstation of the target administrator.

I hope you’ll find this information helpful. Your feedback is always welcome at administrator@momresources.org