unable to commit configuration change - permission error i t
simon
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: unable to commit configuration change - permission error i t

user momadmin1 (member of MOMAdministrators & regular Domain User) is
accessing mom admin console on remote workstation
error rec'd when committing configuration change
"microsoft operations manager was unable to submit the request the mom
management server (the microsoft operations manager service - momservice.exe)
on mom01"
click on details...
you do not have appropriate access permissions to perform this operation.
please contact your system administrator for more information.
result code: 80070005

when i make momadmin1 a local admin on server mom01 the commit configuration
task is successful when using the remote admin console - but then any local
admins on mom01 have full rights into mom - i don't want to use local admins!

when momadmin1 logs onto mom01 server using mstsc (and member of mom01
remote desktop users group) the commit task works fine - with no additional
changes - but server can only support 2 remote sessions - i want to use mom
admin console on remote desktops

why can't i get the commit configuration task to work on a remote console?
does anyone have this working? without domain admins/local admins?
any special rights/permissions?
any logs i can check?
anyone with any ideas would be great, thanks :)

davidtyra@hotmail.com
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: Re: unable to commit configuration change - permission error

Simon,

Is the management server running Windows 2003 Server SP1? If so, have
you verified that the momadmin01 account is a member of the Distributed
COM Users local group on the management server?

Regards,

David Tyra

simon
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: Re: unable to commit configuration change - permission error

Daniel
That would have been a fantastic fix, despite that these were freshly
installed admin consoles on friday - however

i uninstalled and reinstalled - made no difference
i uninstalled - rebooted - reinstalled - still made no difference

same error still occurs!

is there documentation written somewhere that gives me a list of explicit
permissions that are required to use mom admin console or do u think that the
permission error could be a symptom of another problem?

thanks


"Daniel Lai [MVP-Management Infrastructur" wrote:

Quote:

Hello,

Thank you for your posting!

Please reinstall the Administrator Console.

If you have any questions, please feel free to let me know. I am glad to be of
assistance.


--
Daniel Lai
Microsoft MVP Program Top Contributor
Windows Server-Management Infrastructure
Microsoft Management Solution Consultant
http://msmvps.com/daniel

Daniel Lai [MVP-Managemen
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: Re: unable to commit configuration change - permission error

Hello,

Thank you for your posting!

Please reinstall the Administrator Console.

If you have any questions, please feel free to let me know. I am glad to be of
assistance.


--
Daniel Lai
Microsoft MVP Program Top Contributor
Windows Server-Management Infrastructure
Microsoft Management Solution Consultant
http://msmvps.com/daniel

davidtyra@hotmail.com
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: Re: unable to commit configuration change - permission error

No, everyone managing MOM is a local Admin on the management servers. I
would bet that committing configuration changes would require some kind
of elevated privileges since that initiates a write to the database. I
would suggest examining the MOM Security Guide to see if it has
anything on the subject (in case you haven't already).

Regards,

David Tyra

simon
Posted: Mon Oct 31, 2005 5:51 pm    Post subject: Re: unable to commit configuration change - permission error

David

yeah, win2k3 sp1 - mom2005 sp1

the user is in a domain group which is a member of the local distributed com
users on the mom server - i have tried explicitly adding the user rather than
through the typical domain -> local group membership but this still makes no
difference

i just don't understand why the task works when i'm logged on via RDP to the
MOM server but not when i'm using the admin console on a regular workstation

does this work for you...is your momadmin user a regular domain user with no
additional rights or privileges?

thanks for the reply :)

simon
Posted: Mon Oct 31, 2005 9:51 pm    Post subject: RE: unable to commit configuration change - permission error

hey justin
thanks for that :)
that's the same article i was referring to in my previous post
the question i was looking for verification from others in the mom community
was....am i right in thinking that local admins on my mom server override the
concept of having users in the mom admins, mom authors & mom users groups?

from what i can see...if a user is in the local admin group on the mom
server, they automatically have full admin control within the mom admin
console

does anyone use the mom admin/authors/users groups - to restrict access
within mom?

thanks

"Justin Harter" wrote:

Quote:
As taken from the MSFT knowledgebase article:

When you try to perform a commit configuration change operation from a
remote MOM Administrator console, you may receive the following error message:
Access denied
This behavior occurs because the security permissions for remote users have
changed in Windows Server 2003 SP1. By default, a remote user may not be able
to enumerate or read a list of services when the user connects to a computer
that is running Windows Server 2003 with SP1. To work around this problem,
add the user accounts that are members of the MOM Administrators group and of
the MOM Authors group to the local Administrators group on the Windows Server
2003-based computer. To do this, follow these steps:
a. Log on to the computer by using an account that has administrative
credentials.
b. Click Start, point to Administrative Tools, and then click Computer
Management.
c. In Computer Management, expand Local Users and Groups, click the Groups
folder, right-click Administrators, and then click Add to Group.
d. In the Administrators Properties dialog box, click Add.
e. In the Select Users dialog box, type the user account that is a member
of the MOM Administrators group and of the MOM Authors group, and then click
OK.
f. Repeat steps d and e for each user account that you want to be able to
remotely access the MOM Administrator console.

Here is the article address:
http://support.microsoft.com/default.aspx?scid=kb;en-us;898921#XSLTH3128121122120121120120

simon
Posted: Mon Oct 31, 2005 9:51 pm    Post subject: Re: unable to commit configuration change - permission error

thanks david
i was coming to the conclusion also but, can't seem to find any documentation
specifically for the mom consoles apart from what's in
http://support.microsoft.com/default.aspx?scid=kb;en-us;898921

one more question please....as everyone is a local admin within your
implementation, does that mean by default all your mom administrators have
the mom admin privilege, do they have access to the administration node in
the admin console?
do you have any mom authors or mom users that have their access restricted
within the mom admin console?

as far as i can see...any local admins on the mom server, automatically
secure full mom admin access - or is that just something screwy with my
install?

thanks for your info :)

Justin Harter
Posted: Mon Oct 31, 2005 9:51 pm    Post subject: RE: unable to commit configuration change - permission error

As taken from the MSFT knowledgebase article:

When you try to perform a commit configuration change operation from a
remote MOM Administrator console, you may receive the following error message:
Access denied
This behavior occurs because the security permissions for remote users have
changed in Windows Server 2003 SP1. By default, a remote user may not be able
to enumerate or read a list of services when the user connects to a computer
that is running Windows Server 2003 with SP1. To work around this problem,
add the user accounts that are members of the MOM Administrators group and of
the MOM Authors group to the local Administrators group on the Windows Server
2003-based computer. To do this, follow these steps:
a. Log on to the computer by using an account that has administrative
credentials.
b. Click Start, point to Administrative Tools, and then click Computer
Management.
c. In Computer Management, expand Local Users and Groups, click the Groups
folder, right-click Administrators, and then click Add to Group.
d. In the Administrators Properties dialog box, click Add.
e. In the Select Users dialog box, type the user account that is a member
of the MOM Administrators group and of the MOM Authors group, and then click
OK.
f. Repeat steps d and e for each user account that you want to be able to
remotely access the MOM Administrator console.

Here is the article address:
http://support.microsoft.com/default.aspx?scid=kb;en-us;898921#XSLTH3128121122120121120120
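
The KB text quoted above attributes the error to remote users no longer being able to enumerate services on Windows Server 2003 SP1. As an added example (not from the KB article or any poster in this thread), this Python code decodes a Service Control Manager DACL in the form printed by `sc sdshow scmanager` and checks which of the three logons described in the thread would hold the enumerate right. The SDDL string and the group SIDs assumed for each logon are constructed for illustration; substitute the output from your own management server.

```python
import re

# SDDL two-letter rights, read in the context of the Service Control Manager.
SCM_RIGHTS = {
    "CC": 0x0001,   # SC_MANAGER_CONNECT
    "DC": 0x0002,   # SC_MANAGER_CREATE_SERVICE
    "LC": 0x0004,   # SC_MANAGER_ENUMERATE_SERVICE
    "SW": 0x0008,   # SC_MANAGER_LOCK
    "RP": 0x0010,   # SC_MANAGER_QUERY_LOCK_STATUS
    "WP": 0x0020,   # SC_MANAGER_MODIFY_BOOT_CONFIG
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F,  # same bits as SC_MANAGER_ALL_ACCESS
}
ENUMERATE = SCM_RIGHTS["LC"]

# Constructed sample (assumption): AU gets connect only, IU and BA get more.
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)")

# Assumed well-known group SIDs in the token for each logon in the thread.
TOKENS = {
    "remote console, plain domain user": {"AU", "NU"},
    "RDP session on mom01": {"AU", "IU"},
    "remote console, local admin": {"AU", "NU", "BA"},
}

def decode_rights(rights):
    """Turn an SDDL rights field (letter pairs or hex) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights field: " + rights)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SCM_RIGHTS:
            raise ValueError("unknown right: " + code)
        mask |= SCM_RIGHTS[code]
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee)] for the DACL part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append((fields[0], decode_rights(fields[2]), fields[5]))
    return aces

def granted(aces, token_sids):
    """Walk ACEs in order; a deny blocks only bits not already allowed."""
    allowed = denied = 0
    for ace_type, mask, trustee in aces:
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            allowed |= mask & ~denied
        elif ace_type == "D":
            denied |= mask & ~allowed
    return allowed

def can_enumerate(sddl, token_sids):
    return bool(granted(parse_dacl(sddl), token_sids) & ENUMERATE)

if __name__ == "__main__":
    for name, sids in TOKENS.items():
        print(f"{name}: enumerate = {can_enumerate(SAMPLE_SDDL, sids)}")
```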

Justin Harter
Posted: Tue Nov 01, 2005 5:51 pm    Post subject: RE: unable to commit configuration change - permission error

I do use the MOM users group to put everyone in IT who uses the Operator
Console. This way, they can see what they need in the Operator Console, but
can't get into Administrator to do anything. On the other hand, if they are an
Administrator on the MOM box, I do believe they will be able to do most
anything...

All times are GMT