02-01-2012 02:57 AM
Hi,
Can anyone tell me what security permissions I need to set (on a managed Windows Server) to allow a non-admin user to create WBEM subscriptions in SIM (I am not talking about security for the HPQ WMI namespace - see below)?
The situation I have is as follows:
- I am using a domain user (non-admin) to perform discovery in HP SIM
- The domain user is configured with the required COM security launch and activate permissions on the servers and with the required WMI permissions (set using the enableRWMI.exe tool as supplied with the HP WBEM providers)
- The user does not and should not have administrative rights on the servers
With this configuration in place discovery works with no errors.
However when I attempt to Subscribe to WBEM events (within SIM) the create subscription task fails with the error:
Cause: Unable to create a WBEM connection on the managed system
Recommended Action: Check managed system credentials and reidentify
If I make the SIM user (domain user) a member of the local administrators group on the server then the task completes successfully and the subscription is created.
Once the subscription is created I can remove the admin rights and SIM continues to receive WBEM events as expected.
So my question is..... What permissions do I need to set for the SIM user on the servers to allow the WBEM subscription to be created without the user being an administrator?
Note that the WMI namespace security for root\HPQ has been set.
All I have managed to ascertain so far is that in creating the subscription EventFilters are created under the root\HPQ namespace - however it seems that the namespace security does not apply here!??
Any help much appreciated,
Getting increasingly frustrated with the apparent oversight of this issue in the HP documentation.
(I.e. the documentation details how to discover as a non-admin but no mention of this issue).
P
03-05-2012 06:33 AM
Solution
I ended up opening a support ticket with HP about this as I got so frustrated with it!
Your permissions are correct (in fact I normally configure them using the command line tool included with the WBEM providers, namely enableRWMI.exe) but the thing they don't mention is the subscription itself needs to be created with an admin account!
So, to achieve what you need, do the following:
- Run enableRWMI.exe and specify the non-admin account you wish to use
- In SIM, against the machine(s) you want to create subscriptions for, set a WBEM credential using an admin account on those servers
- Run a full identification
- Create the subscriptions
- Go back into the system properties for those servers and change the account used for WBEM back to the non-admin
All should work fine now ;)
03-05-2012 02:38 PM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
Thank you for your reply / input.
This is exactly what I had resorted to doing as (what I hoped to be) a temporary workaround. Looks like it will now be the final solution!
HP - It would be really nice if you could mention such shortcomings in the product documentation!
Regards,
Phil
03-05-2012 03:10 PM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
I agree. HP's documentation is lacking in this area. I was hoping it would be a temporary solution also as to do this process on 100+ machines is a bit painful :(
10-31-2012 12:52 PM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
This is a pain but will have to do.
It appears to be something 2008 specific; in my case I can get subs with non-admin on 2003 hosts but not 2008.
11-01-2012 07:27 AM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
Haven't used newest SIM or WBEM on 2008 - but the non-admin user will have to be a member of the "Distributed COM Users" group on the target server(s).
It might be that you specify the members of this group by GPO and he is therefore not added when you run the enablerwmi.exe-file.
11-02-2012 08:06 AM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
When I use the provided enableWMI tool, it does add the user to the D DCOM group successfully. However in the case of 2008, all actions appear to only work if the user is admin on the machine.
Besides not being able to subscribe as a non-admin user, in my case I can only properly detect Hyper-V hosts if the identify credentials are admin on the host.
To get subs working I did as specified above: I gave the service account admin on the hosts, ran identify, ran subs successfully, then removed the account. To my surprise it fixed another issue I was having, of not being able to properly identify Hyper-V hosts, but on the next daily identify, things went back to normal. Subs however continue to work.
11-07-2012 10:17 AM
Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)
The only way I have ever gotten these working is as stated above in my earlier post:
- Set WBEM credentials for the system either globally or against the individual system. This account must have admin rights on the target Windows system
- Identify the system and ensure that WBEM is in the list of managed protocols
- Subscribe to the events
- Remove admin access if needed
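
Added example, not part of any post in this thread: a Windows PowerShell check to run after the grant-admin, subscribe, remove-admin procedure described in the solution and in the last post, confirming on each server that the SIM account is no longer in local Administrators, is in Distributed COM Users, and that event filters exist under root\HPQ. The server names and account name are placeholders; it assumes an auditing account with admin rights on the targets, English default group names, and DCOM/WMI reachability from the machine running it.

```powershell
# Added example. Placeholders (assumptions): server names and the SIM account name.
$Servers    = 'SERVER01', 'SERVER02'      # placeholder host names
$SimAccount = 'svc-hpsim'                 # placeholder: the non-admin SIM account

function Test-LocalGroupMember {
    param([string]$Computer, [string]$Group, [string]$Account)
    # The WinNT ADSI provider lists direct members only; membership gained through
    # a nested domain group is not detected, and names are compared without domain.
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $names = @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return ($names -contains $Account)
}

$report = foreach ($s in $Servers) {
    try {
        # Event filters created under root\HPQ by the subscription (as noted in the thread)
        $filters = @(Get-WmiObject -ComputerName $s -Namespace 'root\HPQ' `
                        -Class '__EventFilter' -ErrorAction Stop)
        [pscustomobject]@{
            Server          = $s
            StillLocalAdmin = Test-LocalGroupMember $s 'Administrators' $SimAccount
            InDcomUsers     = Test-LocalGroupMember $s 'Distributed COM Users' $SimAccount
            HpqEventFilters = $filters.Count
            Error           = $null
        }
    } catch {
        # Unreachable host or access denied: keep the row so it is not silently skipped
        [pscustomobject]@{ Server = $s; StillLocalAdmin = $null; InDcomUsers = $null
                           HpqEventFilters = $null; Error = $_.Exception.Message }
    }
}

# Servers needing attention: admin right left behind, DCOM group missing,
# no event filter present, or the check itself failed.
$report | Where-Object { $_.StillLocalAdmin -or -not $_.InDcomUsers -or
                         $_.HpqEventFilters -eq 0 -or $_.Error } |
    Format-Table -AutoSize
```

An empty table means every server passed all three checks; `Get-WmiObject` is available in Windows PowerShell 5.1 and earlier, not in PowerShell 7.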