OpsMgr 2007 SP1: The case of failing Agent Install

Recently we came across an issue where the OpsMgr 2007 SP1 agent failed to install on a new network segment. The affected machines all seemed to be Windows Server 2008 servers, but it eventually turned out that the issue was not specific to 2008. To narrow down the cause, we collected a verbose MSI log:

msiexec /i <momagent.msi> /lvoicewarmup c:\install.log

You would probably see these two events in your event log:

===========================

Log Name: Application

Source: MsiInstaller

Date: 2/24/2009 10:33:51 AM

Event ID: 1033

Task Category: None

Level: Information

Keywords: Classic

User: <domain\user>

Computer: <fqdn>

Description: Windows Installer installed the product. Product Name: System Center Operations Manager 2007 Agent. Product Version: 6.0.6278.0. Product Language: 1033. Installation success or error status: 1603.

===========================

Log Name: Application

Source: MsiInstaller

Date: 2/24/2009 10:33:51 AM

Event ID: 11708

Task Category: None

Level: Information

Keywords: Classic

User: <domain\user>

Computer: <fqdn>

Description:

Product: System Center Operations Manager 2007 Agent -- Installation operation failed.

============

Install.log

============

MSI (s) (94:DC) [21:50:05:758]: Executing op: ActionStart(Name=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,,)

MSI (s) (94:DC) [21:50:05:758]: Executing op: CustomActionSchedule(Action=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,ActionType=3073,Source=BinaryData,Target=GrantAuditLogAccess,)

MSI (s) (94:10) [21:50:05:774]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB46.tmp, Entrypoint: GrantAuditLogAccess

1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87

1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057

1: GrantAuditLogAccess(): ModifyEventLogAccessForNetworkService() returned 0x00000643.

MSI (s) (94:DC) [21:50:05:805]: User policy value 'DisableRollback' is 0

MSI (s) (94:DC) [21:50:05:805]: Machine policy value 'DisableRollback' is 0

Action ended 21:50:05: InstallFinalize. Return value 3.

So from the log we can see:

>> 1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87 (probably it could not read the security descriptor in the first place)

>> 1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057

Cause

=====

We enumerated the following registry key

>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

We checked the CustomSD (security descriptor) string.

Apparently 0x1 indicates read-only, which seems to be the problem, for a specific user whose SID is mentioned:

"customsd"="(A;;0x1;;;S-1-5-21-542683309-1449951431-3854495092-13117)"

For More Understanding

----------------------------------

To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:

1 = Read

2 = Write

4 = Clear

The following is a sample SDDL that shows the default SDDL string for the Application log. The access rights are the hexadecimal value in each ACE:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

For example, the sixth ACE (Access Control Entry), (A;;0x3;;;IU), permits Interactive Users to read and write to the log, where

IU = Interactive Users

0x3 = 0x1 (Read) + 0x2 (Write)
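
The bit layout above, applied to the two strings on this page, as an added example (not code from the original post): it decodes each ACE's access mask into Read/Write/Clear and reports structural problems in a CustomSD value. The function names are made up for this example, and the check for a D: component reflects the general SDDL layout (O: owner, G: group, D: DACL) rather than anything the post itself diagnoses.

```python
import re

# Event log access bits as listed on the page: 1 = Read, 2 = Write, 4 = Clear.
RIGHTS = {0x1: "Read", 0x2: "Write", 0x4: "Clear"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

def decode_rights(mask):
    """Names of the event log rights whose bits are set in an ACE mask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def parse_customsd(sddl):
    """Split a CustomSD string into its header and decoded ACEs.

    Returns (header, aces); each ACE is (type, mask, rights, trustee).
    Only hexadecimal access masks are handled, the form the page uses.
    """
    sddl = sddl.replace(" ", "")  # tolerate stray spaces in pasted samples
    header = sddl.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 ';'-separated fields: ({body})")
        mask = int(fields[2], 16)
        aces.append((ACE_TYPES.get(fields[0], fields[0]), mask,
                     decode_rights(mask), fields[5]))
    return header, aces

def review(sddl):
    """Structural findings to raise before a value is written to the registry."""
    header, aces = parse_customsd(sddl)
    findings = []
    if "D:" not in header:
        findings.append("no D: (DACL) component before the first ACE")
    if not aces:
        findings.append("no ACEs found")
    return findings

# Both strings are copied from the page.
DEFAULT_APPLICATION = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
                       "(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)"
                       "(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)")
FAILING_CUSTOMSD = "(A;;0x1;;;S-1-5-21-542683309-1449951431-3854495092-13117)"

if __name__ == "__main__":
    for label, value in (("default Application", DEFAULT_APPLICATION),
                         ("failing Security CustomSD", FAILING_CUSTOMSD)):
        print(label, "->", review(value) or "well-formed")
        for ace in parse_customsd(value)[1]:
            print("   ", ace)
```

The finding reported for the second string describes the value as it is printed on this page; the post does not say whether the registry value itself carried a header.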

Solution :

===========

a) We removed the CustomSD string from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

b) Ran regsvr32 scecli.dll

For a better understanding of SDDL, refer to https://support.microsoft.com/kb/323076