How to add accounts from another domain into a SCOM User Role


 

Normally – when you have a trust with a remote account domain, and you want to add users from the remote domain to SCOM, things go perfectly.

However, if the user account in the remote domain has a UPN whose domain suffix differs from the domain of the SAM account name – the SCOM UI blocks it.

 

For instance, I have a SCOM infrastructure in OPSMGR.NET (OPSMGR), but want to grant users in the DMZ.CORP (DMZ) domain access.  This works fine if the UPN domain name for my user is the same as the domain of the SAM account name.

 

In the image – I am trying to add DMZ\sqlmondmz account to my SQL Ops Team role:

 

image

 

When I check names – I can see the UPN domain is different from the actual DNS domain name of DMZ.CORP:

 

image

 

This results in the following error:

 

Date: 7/19/2016 2:25:18 PM
Application: Operations Manager
Application Version: 7.1.10226.1177
Severity: Error
Message:

Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user sqlmondmz@zzz.com associated with the user role. Error code 1332. Check your active directory configuration.
   at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
   at Microsoft.EnterpriseManagement.Common.Internal.SecurityConfigurationServiceProxy.UpsertUserRolesV2(ICollection`1 urUpdateResults, ICollection`1 urScopeUpdateResults, ICollection`1 urViewScopeUpdateResults, ICollection`1 urTaskScopeUpdateResults, ICollection`1 urConsoleTaskScopeUpdateResults, ICollection`1 urTemplateScopeUpdateResults, ICollection`1 urDashboardReferenceScopeUpdateResults, ICollection`1 urUserUpdateResults)
   at Microsoft.EnterpriseManagement.SecurityConfigurationManagement.UpdateUserRoles(ICollection`1 userRoles)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

 

The workaround?

A common previous workaround was to add these accounts to a Global Group, then add the global group to the role.  This worked well when you needed to add a large number of users to an unscoped Operator role.  However, if you have a lot of different user roles with customized scopes, you will constantly be creating groups.  Another alternative?

 

Use PowerShell to add these users to the role:

 

# Fetch the existing role object (run from the Operations Manager Shell, connected to the management group)
$Role = Get-SCOMUserRole -Name "SQL Ops Team"
# Set-SCOMUserRole -User replaces the whole member list, so pass the current members plus the new DOMAIN\sAMAccountName
$Role | Set-SCOMUserRole -User ($Role.Users + "DMZ\sqlmondmz")

 

This doesn’t have the same UI restriction:

 

image
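As an added example (not code from the original post), the same change wrapped in a small PowerShell function that skips users already in the role, then re-reads the role and flags members whose account domain differs from the management server's domain. It assumes the OperationsManager module is loaded and connected to the management group; the role and user names are the ones from the post.

```powershell
# Assumption: run from a session where the SCOM cmdlets are available, e.g.
#   Import-Module OperationsManager
#   New-SCOMManagementGroupConnection -ComputerName <management server>
function Add-ScomRoleMember {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Users     # DOMAIN\sAMAccountName form, as in the post
    )

    $Role = Get-SCOMUserRole -Name $RoleName
    if (-not $Role) { throw "User role '$RoleName' not found." }

    # Existing members; compare case-insensitively so DMZ\user and dmz\user are the same account
    $Current = @($Role.Users)
    $ToAdd = @($Users | Where-Object {
        $candidate = $_
        -not ($Current | Where-Object { $_ -ieq $candidate })
    })

    if ($ToAdd.Count -eq 0) {
        Write-Output "No change: requested users are already members of '$RoleName'."
        return
    }

    # Set-SCOMUserRole -User replaces the list, so pass existing + new to avoid dropping anyone
    $Role | Set-SCOMUserRole -User ($Current + $ToAdd)
    Write-Output ("Added to '{0}': {1}" -f $RoleName, ($ToAdd -join ', '))
}

function Show-ScomRoleMembers {
    param([Parameter(Mandatory)] [string] $RoleName)

    # Re-read so we report what the SDK actually stored, not what we intended to send
    $Role = Get-SCOMUserRole -Name $RoleName
    $LocalDomain = $env:USERDOMAIN   # NetBIOS domain of the machine running the shell

    foreach ($member in $Role.Users) {
        $domain = ($member -split '\\')[0]
        $flag = if ($domain -ine $LocalDomain) { '<- account from another domain' } else { '' }
        Write-Output ("{0,-40} {1}" -f $member, $flag)
    }
}

# Usage with the names from the post
Add-ScomRoleMember -RoleName "SQL Ops Team" -Users @("DMZ\sqlmondmz")
Show-ScomRoleMembers -RoleName "SQL Ops Team"
```

Running it a second time reports "No change", which makes it safe to keep in a scheduled or version-controlled role-membership script.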


Comments (2)

  1. Ben says:

    As always,..
    To all administrators out there,…
    Start using Powershell by default!

  2. Interesting how UIs do not always follow SDK rules.
