Normally – when you have a trust with a remote account domain, and you want to add users from the rote domain to SCOM, things go perfectly.
However, if the user account in the remote domain uses a different UPN name than the SAM account name – the SCOM UI block’s it.
For instance, I have a SCOM infrastructure in OPSMGR.NET (OPSMGR), but want to grant users in DMZ.CORP (DMZ) domain access. This works fine, if the UPN domain name for my user is the same as the SAM account name.
In the image – I am trying to add DMZ\sqlmondmz account to my SQL Ops Team role:
When I check names – I can see the UPN domain is different, than the actual DNS domain name of DMZ.CORP:
This results in the following error:
Date: 7/19/2016 2:25:18 PM
Application: Operations Manager
Application Version: 7.1.10226.1177
Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user email@example.com associated with the user role. Error code 1332. Check your active directory configuration.
at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
at Microsoft.EnterpriseManagement.Common.Internal.SecurityConfigurationServiceProxy.UpsertUserRolesV2(ICollection`1 urUpdateResults, ICollection`1 urScopeUpdateResults, ICollection`1 urViewScopeUpdateResults, ICollection`1 urTaskScopeUpdateResults, ICollection`1 urConsoleTaskScopeUpdateResults, ICollection`1 urTemplateScopeUpdateResults, ICollection`1 urDashboardReferenceScopeUpdateResults, ICollection`1 urUserUpdateResults)
at Microsoft.EnterpriseManagement.SecurityConfigurationManagement.UpdateUserRoles(ICollection`1 userRoles)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)
A common previous workaround to this was to add these accounts a Global Group, then add the global group to the role. This workaround did well when you needed to add a large number of users to an unscoped Operator role. However, if you have a lot of different user roles with customized scopes, you will constantly be creating groups. Another alternative?
Use PowerShell to add these users to the role:
$Role = Get-SCOMUserRole -Name "SQL Ops Team"
$Role | Set-SCOMUserRole -User ($Role.Users + "DMZ\sqlmondmz")
This doesn’t have the same UI restriction: