How to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory

hotfixHere’s another KB article we published today.  This one describes how to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory:



When attempting to login to the System Center Operations Manager 2007 (SCOM 2007) Admin console you receive the following error:

Failed to connect to server ‘’. Insufficient privileges

The user CONTOSSO\scomadmin does not have sufficient permission to perform the operation.

Additional Information :

Date: 11/4/2011 8:33:21 AM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Warning
Message: Failed to connect to server ''. Insufficient privileges

Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user contosso\scomadmin does not have sufficient permission to perform the operation.
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup..ctor(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server, String username, SecureString password, String domain)
at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleWindowBase.ConnectWithCredentials(Exception ex, ConsoleJobEventArgs args)


This can occur if the SCOM 2007 Admin group was deleted from Active Directory.


In our steps to resolve the issue, we first try finding the user accounts and groups that have sufficient privileges for SCOM 2007:

1. Open Authorization Manager by typing azman.msc in Run.

2. Right click on the Authorization Manager entry found in the left pane and select Open Authorization Store.

3. In the Open Authorization Store dialog box, choose XML File and then, click on Browse.

4. Navigate to the System Center Operations Manager Directory which by default is C:\Program Files\System Center Operations Manager 2007.

5. Open the SDK Service State folder and choose the MomAuth.xml file.

6. Once the store loads you can find Microsoft Operations Manager in the left pane. Expand it.

7. You should be able to find a folder under the Microsoft Operations Manager with the name 597f9d98-356f-4186-8712-4f020f2d98b4.

8. Expand it and open Role Assignments. Click on the list item you see under it.

9. You will now be able to see the users and groups that have privileges in SCOM 2007.

10. By default, you can find SYSTEM listed in the right pane. You can also find the corrupt user groups or accounts noted as ‘Account Unknown’ along with the SID.

11. The fact that SYSTEM is listed there confirms that local SYSTEM has enough

12. In case you don’t find the SYSTEM account, the resolution steps mentioned below won’t work for you.

With the PSExec.exe tool (, open the SCOM 2007 console in SYSTEM context:

1. Open Command Prompt.

2. Type the command PSExec.exe –i –s cmd.exe

3. Optional: Execute the whoami command in the new command prompt window. Doing this will verify if the command prompt is running under SYSTEM context (NT Authority\SYSTEM).

4. In the command prompt window running under SYSTEM context, run the executable file {BaseDirectory}\System Center Operations Manager 2007\ Microsoft.Mom.UI.Console.exe. By default the base directory is C:\Program Files\.

You should now be able to open SCOM 2007 Admin console using the SYSTEM context.

5. In the Admin Console, open Administration Pane and select User Roles.

6. Choose the Operations Manager Administrators user role and add the group/account you wish to use.

7. Test the solution by closing the Operations Manager Console and reopening it in the newly added context. You should be able to login now.

The resolution can be verified by checking for the recently added group in Authorization Manager. You should follow the same procedure as mentioned previously.

More Information

Overview on Authorization Manager :

Download PSExec from here :


For the most current version of this article please see the following:

2640222: How to change the Operations Manager 2007 Admin group if the original was deleted from Active Directory

J.C. Hornbeck | System Center Knowledge Engineer

App-V Team blog:
AVIcode Team blog:
ConfigMgr Support Team blog:
DPM Team blog:
MED-V Team blog:
OOB Support Team blog:
Opalis Team blog:
Orchestrator Support Team blog:
OpsMgr Support Team blog:
SCMDM Support Team blog:
SCVMM Team blog:
Server App-V Team blog:
Service Manager Team blog:
System Center Essentials Team blog:
WSUS Support Team blog:

clip_image001 clip_image002

Comments (1)

  1. show box says:

    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could i subscribe for a blog site?
    For more info on showbox please refer below sites:
    Latest version of Showbox App download for all android smart phones and tablets. – It’s just 2 MB file you can easily get it on your android device without much trouble. Showbox app was well designed application for android to watch movies and TV shows, Cartoons and many more such things on your smartphone.
    For showbox on iOS (iPhone/iPad), please read below articles:
    Showbox for PC articles:
    There are countless for PC clients as it is essentially easy to understand, simple to introduce, gives continuous administration, effectively reasonable. it is accessible at completely free of expense i.e., there will be no establishment charges and after establishment
    it doesn’t charge cash for watching films and recordings. Not simply watching, it likewise offers alternative to download recordings and motion pictures. The accompanying are the strides that are to be taken after to introduce Showbox application on Android. The above
    all else thing to be done is, go to the Security Settings on your Android telephone, Scroll down and tap on ‘Obscure sources’.
    Movie Box, an esteemed movies application in which you can find stacks of programs and films. The guide is given here to download Movie Box app to Android and to Apple iOS 9.0.2, iOS 8.4/8.3 and also for the lower versions without Jailbreak.
    Please do login to Showbox application with the help of Ymail. You can login in Ymail from here –
    Sign Up & Do registration for latest movies on Showbox application

Skip to main content