OpsMgr 2007: AD_Replication_Monitoring.vbs (From Active Directory Management Pack) fails

We've had a couple calls on this so I thought I'd send out a heads up just in case you run into it:

========

Problem: The AD_Replication_Monitoring.vbs script from the Active Directory Management pack may fail to run and an alert similar to below may appear in the Operations Manager Console:

Alert Properties
------------------------
Description:
The process started at <hh:mm:ss> failed to create
System.PropertyBagData. Errors found in output:
C:\Program Files\System Center Operations Manager 2007\Health Service
State\Monitoring Host Temporary Files 13\268\AD_Replication_Monitoring.vbs (64, 1)
Microsoft
VBScript runtime error: Permission denied Command executed:
"C:\WINNT\system32\cscript.exe" //nologo "C:\Program Files\System Center Operations
Manager 2007\Health Service State\Monitoring Host Temporary
Files\13\268\AD_Replication_Monitoring.vbs"
<hostname.domain.com><NetBios><hostname.domain.com> 15 5 24 false true 6 300 true
24 {GUID} Working Directory: C:\Program Files\System Center Operations Manager
2007\Health Service State\Monitoring Host Temporary Files\13\268\ One or more
workflows
were affected by this. Workflow name:
AD_Replication_Monitoring.PerformanceCollection_3 Instance name: <NetBios> Instance
ID: <GUID> Management group <Management Group Name>

Here is the critical part of the VBScript:
-----------------
Dim sStateValuePath
sStateValuePath= "HKLM\" & oAPI.GetScriptStateKeyPath(oParams(12))
' Registry Path to share data across scripts
Dim REG_Key
REG_Key = sStateValuePath & "\AD Management Pack\AD Replication Monitoring"
Later in the script, the following Sub writes to the key:
Sub SetData(strKey, strData)
'
' Purpose: To store data in a varset. If the key exists then the data
' associated with that key is replaced, otherwise the key/data
' combination is added to the varset.
'
' Arguments: strKey, the key of the line to replace
' strData, the data to associate with the key
'
' Returns: Nothing
'
If IsNull(oReg) Then
Set oReg = CreateObject("WScript.Shell")
End If
Call oReg.RegWrite(REG_Key & "\" & strKey , strData )
Err.Clear
End Sub

Cause: The problem occurs if the account running the script does not have the necessary permissions to READ/WRITE to the registry key above.  If this happens the script will fail as there is no error handling in the script. As documented in the AD Management Pack Guide, a low privilege user can be used, however it does not state that they need access to write to this registry key.

Resolution:

1. Run Process Monitor and then launch the script manually from a CMD prompt.
2. Evaluate the Process Monitor Log for somthing similar to:
3. 12574 12:24.4 cscript.exe 4860 RegOpenKey HKLM\SOFTWARE\Microsoft\Microsoft Operations
   Manager\3.0\Modules\{716E66BD-BE85-7F4a-)EE3-70DBC249FE14}\S-1-5-21-1417001333-34381
   8398-1801674531-494020 ACCESS DENIED
4. Give the Action Account Modify (READ/WRITE) permissions to HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager.

Once you do this you should be good to go.  Special thanks to Michael Sadoff for helping track this one down.

Frank Novak | Manageability Support Engineer