Eric_Singer
Joined 10 years ago
User Profile
User Widgets
Contributions
Active Discovery Scripts for no instances datasources
I think it would be really helpful if we could utilize active discovery scripts and what not for cases where there is no instances per se. The "applies to" is simply too inflexible to be used as the sole discovery method. For example, simply checking for the existence of a WMI class would be a great way to ensure we're only applying a data source to devices where that datasource apply.16Views0likes2CommentsRe: PSA: Collect from windows systems without admin rights
Hi, Wanted to provide an update. Unfortunately, I've been finding a number of missing data sources. They're not always easy to spot, but one perfect example is anything that's monitoring a windows service. I have a fix for that, but it's still not a complete fix. There are many services (such as the cluster service) that are limited to only to local admins / system. So even if you follow the fix I'll share, you still aren't going to get all the services. At this point, it doesn't even seem if you had a local LM account without admin rights that you would get everything without more work. As for monitoring services, you need to run this command once on each host you want to monitor. Start-Process -FilePath "sc.exe" -ArgumentList "sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)" -Wait -NoNewWindow32Views0likes0CommentsRe: PSA: Collect from windows systems without admin rights
36 minutes ago, IT GUY said: Thanks Eric that makes sense. Also did you have any issues runnning the Set-WMINameSecurity powershell script as a scheduled task? Manuallly running the power shell commands it adds the correct wmi permission but it seems running from task schedule it doesn't do anything. What I ended up doing was taking all the individual actions MS recommended in their task and add them into a single powershell script that i called without any parameters. I called their script inside that script. For example, i created a folder using GPP on the local system called "remote wmi access" I then copied MS script "set-wmi....." I then copied custom script with the below commands in it to the same folder Finally, I had my schedule task call the custom script locally, so "powershell.exe -file "customscript.ps1" . "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account “domain\Group or user” -operation Add -permissions Enable . "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account “domain\Group or user”” -operation Add -permissions RemoteAccess Restart-Service winmgmt -force34Views0likes0CommentsRe: PSA: Collect from windows systems without admin rights
4 hours ago, IT GUY said: I'm trying to implement this on a 2016 server and running into some issues. The logic monitor service doesn't start even though the service account is in the local distributed com users group. Putting the account into administrators group works. Event log shows that the service account doesn't have dcom permissions which is strange since it's in the group that's' supposed to give it access to DCOM. Any help would be interested. Sorry for any confusion. The LogicMonitor collector service must still run as a local admin account, at least as far as i'm aware. The solution is to allow that collector to remotely pole Windows devices with a service account that isn't a local admin. Meaning: Collector Server Name = WinCollector Collector Account = UserCollector Remote Server to Poll = "RemoteServerIWantToPoll" The account "UserCollector" must be a local admin on the server "WinCollector" BUT the service account "UserCollector" doesn't need to be a local admin on server "RemoteServerIWantToPoll".34Views0likes0CommentsRe: Read only agent / collector
On 8/2/2018 at 2:07 AM, Tanvir said: @ Matthew Dunham Any update on this? Hi @Tanvir have you seen my more recent thread /topic/2029-psa-collect-from-windows-systems-without-admin-rights/ I've been running this for a few weeks and so far it's working well.1View0likes0CommentsRe: PSA: Collect from windows systems without admin rights
23 hours ago, Eric Singer said: Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights. I have done a brief test with LM and it seems to be working well. https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/ That's the article. I created an AD group instead of a user to delegate, and I put the LM collector service in that group. Everything else I've followed as documented. I haven't tested anything else, but this alone is a huge step in the right direction. I wanted to add one more step, you also need to add that same account you're delegating access to in the MS article to the "performance monitor users" local group as well. Then restart the collector.49Views0likes0CommentsPSA: Collect from windows systems without admin rights
Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights. I have done a brief test with LM and it seems to be working well. https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/ That's the article. I created an AD group instead of a user to delegate, and I put the LM collector service in that group. Everything else I've followed as documented. I haven't tested anything else, but this alone is a huge step in the right direction.96Views3likes7CommentsRe: FYI: LM can trigger ESXi 6.5 hostd to crash
No KB that i'm aware of. Their RCA was... Good Morning! Here is the root cause our Engineering has identified, Looking at the threads in hostd, we see that there are lots of threads blocked on the lock of the host managed object. 11 threads (threads 12, 14, 15, 16, 17, 18, 19, 20, 21, 26, 27) were blocked trying to read-lock the host. The thread that holds the read lock is thread 2. It is blocked in some vsan. A code in the GetRuntime() property decided to perform some RPC operations and blocked waiting on a condition variable. This caused a deadlock. This depends on whether the event that the vsan stub was waiting for would be generated from an I/O thread (in which case the thread would eventually be unblocked), or the event needed a worker thread to be generated (in which case it would be a deadlock by thread starvation). As the root cause for the bug is that a piece of VSAN code which is causing a deadlock, our Engineering is working with vSAN team to get the insight of the respective property.0Views0likes0Comments