ITOM Service Account permissions for AD packages

[Gareth Roberts]

Good afternoon,

I was just looking for a bit of guidance if you have any on what permissions are required for the service account to be able to run automation in Active Directory (specifically the Active Directory Group Management, and Active Directory User Management packages)? I have the SIS set up, and have discovered a nearby DC and it is managed in ITOM. I have added creds that I know can create users, by testing it in ADUC. However, when I try to run a job from ITOM, I keep getting the following error: 

Remote job creation failed. It was not possible to connect to the remote system. Access is denied.

If I sub out the creds for Domain Admin creds, it works with no issue. If I make the service account an admin on the DC, it works with no issue. However, based on least privileges, I simply can't make that service account a Domain Admin when it only needs to create and edit users. I've tried providing it with RDP permissions, making it a member of the Account Operators groups, but nothing else seems to work. I know this isn't so much a Hornbill issue, but was wondering if you'd come across this and had any guidance on it.

Thanks,

Gareth

[Graham]

Hi @Gareth Roberts

A couple of initial clarification questions:

1. What do you mean when you say "the service account"? Is this an account that the SIS service is running under?
2. When you say you've added credentials, to where have you added them?

Graham

[Gareth Roberts]

Thanks for getting back so quickly @Graham,

1. We use a service account that will run the jobs in AD. It's a domain account, which we provide required permissions to.

2. The credentials for the service account are saved into the Hornbill Keysafe, and referenced in the IT Automation Job node or within ITOM

[Graham]

@Gareth Roberts

When the SIS service runs a job remotely, an executable is copied to that remote system, along with the relevant package and the executable is started remotely. This is carried out in part using WMI and the error you are getting indicates that the SIS service is not able to establish a WMI connection to the remote system. The connection is made using the credentials specified in the "Admin" section of the job settings.

The first thing I would check is that the service account has permission to connect via WMI to the remote machine. As a diagnostic step, I would suggest adding all permissions for the service account to the root node. If that solves the issue then the permissions can be reduced (I think you will need at least the Enable Account, Execute Methods and Remote Enable permissions) and those permissions can also be applied to just the CIMV2 node.

Graham