Gareth Roberts
Posted October 4, 2022

Good afternoon,

I was just looking for a bit of guidance, if you have any, on what permissions are required for the service account to be able to run automation in Active Directory (specifically the Active Directory Group Management and Active Directory User Management packages)?

I have the SIS set up, and have discovered a nearby DC and it is managed in ITOM. I have added creds that I know can create users, by testing it in ADUC. However, when I try to run a job from ITOM, I keep getting the following error:

Remote job creation failed. It was not possible to connect to the remote system. Access is denied.

If I sub out the creds for Domain Admin creds, it works with no issue. If I make the service account an admin on the DC, it works with no issue. However, based on least privileges, I simply can't make that service account a Domain Admin when it only needs to create and edit users.

I've tried providing it with RDP permissions, making it a member of the Account Operators groups, but nothing else seems to work.

I know this isn't so much a Hornbill issue, but was wondering if you'd come across this and had any guidance on it.

Thanks,
Gareth

Graham
Posted October 4, 2022

Hi @Gareth Roberts

A couple of initial clarification questions:

What do you mean when you say "the service account"? Is this an account that the SIS service is running under?

When you say you've added credentials, to where have you added them?

Graham

Gareth Roberts (Author)
Posted October 4, 2022

Thanks for getting back so quickly @Graham,

1. We use a service account that will run the jobs in AD. It's a domain account, which we provide required permissions to.

2. The credentials for the service account are saved into the Hornbill Keysafe, and referenced in the IT Automation Job node or within ITOM.

Graham
Posted October 4, 2022

@Gareth Roberts

When the SIS service runs a job remotely, an executable is copied to that remote system, along with the relevant package, and the executable is started remotely. This is carried out in part using WMI and the error you are getting indicates that the SIS service is not able to establish a WMI connection to the remote system. The connection is made using the credentials specified in the "Admin" section of the job settings.

The first thing I would check is that the service account has permission to connect via WMI to the remote machine. As a diagnostic step, I would suggest adding all permissions for the service account to the root node. If that solves the issue then the permissions can be reduced (I think you will need at least the Enable Account, Execute Methods and Remote Enable permissions) and those permissions can also be applied to just the CIMV2 node.

Graham
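
A read-only check for the three WMI namespace permissions named in the reply above, added here as an example and not part of the original thread or of Hornbill's tooling. It assumes Windows PowerShell 5.1 run elevated on the target machine; the account name EXAMPLE\svc-itom is a placeholder.

```powershell
# Added example: report whether an account holds the WMI namespace rights
# mentioned in the thread (Enable Account, Execute Methods, Remote Enable).
# Reads the namespace ACL only; nothing is changed.
param(
    [string]$Account   = 'EXAMPLE\svc-itom',   # placeholder service account (assumption)
    [string]$Namespace = 'root\cimv2'          # use 'root' to inspect the root node
)

# WMI namespace access-mask bits (WBEM_* constants)
$Rights = [ordered]@{
    'Enable Account'  = 0x1     # WBEM_ENABLE
    'Execute Methods' = 0x2     # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x20    # WBEM_REMOTE_ACCESS
}

# Fetch the namespace security descriptor via the __SystemSecurity class
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}

# Combine the access masks of all allow ACEs (AceType 0) granted
# directly to the account
$allowMask = 0
foreach ($ace in $result.Descriptor.DACL) {
    $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
    if ($ace.AceType -eq 0 -and $trustee -ieq $Account) {
        $allowMask = $allowMask -bor $ace.AccessMask
    }
}

# One output row per right, so a missing permission is easy to spot
foreach ($name in $Rights.Keys) {
    [pscustomobject]@{
        Namespace = $Namespace
        Account   = $Account
        Right     = $name
        Granted   = [bool]($allowMask -band $Rights[$name])
    }
}
```

The script only matches ACEs that name the account directly; rights inherited through group membership, and any deny ACEs, are not evaluated.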