Geeks With Blogs
Jay Fox
Recently I was saddled with standing up Zenoss for our enterprise.  We're running about 1200 servers, so manually touching each box was not an option.  We use LANDesk for a lot of automated installs and patching - more about that later.

The steps below may not necessarily have to be completed in this order - it's just the way I did it.

Setup a standard AD user.  We want to do this so there's minimal security exposure.  Call the account what ever you want "domain/zenoss" for our examples.
Make the following local groups accessible by your zenoss account.
Distributed COM Users
Performance Monitor Users
Event Log Readers (which doesn't exist on pre-2008 machines)

Here's the Powershell script I used to setup access to these local groups:

# Created to add Active Directory account to local groups
# Must be run from elevated prompt, with permissions on the remote machine(s).

# Create txt file should contain the names of the machines that need the account added, one per line.
# Script will process machines line by line.
foreach($i in (gc c:\tmp\computers.txt)){

# Add the user to the first group
$objGroup=[ADSI]("WinNT://$i/Distributed COM Users")

# Add the user to the second group
$objGroup=[ADSI]("WinNT://$i/Performance Monitor Users")

# Add the user to the third group - Group doesn't exist on < Server 2008
#$objGroup=[ADSI]("WinNT://$i/Event Log Readers")


Setup security on the machines namespace so our domain/zenoss account can access it
The default namespace for zenoss is:  root/cimv2
Here's the Powershell script:

#Grant account defined below (line 11) access to WMI Namespace
#Has to be run as account with permissions on remote machine

function get-sid
Param (
$ID = new-object System.Security.Principal.NTAccount($DSIdentity)
return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
$sid = get-sid "domain\zenoss"
$SDDL = "A;;CCWP;;;$sid"
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "c:\tmp\computers.txt"
foreach ($strcomputer in $computers)
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object Win32_SecurityDescriptorHelper
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    $newSDDL = $outsddl.SDDL += "(" + $SDDL + ")"
    $newDCOMSDDL = $outDCOMSDDL.SDDL += "(" + $DCOMSDDL + ")"
    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)

Get the SID for our zenoss account.

#Provide AD User get SID
$objUser = New-Object System.Security.Principal.NTAccount("domain", "zenoss")
 $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
Modify the Service Control Manager to allow access to the zenoss AD account.
This command can be run from an elevated command line, or through Powershell

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)
In step two the script plows through a txt file that processes each computer listed on each line.  For the other scripts I ran them on each machine using LANDesk.  You can probably edit those scripts to process a text file as well.

That's what got me off the ground monitoring the machines using Zenoss.  Hopefully this is helpful for you.  Watch the line breaks when copy the scripts.

Posted on Thursday, September 20, 2012 11:15 AM | Back to top

Comments on this post: Zenoss Setup for Windows Servers

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Jay Fox | Powered by: