Recently I was saddled with standing up Zenoss for our enterprise. We're running about 1200 servers, so manually touching each box was not an option. We use LANDesk for a lot of automated installs and patching - more about that later.
The steps below may not necessarily have to be completed in this order - it's just the way I did it.
STEP ONE:
Set up a standard (non-privileged) AD user. We want to do this so there's minimal security exposure. Call the account whatever you want; it's "domain/zenoss" in the examples here.
***********************************************************
STEP TWO:
Add your zenoss account to the following local groups on each monitored machine:
Distributed COM Users
Performance Monitor Users
Event Log Readers (this group doesn't exist on pre-2008 machines)
Here's the PowerShell script I used to set up membership in these local groups:
# Adds an Active Directory account to local groups on each machine listed in a text file.
# Must be run from an elevated prompt, with admin permissions on the remote machine(s).
# c:\tmp\computers.txt should contain the names of the machines that need the account added, one per line.
# The script processes the machines line by line.
$objUser = [ADSI]("WinNT://domain/zenoss")
foreach ($i in (Get-Content c:\tmp\computers.txt)) {
    # Add the user to the first group
    $objGroup = [ADSI]("WinNT://$i/Distributed COM Users")
    $objGroup.PSBase.Invoke("Add", $objUser.PSBase.Path)
    # Add the user to the second group
    $objGroup = [ADSI]("WinNT://$i/Performance Monitor Users")
    $objGroup.PSBase.Invoke("Add", $objUser.PSBase.Path)
    # Add the user to the third group - the group doesn't exist on < Server 2008,
    # so the Invoke fails there; uncomment for 2008+ targets only
    #$objGroup = [ADSI]("WinNT://$i/Event Log Readers")
    #$objGroup.PSBase.Invoke("Add", $objUser.PSBase.Path)
}
**********************************************************
STEP THREE: Set up security on each machine's WMI namespace (and DCOM launch permissions) so our domain/zenoss account can access it.
The default namespace Zenoss uses is: root/cimv2
Here's the PowerShell script:
#Grant the account defined below (the get-sid call) access to the WMI namespace and to DCOM launch/activation
#Has to be run as an account with admin permissions on the remote machine
function get-sid
{
    Param (
        $DSIdentity
    )
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid "domain\zenoss"
# WMI ACE: CC = Enable Account, WP = Remote Enable. No inheritance flags, so it applies to root/cimv2 only, not to sub-namespaces.
$SDDL = "A;;CCWP;;;$sid"
# DCOM ACE: CC = Execute, DC = Local Launch, RP = Remote Activation
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "c:\tmp\computers.txt"
foreach ($strcomputer in $computers)
{
    # Read the current DCOM machine launch restriction from HKLM (2147483650 = HKEY_LOCAL_MACHINE)
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    # Read the current security descriptor of the root/cimv2 namespace
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    # Append our ACEs to the existing SDDL strings (run once per machine - this does not check for an existing ACE)
    $newSDDL = $outsddl.SDDL + "(" + $SDDL + ")"
    $newDCOMSDDL = $outDCOMSDDL.SDDL + "(" + $DCOMSDDL + ")"
    # Convert back to binary and write both descriptors
    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
}
***********************************************************
STEP FOUR: Get the SID for our zenoss account.
PowerShell:
#Resolve the AD user to its SID
$objUser = New-Object System.Security.Principal.NTAccount("domain", "zenoss")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
******************************************************************
STEP FIVE: Modify the Service Control Manager's security descriptor to allow access to the zenoss AD account.
This command can be run from an elevated command prompt or through PowerShell (in PowerShell, sc on its own is an alias for Set-Content, so call sc.exe explicitly). The whole SDDL string is a single argument, so keep it on one line:
sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;PUT_YOUR_SID_HERE_FROM_STEP_FOUR)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
******************************************************************
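Once the five steps are in place, here is the PowerShell check I would add to confirm each machine actually ended up with the zenoss ACEs in all three places and that the account can run a read-only WMI query. This is an added verification script, not part of the original procedure; it assumes the same c:\tmp\computers.txt list and the domain\zenoss account, and prompts for that account's password for the final query.

```powershell
# Verification script (added example, not from the original post).
# Run it from a machine that is not in computers.txt: WMI refuses explicit credentials for local connections.
function Get-Sid {
    Param([string]$DSIdentity)
    $id = New-Object System.Security.Principal.NTAccount($DSIdentity)
    return $id.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$sid       = Get-Sid "domain\zenoss"          # assumed account name, same as the steps above
$cred      = Get-Credential "domain\zenoss"   # used only for the read-only query in check 4
$converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
$acePattern = [regex]::Escape(";$sid)")       # an ACE ends with ";;;<SID>)", so this finds our account

foreach ($c in (Get-Content "c:\tmp\computers.txt")) {
    # 1. WMI namespace: does the root/cimv2 descriptor contain an ACE for our SID?
    $security = Get-WmiObject -ComputerName $c -Namespace root/cimv2 -Class __SystemSecurity
    $binarySD = @($null)
    $null = $security.PsBase.InvokeMethod("GetSD", $binarySD)
    $wmiOk = ($converter.BinarySDToSDDL($binarySD[0]).SDDL) -match $acePattern

    # 2. DCOM: MachineLaunchRestriction under HKLM (2147483650) should carry the same SID
    $reg = [WMIClass]"\\$c\root\default:StdRegProv"
    $dcomBin = $reg.GetBinaryValue(2147483650, "software\microsoft\ole", "MachineLaunchRestriction").uValue
    $dcomOk = ($converter.BinarySDToSDDL($dcomBin).SDDL) -match $acePattern

    # 3. Service Control Manager: sc.exe sdshow prints the current SDDL of scmanager
    $scmOk = ((& sc.exe "\\$c" sdshow scmanager) -join "") -match $acePattern

    # 4. End to end: a read-only query as the zenoss account itself
    try {
        $null = Get-WmiObject -ComputerName $c -Namespace root/cimv2 -Class Win32_OperatingSystem `
                              -Credential $cred -ErrorAction Stop
        $queryOk = $true
    } catch {
        $queryOk = $false
    }

    # One row per machine; any $false column points at the step that needs re-running
    [pscustomobject]@{ Computer = $c; WmiAce = $wmiOk; DcomAce = $dcomOk; ScmAce = $scmOk; QueryAsZenoss = $queryOk }
}
```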
In step two the script works through a text file, processing each computer listed on each line. For the other scripts I ran them on each machine using LANDesk. You can probably edit those scripts to process a text file as well.
That's what got me off the ground monitoring the machines using Zenoss. Hopefully this is helpful for you. Watch the line breaks when copying the scripts.