Our service desk uses an adapted version of the GroupMaintenancemode script from Boris Yanushpolski and his Agent maintenance mode script. These users are all OpsMgr operators and authors. Until recently this script worked fine for them, but I suspect a certain update with security fixes caused some problems in using this script.
At one point, the script checks whether a computer that is to be put in maintenance mode is the RMS. Since putting an RMS in maintenance mode can cause serious problems, we want the script to prevent this. This check now fails to execute for the service desk users because of insufficient privileges. I did some research and found that cmdlets like get-rootmanagementserver, get-managementserver etc. can no longer be executed by users in the operator or author roles. This will result in the following error:
This problem causes the script to throw an error, and neither the users nor the script are able to verify whether the computer is the Root Management Server. Since I require that the script be able to pass this verification, I was looking for a different way to execute this check, other than making everyone an administrator, and eventually found one.
The HealthService class contains a property called ‘IsRHS’ which tells us whether the specific health service is the ‘Root Health Service’. Since the root health service only runs on the RMS, this also tells us whether the specific computer is the Root Management Server. Since operators are allowed to read this property, this is a solution for our problem.
Below is a script to retrieve the property:
param($serverName)
# Classes needed to get from a computer to the health service it hosts
$computerClass = get-monitoringclass -name:Microsoft.Windows.Computer
$healthServiceClass = get-monitoringclass -name:Microsoft.SystemCenter.HealthService
# Resolve the display name passed in to the computer's PrincipalName
$principalNameProp = Get-MonitoringClassProperty -monitoringClass:$computerClass | where { $_.Name -eq 'PrincipalName' }
$computerPrincipalName = (get-monitoringobject -monitoringclass:$computerClass | Where-Object {$_.DisplayName -eq $serverName}).getmonitoringpropertyvalue($principalNameProp)
# Fetch the computer object by PrincipalName
$computerCriteria = "PrincipalName='" + $computerPrincipalName + "'"
$computer = get-monitoringobject -monitoringclass:$computerClass -criteria:$computerCriteria
# Take the health service related to this computer
$healthServices = $computer.GetRelatedMonitoringObjects($healthServiceClass)
$healthService = $healthServices[0]
# IsRHS is readable by operators; it is true only for the Root Health Service, which runs on the RMS
if ($healthService.getmonitoringpropertyvalue(($healthService.getmonitoringproperties() | where-object {$_.Name -eq 'IsRHS'})))
{
    [String]::Format("{0} contains the Root Health Service", $computerPrincipalName)
}
else
{
    [String]::Format("{0} does not contain the Root Health Service", $computerPrincipalName)
}
If you save the script to ‘CheckRHS.ps1’ (which is also attached to this post as a zip-file)