A security warning on Domain Controllers

I ran across a post on TechNet today with questions on what security holes granting someone administrator access to SCOM could open; I wanted to point out one of the largest items, which may not be immediately apparent.

This applies specifically to Domain Controllers, but once someone has that level of access on a Domain Controller it's pretty much a free-for-all across your domain.

If your SCOM agent action account is Local System on your Domain Controllers, any script the agent launches (management pack workflows, agent tasks, anything not bound to a separate Run As profile) runs with the privileges of the Domain Controller itself, which amounts to Domain Administrator level access to the AD infrastructure. A Domain Controller has no separate local account database, so Local System there is effectively the machine account of the DC: a SCOM Operator who can run an agent task against that DC, or a SCOM Administrator who can import a management pack, can read and change Active Directory without ever being made a Domain Admin. Either give the agent on your DCs a dedicated, least-privilege action account, or treat SCOM Administrator and task rights as equivalent to Domain Admin when you hand them out.

More on how the Local System account interacts with the domain here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/652e82f1-fdb6-46b7-b90e-c62fb37d583a/system-account-in-domain-controller?forum=winserverDS
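A quick way to see what your agent workflows are actually running as on each DC is to look at the owner of the MonitoringHost.exe processes, since that is the process SCOM uses to run scripts and modules under the action account. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed where you run it and that you can open CIM (WinRM) sessions to the Domain Controllers.

```powershell
# Added example (not from the original post): report the account each
# MonitoringHost.exe process runs as on every Domain Controller in the domain.
# Assumes: RSAT ActiveDirectory module installed locally, CIM/WinRM access to the DCs.
Import-Module ActiveDirectory

function Get-MonitoringHostOwnersOnDCs {
    # Returns one object per MonitoringHost.exe process found on each DC
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        try {
            $session = New-CimSession -ComputerName $dc -ErrorAction Stop
        } catch {
            Write-Warning "Could not open a CIM session to $dc : $($_.Exception.Message)"
            return
        }
        try {
            $procs = Get-CimInstance -CimSession $session -ClassName Win32_Process `
                        -Filter "Name='MonitoringHost.exe'"
            if (-not $procs) {
                # No workflow host running right now: the agent may be idle or not installed
                Write-Verbose "No MonitoringHost.exe processes on $dc"
                return
            }
            foreach ($p in $procs) {
                # GetOwner returns the Domain and User the process token belongs to;
                # Local System shows up as NT AUTHORITY\SYSTEM
                $owner = Invoke-CimMethod -CimSession $session -InputObject $p -MethodName GetOwner
                [pscustomobject]@{
                    DomainController = $dc
                    ProcessId        = $p.ProcessId
                    RunsAs           = "$($owner.Domain)\$($owner.User)"
                    IsLocalSystem    = ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM')
                }
            }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

# Any row with IsLocalSystem = True is a DC where agent scripts run with the DC's own privileges
Get-MonitoringHostOwnersOnDCs | Sort-Object DomainController, RunsAs | Format-Table -AutoSize
```

This only sees processes that exist at the moment you query; an agent that is between workflows may show nothing, so run it a couple of times or while a known script-based monitor is due. Several rows per DC are normal when different Run As profiles are in use, and that is exactly the split you want: Local System should not be one of them.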

Balance Agents across Management Servers

The primary environment that I manage is crossing the 3000 server mark, which is what Microsoft lists as the supported max on a single management server. To keep things under control and automated I created the quick script below from bits from around the internet; I thought it might be useful to someone else, so I figured I'd share it.

Please post any questions you may have and I’ll try to answer them as soon as I can.

The script takes 3 parameters and needs to run on a server where the Operations Manager PowerShell module is installed (a management server, or any machine with the Operations console), by an account that is a SCOM Administrator, since changing an agent's management servers is an administrative operation.

  1. ManagementServer – This is the management server the script connects to when it runs.
  2. ServersToExclude – The names of management servers that must not be used as a Primary Management Server. In my case I have a few servers set aside for Linux and SNMP monitoring, and I added this to prevent those servers from being set as the Primary Management Server. All management servers, excluded or not, are added to the failover list.
  3. UseServerDigits – This is a switch. I needed a way to distribute the agents that wasn't random, so that each run of the script doesn't re-shuffle the agents. When this switch is enabled the script takes the last run of digits in the server's name via regex and uses that number (modulo the count of eligible management servers) to place the server; agents with no digits in their name are still placed randomly.

The Script Code:

param([string]$ManagementServer,[string[]]$ServersToExclude,[switch]$UseServerDigits)

#Import module and connect to the management server specified
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

#Get the agents and management servers
$Agents = Get-SCOMAgent
$ManagementServers = Get-SCOMManagementServer

#Create two lists that will be used to hold the management servers,
#one will contain all servers for the failover list and the other will contain the servers to be set as primary
$AllMSList = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'
$PrimaryMSList = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'

#Process each management server we received
ForEach($MS in $ManagementServers)
    {
        #Add every Management Server to the failover list
        $AllMSList.Add($MS)
        If($ServersToExclude -notcontains $MS.ComputerName)
            {
                #Only add these servers if they are not in the servers to exclude list
                $PrimaryMSList.Add($MS)
            }
    }

#Nothing sensible can be done if every management server was excluded
If($PrimaryMSList.Count -eq 0)
    {
        Throw "No management servers left to use as primary after applying ServersToExclude"
    }

#loop through all agents
ForEach($Agent in $Agents)
    {
        #Work from the host name only, so digits in the domain suffix (contoso2.com) don't affect placement
        $HostName = ($Agent.DisplayName -split '\.')[0]

        If($UseServerDigits -and $HostName -match '(?<Digits>\d+)[^\d]*$')
            {
                #Now that we have the rightmost number, do a modulus against the count of eligible management servers
                $ServerToAssignTo = [int]([long]$Matches.Digits % $PrimaryMSList.Count)
            }
        Else
            {
                #This server has no numbers in its name, or the switch wasn't used: pick a primary at random
                $ServerToAssignTo = Get-Random -Maximum $PrimaryMSList.Count -Minimum 0
            }

        #Save some work if the agent is already assigned here
        If($Agent.PrimaryManagementServerName -ne $PrimaryMSList[$ServerToAssignTo].DisplayName)
            {
                $Agent.SetManagementServers($PrimaryMSList[$ServerToAssignTo],$AllMSList)
            }
    }
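The digit scheme is only as balanced as your naming convention: "last number modulo management server count" is a hash, and if most of your servers end in 01 or 02 the agents pile up on one or two management servers. The function below is an added example, not part of the original script; it replays the same regex and modulus against a list of agent names without touching SCOM, so you can check the spread before you run the real thing. The server names are constructed for illustration.

```powershell
# Added example (not part of the original script): dry run of the digit-based
# placement so the resulting spread can be checked before any agent is changed.
# Uses the same regex and modulus as the balancing script.
function Get-DigitPlacement {
    param(
        [Parameter(Mandatory)][string[]]$AgentNames,
        [Parameter(Mandatory)][int]$PrimaryCount   # number of management servers eligible as primary
    )
    foreach ($name in $AgentNames) {
        # Same host-name-only handling as the script, so the domain suffix cannot contribute digits
        $hostName = ($name -split '\.')[0]
        if ($hostName -match '(?<Digits>\d+)[^\d]*$') {
            $slot   = [int]([long]$Matches.Digits % $PrimaryCount)
            $method = 'digits'
        } else {
            # The script would fall back to Get-Random for these, so no stable slot exists
            $slot   = $null
            $method = 'random'
        }
        [pscustomobject]@{ Agent = $name; Slot = $slot; Method = $method }
    }
}

# Constructed sample names: a typical "role + two digit counter" convention plus one server with no number
$sample = @(
    'web01.contoso.com','web02.contoso.com','web03.contoso.com','web04.contoso.com',
    'sql01.contoso.com','sql02.contoso.com','app01.contoso.com','app02.contoso.com',
    'fs01.contoso.com','fs02.contoso.com','dc01.contoso.com','printsrv.contoso.com'
)

$placement = Get-DigitPlacement -AgentNames $sample -PrimaryCount 3
$placement | Format-Table -AutoSize

# Agents per primary slot: a lopsided count here means the naming convention is a poor
# hash for your management server count and the load will be skewed after the real run
$placement | Where-Object { $_.Method -eq 'digits' } |
    Group-Object Slot |
    Select-Object @{ Name = 'Slot'; Expression = { [int]$_.Name } }, Count |
    Sort-Object Slot
```

With three primaries the sample lands 6 agents on slot 1, 4 on slot 2 and only 1 on slot 0, because "01" suffixes dominate; changing the number of eligible management servers or excluding a different one changes the modulus and therefore the whole map. After the real run, Get-SCOMAgent | Group-Object PrimaryManagementServerName shows the live distribution to compare against.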