12 March 2011

The Day IT Security Policy Gave Me The Banana Skin

Ever wondered whether one day you will be given a “warm” welcome by the IT security team because of their unique security policy?

I was trying to deploy some OpsMgr agents to some servers which sit in the DMZ. No worries, just open the firewall and we are clear to go. Discovery Wizard got it, agent installation successful, and we should expect them to show up in Monitoring soon … but hey, wait a sec … why is the agent version unknown and the health status grey (unable to contact agent)?


Let's take a look at the Agent Patch version. It's supposed to be CU4. Ouch, the server does not have the version detected. Not good.


Let's go in to the monitored server and have a look at the Event Viewer. Wow! I get tons of event 21400. Discovery scripts kept failing because they cannot find the CScript.exe file to run the VBS scripts.

When I look at the folder, wow, CScript.exe is missing. No wonder SCOM cannot execute the discovery scripts.


A quick chat with the administrator: apparently, once upon a time, their security team had this policy of not allowing system executable files to reside in the C:\Windows\System32 folder. Anyway, that policy does not apply now and we just need to copy the file back to the System32 folder.

To be safe, I restarted the Health Service on the monitored server to kickstart discovery tasks immediately. Within a minute … it worked like a charm.
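The checks from this troubleshooting run, gathered into one PowerShell script as an added example that is not part of the original post. It assumes it is run elevated on the monitored server, that the agent logs to the `Operations Manager` event log and that its service is named `HealthService`; the function name `Test-AgentScriptHost` is made up for this example.

```powershell
# Added example: local triage for the symptom in this post.
# Assumed defaults: event log 'Operations Manager', service 'HealthService'.
function Test-AgentScriptHost {
    $cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
    $present = Test-Path -LiteralPath $cscript

    # Script-failure events (ID 21400) logged by the agent in the last 24 hours.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Operations Manager'
        Id        = 21400
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)

    # If the file was copied back by hand, confirm it is a signed binary.
    # Older PowerShell builds may report catalog-signed system files as
    # NotSigned, so treat that status as inconclusive rather than as proof.
    $sig = $null
    if ($present) { $sig = Get-AuthenticodeSignature -FilePath $cscript }

    [pscustomobject]@{
        CScriptPath     = $cscript
        CScriptPresent  = $present
        SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer          = if ($sig -and $sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else { 'n/a' }
        FileVersion     = if ($present) {
                              (Get-Item -LiteralPath $cscript).VersionInfo.FileVersion
                          } else { 'n/a' }
        Event21400Count = $events.Count
    }
}

$result = Test-AgentScriptHost
$result | Format-List

if (-not $result.CScriptPresent) {
    Write-Warning "cscript.exe is missing; discovery scripts will keep failing."
}
elseif ($result.Event21400Count -gt 0) {
    # The file is in place but failures were logged earlier:
    # restart the agent so discovery reruns immediately.
    Restart-Service -Name HealthService
}
```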
