5 Replies Latest reply on Oct 13, 2012 9:36 AM by Bill Robinson

    BL Agent and Exchange Rights

      I’m having some issues executing a PowerShell command to Start DAG Server Maintenance to administer Exchange through a BL package.  The PowerShell script properly executes but it’s failing on the permissions of the agent on the Exchange server.  I tried to add the agent to the Exchange permissions list but it doesn’t accept the agent as a valid ID.  Any ideas on how to let the agent fully assume another ID?

        • 1. Re: BL Agent and Exchange Rights
          Bill Robinson

          What user are you mapped to on the Exchange server through BladeLogic? (Do a custom command on the server and choose 'agentinfo' as the role:user that runs the job.)

          What do you mean by 'add the agent to the exchange permissions list'?  Do you mean you added the BladeLogicRSCD account to something?

          What is the PowerShell command running?

          Can that run as a local account or does it need to run as a domain-level account?

          • 2. Re: BL Agent and Exchange Rights

            What user are you mapped to on the Exchange server through BladeLogic? (Do a custom command on the server and choose 'agentinfo' as the role:user that runs the job.)

            We are mapped to a local admin account on the server. I even directly added the BladeLogic RSCD agent to the local admin group on the server.

            What do you mean by 'add the agent to the exchange permissions list'? Do you mean you added the BladeLogicRSCD account to something?

            The PowerShell script runs through the Exchange remote shell console. Basically a remote PowerShell console with Exchange cmdlets. So the shell is running locally on the server but is trying to contact other Exchange servers to enter it into DAG maintenance mode. The ID executing the script needs to be added to the Exchange permissions list via Exchange mgmt commands. But when I try to add it via system name / BladeLogic RSCD it kicks back a not valid ID because it is not AD based.

            What is the PowerShell command running?

            It’s an out of the box Exchange Start and stop DAG maint script.

            Can that run as a local account or does it need to run as a domain-level account?

            There is nothing documented by Microsoft that says it cannot use a local account but I can’t get it to work. Only AD accounts will work.

            The only way I think this will work is with automation principals. Or is there a way to have the local BL agent execute the PowerShell script as another user?

            • 3. Re: BL Agent and Exchange Rights
              Bill Robinson

              I would take the BladeLogicRSCD account out of the local Administrators group. 

               

              There should be a way to pass in alternative credentials to the PowerShell script - that should show in the PowerShell help or Microsoft documentation.

               

              You may need to use the AP as you suggest.

               

              Can you log in to the target server as the local admin and run the PowerShell script?

              • 4. Re: BL Agent and Exchange Rights

                There is a lot on executing a PowerShell script as another user but I haven't had any luck so far.  I'm trying to create an external command in a BLPackage to switch the execution user.  In an external command I call PowerShell then try to run simple commands to start but it always hangs and doesn't account for returns.  So anything I put in is executed as a string.