• Locked Locked
  • Replies 21 replies
  • Subscribers 14 subscribers
  • Views 17561 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Missing Permissions to create default profile for IT Monitoring Console

nicole.h.dodd.ctr
over 6 years ago

I have read all the permissions needed to create the default profile for IT Monitoring Console. The application is installed however, the default profile isn't showing. I am curious to know if I am missing some permissions somewhere as when I try to actually create a profile I receive a COM+ application error and states I cannot create the profile, access denied. If someone would be so gracious to help me out on what I am potentially missing as far as permissions go, that would be awesome.

 

Any feedback would be great!

 

Thanks,

Nicole

  • over 6 years ago

    Igor:

    I will see what I am allowed to do for KB4057401. I was able to get my servers in logging mode and IE is no longer blocking. I tried to create a profile on the server using IE under the USAR_IntrustAgent account and received access denied. This was right clicking and running as different user and putting in the USAR_Intrustagent account information. I was able to create an empty application. Please see attached.

     

    Thanks,

    Nicole

  • over 6 years ago
    Igor:

    For KB4057401, it was in the January roll up of this year. We aren't able to roll back to that unless I am confused on the KB you are wanting to have installed on top of the KB that just came out this month.

    Please let me know when you can.

    Thanks,
    Nicole
  • over 6 years ago
    Hi Nicole.

    About updates, KB4056898 came out on January 3, and the fixed one KB4057401 came out on January 17. I do not ask for any rollback.

    About the error. I did not understand, when you create test app, why you need to run "as a different user" if you're already logged under this USAR_Intrustagent? I assume that you're logged under this account and do everything under it and no other accounts are involved. Please clarify.

    You said that on the same machine there is InTrust Manager, right? I would like to know exactly which Dell/Quest apps you have on this machine with exact versions. Is there a chance that you have different versions mixed-up or all of them are 11.3.0.1464? And since you had an upgrade, the installation folder is still Dell, is this correct? Well, the thread is growing, maybe it's better to raise the support case and have a webex...
  • over 6 years ago

    Igor:

    Hello.

    The latest roll up that we currently have installed on our machines is KB4074594 which is the February roll up.

    When I created the test app, I just ran the MMC and created it with the USAR_Intrustagent. It created successfully. I didn't run anything as different user.

    I ran IE as different user on the server as run as admin wasn't available to try to create a profile and the error that I sent was what I got. (access denied)

    Yes, Intrust Man is on the same machine as the monitoring console. Please see attached versions as well as the folders under C:\Program Files(x86)

     

    Please let me know if you have any questions.

    Thanks,

    Nicole

  • over 6 years ago
    Hi Nicole.

    To make "run as admin" available run IE and pin it to taskbar, after that Shift+Right click on the pinned icon.
    I will ask for couple more things. First, could you please go to the installation folder of MonConsole (or the whole folder with all InTrust components) and explicitely add Modify permission with propagation to all subfolders and files for the account you are using to create the profile.
    And second, how about trying to install and use Mon Console on another machine? Will the behavior be the same? If none of the above is OK then please open the support case. Thank you.
  • over 6 years ago
    Igor:

    So I was able to create a profile with the usar_intrustagent account. I ran IE in task bar as admin. The usar_intrustagent account already had full permissions under the admin group on the machine. What I am not sure about is why didn't it install as a default profile instead of having to go in and create it during the installation of mon console? I also had to add the domain in front of the user account in run as to create the profile correctly.

    Please let me know if you have any advice on why it didn't create it automatically during the install as the default profile.

    Thanks,
    Nicole
  • over 6 years ago
    Hi Nicole,

    I'm glad you're able to create it, now you can continue working with the product.
    It's unclear to me though, was this due to the actions we performed during investigation or not? I mean what exactly helped, was it the installation folder permissions issue? BTW, are you able now to create another profile remotely from your desktop under that account? If it was a folder permissions issue, it prevented profile creation during the regular installation also.
    Possible reason might be that you installed Monitoring Console separately, not within InTrust Suite. The Default Profile is created only if the components're installed altogether. And the Suite is launched with escalated privileges automatically which helps to get rid of such issues with permissions.
  • over 6 years ago
    Igor:

    No, it was not due to permissions on the folder installation as I did NOT change the permissions. The Monitoring console and Intrust Man are installed on the same server not different ones. The 3 things I did differently were the following:

    1. I was able to get my server out of GPO that blocked IE from working on the server
    2. I was able to run IE as admin on the server by adding it to the taskbar
    3. I added the domain in front of the Usar_Intrustagent username during the successful creation of the profile

    I have not tried to create a profile from my desktop as I do not log into a workstation with a service account. That is against our policies. However, I did try to create a profile under my normal user account from my workstation and received the COM+ application error. I am wondering if either it was the domain not in front of the username during the installation or if UAC may have caused the issue even though I ran the installation as admin. I appreciate all of your help with this issue. I am glad we were able to fix it.

    Thanks,
    Nicole
  • over 6 years ago
    Hi Nicole,

    OK, got it. Well, I think I need to describe some best practices regarding InTrust accounts. The account USAR_domain\USAR_IntrustAgent as you say is used for InTrust services, and you're not allowed to logon under it, that's ok. But you also should have the account for installation and configuration purposes, let's say USAR_domain\Nicole. This account should also be powerful enough and have certain permissions. The COM+ admin permissions and the membership in InTrust Alerting Admins should be granted to that USAR_domain\Nicole, while inside the profile you specify USAR_domain\USAR_IntrustAgent. So, the COM+ application is created by USAR_domain\Nicole but is running under USAR_domain\USAR_IntrustAgent. And of course it goes without saying, when the program asks to specify any account it should be a pair domain\username.
    Nicole, if you consider the question is answered, may I ask you to mark the whole thread as "solved". Also please do the same for other threads in this forum, if any. Thanks a lot.
  • over 6 years ago

    Igor:

     

    That does make sense. I appreciate your feedback. Thank you for your help. Can you tell me how to mark it as solved?

     

    Thanks again,

    Nicole