Missing Permissions to create default profile for IT Monitoring Console

I have read all the permissions needed to create the default profile for IT Monitoring Console. The application is installed however, the default profile isn't showing. I am curious to know if I am missing some permissions somewhere as when I try to actually create a profile I receive a COM+ application error and states I cannot create the profile, access denied. If someone would be so gracious to help me out on what I am potentially missing as far as permissions go, that would be awesome.

 

Any feedback would be great!

 

Thanks,

Nicole

  • Hi Nicole,

    Can you share the exact "access denied" error? There are a few different ones so important we know which one you see there just in case.

    Most common issue is with UAC. Please try the following:

    1. Right-click Internet Explorer and select "Run as Administrator"
    2. Enter the path of the Monitoring Console: http://<intrust_server>/ITMonitoring/Administration/
    3. Create the Alert Profile

    Regards,
    Chris

  • In reply to Chris.Hood:

    Chris:

    Good Morning! Attached is the error that I am receiving when trying to create a profile. There should also be a default profile as there are alerts already set up that you can view in the Repo Viewer. That default profile was not automatically created as I don't know what permissions could be missing or if UAC could of cause that issue. I did run IE as administrator and still received the same error. Please advise.

     

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    Hi Nicole,

    Were you able to create the profile?

    Please review this SysReq section about the rights needed to create the profile:

    1. Administrator role for COM+ System Application: To check if you have the Administrator role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node. Local Administrators group is there by default, so if you are the member of local Administrators, it should work.
    2. Membership in the "InTrust Alerting Admins" local group. Add yourself manually into this group.
    3. If you are trying to create a profile locally on the computer where Mon Console is installed, and User Account Control is turned on, to open the Monitoring Console Administration page, Internet Explorer must be started using the Run as administrator command (from the Windows main menu, right-click and "run as administrator").
  • In reply to Igor.Ilyin:

    Igor:

    I was not able to create the profile. Please see comments on the following:

     1.  Administrator role for COM+ System Application: The account that I am using is the account that was created for all Intrust installation. It has admin rights for anything related to Intrust. It is a part of the security group that has been added to the COM+ application roles as well as adding it directly.

       2. Membership in the "InTrust Alerting Admins" local group: The user account has been added to this group directly.

       3. If you are trying to create a profile locally on the computer where Mon Console is installed, and User Account Control is turned on, to open the Monitoring Console Administration page, Internet Explorer must be started using the Run as administrator command (from the Windows main menu, right-click and "run as administrator"): Our environment is locked down and I am not allowed to use IE on the server itself. I was trying to create a profile from my workstation and received the error. SIDE NOTE: During the installation of the monitoring console there should be a default profile created. That profile is NOT being created as well as not being able to create one after the fact. Is there something that I am missing during the installation of the monitoring console that is NOT allowing the default profile to be created?

    Please see attached screen shots of the account and groups.

     

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    I was able to get this COM+ access denied error only if I was not a member of COM+ Administrator role. But you say this USAR_InTrustAgent is. Maybe COM+ configuration is not fresh? Try to restart COM+ System Application on the host with MonConsole, via services snapin or via command line "net stop comsysapp"/"net start comsysapp" and then create profile again. Also please provide the list of COM+ Applications from Component Services | Computers | My Computer | COM+ Applications node. Are there any Dell/Quest apps?
  • In reply to Igor.Ilyin:

    Igor:

    Attached is the screen shot of the COM+ Applications node. As for the COM+ Application service, it was restarted and the same users are in the administrator role for System Application. Please advise.

     

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    Also,

    Can you tell me how IIS should be set up for authentication for the monitoring console as well or direct me to documentation on where to find the configuration/

    Thanks,
    Nicole
  • In reply to nicole.h.dodd.ctr:

    Thank you Nicole,

    The authentication required by Mon Console is Windows Authentication.

    Some additional questions.

    1. I see the Dell Alerting Profile there. When it was created and did you use it successfully before? If yes, what happened in between? Did you upgrade?
    2. Is Mon Console installed together with InTrust Server or on separate machine?
    3. Is this USAR_InTrustAgent account a member of local Administrators group? Domain Admins Group?
    4. Is this USAR_InTrustAgent account also used as InTrust Server services account?
    5. What is your policy with MS updates and in particular do you have installed updates mentioned here:

    support.quest.com/.../real-time-collections-not-working-after-installing-kb4056890-windows-server-2016-kb4056898-windows-server-2012-r2-or-kb4056899-windows-2012-

    Thanks.

  • In reply to Igor.Ilyin:

    Igor:

    1.  I see the Dell Alerting Profile there. When it was created and did you use it successfully before? If yes, what happened in between? Did you upgrade? The default profile was there before and working as normal. I upgraded from 11.0 to 11.1 to 11.3.

    2.   Is Mon Console installed together with InTrust Server or on separate machine? Mon console is installed on the same server as Intrust Man, however I do have Intrust Man installed on more than 1 of the Intrust servers (if that even matters)

    3. Is this USAR_InTrustAgent account a member of local Administrators group? Domain Admins Group? USAR_IntrustAgent is a member of the local admin group and is an enterprise admin. It is not a domain admin.

    4. Is this USAR_InTrustAgent account also used as InTrust Server services account? USAR_IntrustAgent is used for the service account as well as everything else for Intrust.

    5.    What is your policy with MS updates and in particular do you have installed updates mentioned here: Our policy is based on Critical monthly patches. We have an organization that determines what patches are to be applied to our systems. KB4056898 (Windows Server 2012 R2) was installed on 2/23/2018. We were experiencing this issue before that patch was installed.

    Please advise. I greatly appreciate all feedback thus far.

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    Hi Nicole.

    Thank you.
    When I mentioned the updates I meant this KB4056898 was harmful to some functionality in our product, so we recommend to install KB4057401on top asap.
    Let's continue: you logon with this USAR_IntrustAgent user on some desktop machine and you're using a browser to connect to the server where InTrust Monitoring Console is installed, is this right? You said "you're not allowed to use IE on the server itself". Is it possible to ask you or admins to create the empty COM+ application on this Server for testing purposes? Like this: logon under USAR_IntrustAgent account on the Server where Mon Console is installed, run Component Services | Computers | My Computer | COM+ Applications, right click, New -> Application -> "Create an empty application", and then finish the wizard with default settings? If the result is success, then account has enough rights indeed.
  • In reply to Igor.Ilyin:

    Igor:

    I will see what I am allowed to do for KB4057401. I was able to get my servers in logging mode and IE is no longer blocking. I tried to create a profile on the server using IE under the USAR_IntrustAgent account and received access denied. This was right clicking and running as different user and putting in the USAR_Intrustagent account information. I was able to create an empty application. Please see attached.

     

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    Igor:

    For KB4057401, it was in the January roll up of this year. We aren't able to roll back to that unless I am confused on the KB you are wanting to have installed on top of the KB that just came out this month.

    Please let me know when you can.

    Thanks,
    Nicole
  • In reply to nicole.h.dodd.ctr:

    Hi Nicole.

    About updates, KB4056898 came out on January 3, and the fixed one KB4057401 came out on January 17. I do not ask for any rollback.

    About the error. I did not understand, when you create test app, why you need to run "as a different user" if you're already logged under this USAR_Intrustagent? I assume that you're logged under this account and do everything under it and no other accounts are involved. Please clarify.

    You said that on the same machine there is InTrust Manager, right? I would like to know exactly which Dell/Quest apps you have on this machine with exact versions. Is there a chance that you have different versions mixed-up or all of them are 11.3.0.1464? And since you had an upgrade, the installation folder is still Dell, is this correct? Well, the thread is growing, maybe it's better to raise the support case and have a webex...
  • In reply to Igor.Ilyin:

    Igor:

    Hello.

    The latest roll up that we currently have installed on our machines is KB4074594 which is the February roll up.

    When I created the test app, I just ran the MMC and created it with the USAR_Intrustagent. It created successfully. I didn't run anything as different user.

    I ran IE as different user on the server as run as admin wasn't available to try to create a profile and the error that I sent was what I got. (access denied)

    Yes, Intrust Man is on the same machine as the monitoring console. Please see attached versions as well as the folders under C:\Program Files(x86)

     

    Please let me know if you have any questions.

    Thanks,

    Nicole

  • In reply to nicole.h.dodd.ctr:

    Hi Nicole.

    To make "run as admin" available run IE and pin it to taskbar, after that Shift+Right click on the pinned icon.
    I will ask for couple more things. First, could you please go to the installation folder of MonConsole (or the whole folder with all InTrust components) and explicitely add Modify permission with propagation to all subfolders and files for the account you are using to create the profile.
    And second, how about trying to install and use Mon Console on another machine? Will the behavior be the same? If none of the above is OK then please open the support case. Thank you.