This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Missing Permissions to create default profile for IT Monitoring Console

I have read all the permissions needed to create the default profile for IT Monitoring Console. The application is installed however, the default profile isn't showing. I am curious to know if I am missing some permissions somewhere as when I try to actually create a profile I receive a COM+ application error and states I cannot create the profile, access denied. If someone would be so gracious to help me out on what I am potentially missing as far as permissions go, that would be awesome.

 

Any feedback would be great!

 

Thanks,

Nicole

  • Hi Nicole,

    Can you share the exact "access denied" error? There are a few different ones so important we know which one you see there just in case.

    Most common issue is with UAC. Please try the following:

    1. Right-click Internet Explorer and select "Run as Administrator"
    2. Enter the path of the Monitoring Console: http://<intrust_server>/ITMonitoring/Administration/
    3. Create the Alert Profile

    Regards,
    Chris

  • Chris:

    Good Morning! Attached is the error that I am receiving when trying to create a profile. There should also be a default profile as there are alerts already set up that you can view in the Repo Viewer. That default profile was not automatically created as I don't know what permissions could be missing or if UAC could of cause that issue. I did run IE as administrator and still received the same error. Please advise.

     

    Thanks,

    Nicole

  • Hi Nicole,

    Were you able to create the profile?

    Please review this SysReq section about the rights needed to create the profile:

    1. Administrator role for COM+ System Application: To check if you have the Administrator role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node. Local Administrators group is there by default, so if you are the member of local Administrators, it should work.
    2. Membership in the "InTrust Alerting Admins" local group. Add yourself manually into this group.
    3. If you are trying to create a profile locally on the computer where Mon Console is installed, and User Account Control is turned on, to open the Monitoring Console Administration page, Internet Explorer must be started using the Run as administrator command (from the Windows main menu, right-click and "run as administrator").
  • Igor:

    I was not able to create the profile. Please see comments on the following:

     1.  Administrator role for COM+ System Application: The account that I am using is the account that was created for all Intrust installation. It has admin rights for anything related to Intrust. It is a part of the security group that has been added to the COM+ application roles as well as adding it directly.

       2. Membership in the "InTrust Alerting Admins" local group: The user account has been added to this group directly.

       3. If you are trying to create a profile locally on the computer where Mon Console is installed, and User Account Control is turned on, to open the Monitoring Console Administration page, Internet Explorer must be started using the Run as administrator command (from the Windows main menu, right-click and "run as administrator"): Our environment is locked down and I am not allowed to use IE on the server itself. I was trying to create a profile from my workstation and received the error. SIDE NOTE: During the installation of the monitoring console there should be a default profile created. That profile is NOT being created as well as not being able to create one after the fact. Is there something that I am missing during the installation of the monitoring console that is NOT allowing the default profile to be created?

    Please see attached screen shots of the account and groups.

     

    Thanks,

    Nicole

  • I was able to get this COM+ access denied error only if I was not a member of COM+ Administrator role. But you say this USAR_InTrustAgent is. Maybe COM+ configuration is not fresh? Try to restart COM+ System Application on the host with MonConsole, via services snapin or via command line "net stop comsysapp"/"net start comsysapp" and then create profile again. Also please provide the list of COM+ Applications from Component Services | Computers | My Computer | COM+ Applications node. Are there any Dell/Quest apps?
  • Igor:

    Attached is the screen shot of the COM+ Applications node. As for the COM+ Application service, it was restarted and the same users are in the administrator role for System Application. Please advise.

     

    Thanks,

    Nicole

  • Also,

    Can you tell me how IIS should be set up for authentication for the monitoring console as well or direct me to documentation on where to find the configuration/

    Thanks,
    Nicole
  • Thank you Nicole,

    The authentication required by Mon Console is Windows Authentication.

    Some additional questions.

    1. I see the Dell Alerting Profile there. When it was created and did you use it successfully before? If yes, what happened in between? Did you upgrade?
    2. Is Mon Console installed together with InTrust Server or on separate machine?
    3. Is this USAR_InTrustAgent account a member of local Administrators group? Domain Admins Group?
    4. Is this USAR_InTrustAgent account also used as InTrust Server services account?
    5. What is your policy with MS updates and in particular do you have installed updates mentioned here:

    support.quest.com/.../real-time-collections-not-working-after-installing-kb4056890-windows-server-2016-kb4056898-windows-server-2012-r2-or-kb4056899-windows-2012-

    Thanks.

  • Igor:

    1.  I see the Dell Alerting Profile there. When it was created and did you use it successfully before? If yes, what happened in between? Did you upgrade? The default profile was there before and working as normal. I upgraded from 11.0 to 11.1 to 11.3.

    2.   Is Mon Console installed together with InTrust Server or on separate machine? Mon console is installed on the same server as Intrust Man, however I do have Intrust Man installed on more than 1 of the Intrust servers (if that even matters)

    3. Is this USAR_InTrustAgent account a member of local Administrators group? Domain Admins Group? USAR_IntrustAgent is a member of the local admin group and is an enterprise admin. It is not a domain admin.

    4. Is this USAR_InTrustAgent account also used as InTrust Server services account? USAR_IntrustAgent is used for the service account as well as everything else for Intrust.

    5.    What is your policy with MS updates and in particular do you have installed updates mentioned here: Our policy is based on Critical monthly patches. We have an organization that determines what patches are to be applied to our systems. KB4056898 (Windows Server 2012 R2) was installed on 2/23/2018. We were experiencing this issue before that patch was installed.

    Please advise. I greatly appreciate all feedback thus far.

    Thanks,

    Nicole

  • Hi Nicole.

    Thank you.
    When I mentioned the updates I meant this KB4056898 was harmful to some functionality in our product, so we recommend to install KB4057401on top asap.
    Let's continue: you logon with this USAR_IntrustAgent user on some desktop machine and you're using a browser to connect to the server where InTrust Monitoring Console is installed, is this right? You said "you're not allowed to use IE on the server itself". Is it possible to ask you or admins to create the empty COM+ application on this Server for testing purposes? Like this: logon under USAR_IntrustAgent account on the Server where Mon Console is installed, run Component Services | Computers | My Computer | COM+ Applications, right click, New -> Application -> "Create an empty application", and then finish the wizard with default settings? If the result is success, then account has enough rights indeed.