Scom suppress alert emails if closed < 5 min

[npwiley]

I am new to the board and came across the How To Article: [HOW TO] Make SCOM suppress alert emails if closed < 5 min. This is exactly what I need! However, I am not able to get it to work. My alerts are not being marked with the custom 10 attribute. I copied the PS1 directly from the post and here is the command I run: "E:\Scripts\MarkAlerts.ps1" '$Data/Context/DataItem/AlertId$' Sorry I would contact Sergey.G directly, but being new it will not allow it. I am curious if there is anywhere that an error may be logged that would help me trace down the problem.

I was also unable to add on to the how to post to ask this question so I had to create a new post.

Thanks!
Nick

[sergey.g]

Hi Nick,

No problem - you can ask questions just like that

Could you uncomment the logging section of the script and check if log file is being created? And if it doesn - provide us with the content.

Thanks

[npwiley]

Thanks for the quick reply! I should have thought to do that first I uncommented it and triggered an alert then closed, the log file populated with the following 16-10-29 07:37:35 {19edb998-5d66-4551-944c-c772d21d084f} Thank for the help!

[sergey.g]

Hi,

OK, this means that everything is configured correctly in terms of subsciptions settings. Could you try to run the following:

Code: Select all

get-scomalert | ?{$_.Id -like '19edb998-5d66-4551-944c-c772d21d084f'} | select Resolutionstate, @{n='test';e={(($_.TimeResolved-$_.TimeRaised) -gt '00:05:00')}}, TimeRaised, TimeResolved, CustomField10, Id | sort-object TimeRaised

Need to check if CustomField is there or not, if not this could be an issue of command action account not beeing able to modify alert fields

Thanks.

[npwiley]

Below is what was returned. I currently have LocalSystem set for the Local System Action account. Do I need to change that to make it work? Thanks! Nick

ResolutionState : 255
test : True
TimeRaised : 10/28/2016 8:20:10 PM
TimeResolved : 10/28/2016 8:37:05 PM
CustomField10 :
Id : 19edb998-5d66-4551-944c-c772d21d084f

[sergey.g]

Hi Nick,

Local system may not have the right to modify alerts, so I would try to change it. You can change it by specifying acccount in the notification runas profile, so that action account can be left intact.

Also check that your subscriber that is specified in the command scubscription (the one that is executing the script) has an address specified for the command channel (sometimes this could be the root cause, I might need to add it to the howto text)

[npwiley]

Looking at https://technet.microsoft.com/en-us/lib ... c.12).aspx it looks like even if a runas account is set for the notification action account, the Local System is always used. So this would lead me to believe I need to modify the rights of alerts and add Local System in. Do you know would that be done on DB level or in SCOM?

Yes I did dig into the subscription and made sure command channel was set.

[sergey.g]

Hi,

Thanks a lot for some detailed researh there, I appreciate it

Well, BUILTIN\Administrators are already in the SCOM administrators, but it allows you to add only domains accounts there. I'm not sure if it means we need to add domain\computername$ account into SCOM admins, I remember the howto solution working just like it's written, so I wonder which part doesn't work for you.

Could you try to analyze Operations Manger logs for possible clues about which permission is being used?

I guess we can modify a script to execute SCOM commands under different account, so we'll figure out a solution for you anyway, don't worry

Thanks.

[npwiley]

The SCOM environment that I was trying to get this running on was not setup by me, so I decided to try getting it setup in the environment I built. Low and behold it worked. Interesting note, once the script is run actually said the alerts were last modified by my Action Account, even though I do not have a account set for My Notification Account profile. When looking at the security log on the environment that was not working, I saw failures related to token elevation. This may or may not be the issue. One of the standout difference between the servers is that UAC is turned off on the working server. This could very likely be the culprit I would think. With you previous setups have you been able to get this to run with UAC?

[sergey.g]

Hi Nick,

We never tested specifically for UAC-enabled scenario, so it could be the root cause. Regarding account - that was my experience too - I saw default action account making changes to the alerts, so maybe we can just add this default action to the SCOM admins?

Thanks.

[npwiley]

Sergey,

Thanks for all the help. I might try adding the action account to scom admins and see if that works. My gut tells me it's UAC that is blocking it. Now that I have it working on my other environment though, I am pretty happy! Appreciate all of yout help! I will let you know when I get around to do some testing.

Thanks!
Nick