Hi all. We are implementing and testing Nagios and need to run some Exchange 2010 scripts, but the nagios service is using local system on the target machines. This works for CPU, memory, etc but local service has no rights to Exchange 2010 so Powershell commands do not work.
Is there a document detailing how to get Nagios to run script snipets as a domain user which can be assigned to an AD group for permissions to Exchange? Is it simply a case of setting the NSClient service to run as a domain user?
Running scripts as an active directory domain account?
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Running scripts as an active directory domain account?
Yes the easiest way to make nsclient, as technically nagios is not running the script, run as a different user is to run the service as a user with the applicable rights you need. The other option is to use powershell with alternative credentials, that can be stored in fairly secure files and imported into PS. The first option is by far easier and generally acceptable for most cases.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: Running scripts as an active directory domain account?
Thanks, I have been told by the guy looking after Nagios that running the service as a domain account does not work? Is there a configuration step within Nagios that needs to be done?
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Running scripts as an active directory domain account?
No, these are configuration steps that would have to be done to your liking on the windows server, Nagios does not control that end at all, it simply queries NSClient to run a script, NSClient is what controls the who, when and where. This may be something you would want to ask the developer of NSClient++ on their site, as if something did need to be modified to make this work it would have to be on their end:
http://www.nsclient.org/nscp/
http://www.nsclient.org/nscp/
Re: Running scripts as an active directory domain account?
douggnz,
Have you considered adding a "runas" to whatever script you're using?
for example:
http://blogs.technet.com/b/heyscripting ... tials.aspx
Regards,
-Yancy
Have you considered adding a "runas" to whatever script you're using?
for example:
http://blogs.technet.com/b/heyscripting ... tials.aspx
Regards,
-Yancy
Re: Running scripts as an active directory domain account?
So how do the majority of people run windows powershell scripts as a certain user? There must be a common method, or is storing the password in the script (be it a secure string or plain text) the only answer?
Re: Running scripts as an active directory domain account?
douggnz,
The common syntax for running powershell with NSClient is something like this:
I'm not sure what you're referring to in reference to running powershell scripts as a different user. Can you be more specific?
alternatively, it may also be possible to run the nsclientpp service AS a different user. Then all scripts run would simply inherit the user context. Just an idea though.
-Yancy
The common syntax for running powershell with NSClient is something like this:
Code: Select all
test_script=cmd /c echo scripts\powershell.ps1 | powershell.exe -command -alternatively, it may also be possible to run the nsclientpp service AS a different user. Then all scripts run would simply inherit the user context. Just an idea though.
-Yancy