Page 1 of 1
Running scripts as an active directory domain account?
Posted: Tue Apr 23, 2013 8:54 pm
by douggnz
Hi all. We are implementing and testing Nagios and need to run some Exchange 2010 scripts, but the nagios service is using local system on the target machines. This works for CPU, memory, etc but local service has no rights to Exchange 2010 so Powershell commands do not work.
Is there a document detailing how to get Nagios to run script snipets as a domain user which can be assigned to an AD group for permissions to Exchange? Is it simply a case of setting the NSClient service to run as a domain user?
Re: Running scripts as an active directory domain account?
Posted: Wed Apr 24, 2013 11:38 am
by sreinhardt
Yes the easiest way to make nsclient, as technically nagios is not running the script, run as a different user is to run the service as a user with the applicable rights you need. The other option is to use powershell with alternative credentials, that can be stored in fairly secure files and imported into PS. The first option is by far easier and generally acceptable for most cases.
Re: Running scripts as an active directory domain account?
Posted: Sun Apr 28, 2013 11:18 pm
by douggnz
Thanks, I have been told by the guy looking after Nagios that running the service as a domain account does not work? Is there a configuration step within Nagios that needs to be done?
Re: Running scripts as an active directory domain account?
Posted: Mon Apr 29, 2013 10:36 am
by slansing
No, these are configuration steps that would have to be done to your liking on the windows server, Nagios does not control that end at all, it simply queries NSClient to run a script, NSClient is what controls the who, when and where. This may be something you would want to ask the developer of NSClient++ on their site, as if something did need to be modified to make this work it would have to be on their end:
http://www.nsclient.org/nscp/
Re: Running scripts as an active directory domain account?
Posted: Mon Apr 29, 2013 11:46 am
by yancy
douggnz,
Have you considered adding a "runas" to whatever script you're using?
for example:
http://blogs.technet.com/b/heyscripting ... tials.aspx
Regards,
-Yancy
Re: Running scripts as an active directory domain account?
Posted: Mon Apr 29, 2013 3:35 pm
by douggnz
So how do the majority of people run windows powershell scripts as a certain user? There must be a common method, or is storing the password in the script (be it a secure string or plain text) the only answer?
Re: Running scripts as an active directory domain account?
Posted: Mon Apr 29, 2013 3:46 pm
by yancy
douggnz,
The common syntax for running powershell with NSClient is something like this:
Code: Select all
test_script=cmd /c echo scripts\powershell.ps1 | powershell.exe -command -
I'm not sure what you're referring to in reference to running powershell scripts as a different user. Can you be more specific?
alternatively, it may also be possible to run the nsclientpp service AS a different user. Then all scripts run would simply inherit the user context. Just an idea though.
-Yancy