
Passing Run As credentials to a monitoring script with the PowerShell Community Management Pack

Graham Davies

Technical Product Manager – SCOM products

A question recently came up on a SCOM forum about how to pass an API key, stored as a Run As Account credential, to a PowerShell script.

I'd always suggest Visual Studio / Visual Studio Authoring extensions as the way to go: it enables the creation of appropriate classes and discoveries as well as a sealed management pack to prevent anyone tampering with the code. However, this approach has a very steep learning curve.

Another option is to use the PowerShell Community Management Pack, available from here.

Let's go

The blog aims to show how to get the information into your script so I won't go into the details of using the API key in a query. Instead, I'll just retrieve the API key (Run As account credentials) and output the API Key to the Operations Manager event log and an alert description. This isn't something you'd want to do in practice. But what I'll describe will be sufficient to verify that the correct API Key is being returned.

Create the Run As profile

In the SCOM console, in Administration > Run As Configuration > Profiles, create a Run As Profile in a Management Pack that you want to use for monitoring.

We haven't created the Run As Account yet so after the above window, click Next and then Create (don't associate the Run As Profile with a Run As Account yet).

Export the Management Pack

We need the ID of the Run As Profile created above, so export the Management Pack and look at the XML. Find the line and copy it, as we’ll use this as an input parameter to our script later.

RunAsProfile_GUID, e.g. RunAsProfile_aa5e1d588c994dcdb77395d954b3f40d

Create the monitor

In the SCOM Console, on the Authoring tab, go to Authoring > Management Pack Objects > Monitors and create a new Unit Monitor.

Then drill down to find Scripting > PowerShell Based > PowerShell Script Two State Monitor (Community).

Make sure the destination management pack is the same management pack that we created the Run As profile in.

Give the script a name and target it at the correct class. I have chosen Windows Server 2016 and above operating system but ideally we would have a more specific class to target the script against (an advantage of using Visual Studio).

I have created the monitor disabled and will enable it later for a specific instance of Windows Server 2016 and above operating system.

For testing, I have set the schedule to every minute but remember to set this more appropriately for a Production environment.

Then we have our script. The script will:

As I mentioned at the beginning of the blog, the aim is to show how to get the API Key into the PowerShell script. After that, it is up to you what you do with it.

# Any Arguments specified will be sent to the script as a single string.
# If you need to send multiple values, delimit them with a space, semicolon or other separator and then use split.
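param([string]$Arguments)
# Label written to the event log entry by LogScriptEvent below (placeholder; use your own script's name).
$ScriptName = "RunAsApiKeyDemo.ps1"
$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()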
# Example of use below, in this case return the length of the string passed in and we'll set health state based on that.
# Since the health state comparison is string based in this template we'll need to create a state value and return it.
# Ensure you return a unique value per health state (e.g. a service status), or a unique combination of values.
$PropertyBag.AddValue("MessageText",$Arguments)
$PropertyBag.AddValue("Length",$Arguments.length)   
if($Arguments.length -gt 4) {
  $PropertyBag.AddValue("State","OverThreshold")
}
else
{
  $PropertyBag.AddValue("State","UnderThreshold")
}
$ScomAPI.LogScriptEvent($ScriptName,1235,0,"`nScript parameters passed into datasource is the API Key. `nAPIKey: ($Arguments)")
$PropertyBag.AddValue("MyAPIKey",$Arguments)
# Send output to SCOM
$PropertyBag

On the script window, click on Parameters and enter the Run As profile that you created in the first step. For me, it would be as follows:

$RunAs[Name="RunAsProfile_aa5e1d588c994dcdb77395d954b3f40d"]/Password$

For the Unhealthy Expression:

For the Healthy Expression:

For the Health:

For the alert:

The API Key is $Data/Context/Property[@Name='MyAPIKey']$

Create Run As account and distribute to the targets.

If you've got this far, then I'm going to assume that you know how to create a Run As account, associate it with a Run As Profile and distribute it to the target servers, but I'll add some screenshots for completeness.

Run As Account - General Properties
Run As Account credentials
Run As Account - distribution

Enable the monitor for the target servers.

Don't forget that we created the monitor disabled so head back into the SCOM console and set an override to enable the monitor for the target servers.

The result

The credentials that I entered into the Run As Account are in the SCOM alert:

And also in the Operations Manager event log:

Please don't go around displaying your API keys in this manner! But you should now be able to pass Run As Account credentials into a PowerShell monitor in SCOM using the PowerShell Community Management Pack.
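
An added example, not part of the original post: a variant of the monitor script that confirms the Run As value reached the script without writing the key itself to the event log or the alert. It reports the length and a truncated SHA-256 fingerprint instead; the script name and the KeyFingerprint property are hypothetical names chosen here, and the state values are the ones used in the script above.

```powershell
# Added example: verify that the Run As value arrived, without exposing it.
param([string]$Arguments)

$ScriptName  = "RunAsApiKeyCheck.ps1"   # hypothetical label for the event log entry
$ScomAPI     = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

function Get-SecretFingerprint {
    param([string]$Secret)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
        $hash  = $sha.ComputeHash($bytes)
    }
    finally {
        $sha.Dispose()
    }
    # First 8 bytes (16 hex characters) are enough to compare by eye.
    return ([System.BitConverter]::ToString($hash, 0, 8) -replace '-', '').ToLower()
}

if ([string]::IsNullOrWhiteSpace($Arguments)) {
    # Nothing was substituted for the $RunAs[...]$ parameter: raise a warning (severity 2).
    $PropertyBag.AddValue("Length", 0)
    $PropertyBag.AddValue("KeyFingerprint", "none")
    $PropertyBag.AddValue("State", "UnderThreshold")
    $ScomAPI.LogScriptEvent($ScriptName, 1235, 2, "No Run As value was passed to the script.")
}
else {
    $fingerprint = Get-SecretFingerprint -Secret $Arguments
    $PropertyBag.AddValue("Length", $Arguments.Length)
    $PropertyBag.AddValue("KeyFingerprint", $fingerprint)
    # Same length-based state logic as the script in the post.
    if ($Arguments.Length -gt 4) {
        $PropertyBag.AddValue("State", "OverThreshold")
    }
    else {
        $PropertyBag.AddValue("State", "UnderThreshold")
    }
    $ScomAPI.LogScriptEvent($ScriptName, 1235, 0,
        "Run As value received. Length: $($Arguments.Length). SHA-256 prefix: $fingerprint")
}

# Send output to SCOM
$PropertyBag
```

To check the result, compute the same fingerprint from the known key on an administrative workstation and compare it with the value in the event. The alert description would then reference `$Data/Context/Property[@Name='KeyFingerprint']$` rather than the key.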
