Thursday, April 25, 2024

Connect to SCOM from PowerShell using the SDK

 The SDK binaries are stored in the following folder on the SCOM MS

C:\Program Files\Microsoft System Center\Operations Manager\Server\SDK Binaries

Copy the three DLL files to your script folder.

Sample script:


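# Folder holding the three DLLs copied from "SDK Binaries"
$scriptdir = "C:\Scripts"
# Load the SDK assemblies before creating any SDK objects
Add-Type -Path "$scriptdir\Microsoft.EnterpriseManagement.Core.dll"
Add-Type -Path "$scriptdir\Microsoft.EnterpriseManagement.OperationsManager.dll"
Add-Type -Path "$scriptdir\Microsoft.EnterpriseManagement.Runtime.dll"

$rms = ""   # management server to connect to
# Split the account into the separate Domain and UserName values the settings object expects
$UserDomain, $UserName = "domain\username" -split '\\', 2
# Renamed from $pwd, which is PowerShell's automatic current-location variable.
# Placeholder only; avoid storing a real password in the script.
$plainPassword = "password"

$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
$MGConnSetting = New-Object Microsoft.EnterpriseManagement.ManagementGroupConnectionSettings($rms)
$MGConnSetting.UserName = $UserName
$MGConnSetting.Domain = $UserDomain
$MGConnSetting.Password = $securePassword
$MG = New-Object Microsoft.EnterpriseManagement.ManagementGroup($MGConnSetting)
# Use "continue" instead of "return" when this runs inside a loop over several servers
if (!$MG) { Write-Host "Cannot work on $rms" -ForegroundColor Yellow; return }
Write-Host "The Management group is " -NoNewline; Write-Host "$MG" -ForegroundColor Yellow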



If you don't use the Microsoft.EnterpriseManagement.Runtime.dll binary, you will get this error:

New-Object : Exception calling ".ctor" with "1" argument(s): "The service type 'Microsoft.EnterpriseManagement.Runtime.ITaskRuntimeService, Microsoft.EnterpriseManagement.Runtime, Culture="", PublicKeyToken=31bf3856ad364e35,
Version=7.0.5000.0' for the component named 'TaskService' cannot be found."
At line:1 char:1
+ New-Object Microsoft.EnterpriseManagement.ManagementGroup($MGConnSett ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
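
A variant of the sample script that prompts for the credential instead of embedding the password, and checks each copied DLL before loading it. This is an added example, not code from the original post. The Core and OperationsManager DLL names are not stated in the post, the server name is a placeholder, and the Authenticode check assumes the SDK binaries carry a valid signature.

```powershell
# $scriptdir follows the sample script; the server name is a placeholder.
$scriptdir = 'C:\Scripts'
$rms       = '<management-server-fqdn>'

$sdkDlls = 'Microsoft.EnterpriseManagement.Core.dll',
           'Microsoft.EnterpriseManagement.OperationsManager.dll',
           'Microsoft.EnterpriseManagement.Runtime.dll'

foreach ($dll in $sdkDlls) {
    $path = Join-Path $scriptdir $dll
    # A missing Runtime.dll otherwise surfaces later as the 'TaskService' constructor error.
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Missing SDK binary: $path"
    }
    # Assumption: the SDK binaries are Authenticode-signed. A copy that was
    # altered after being taken from the management server fails this check.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to load $path (signature status: $($sig.Status))"
    }
    Add-Type -Path $path
}

# Prompt for the account (DOMAIN\username) so no password is stored in the script.
$cred = Get-Credential -Message "Account with access to $rms (DOMAIN\username)"
$net  = $cred.GetNetworkCredential()   # splits DOMAIN\username into Domain and UserName

$settings = New-Object Microsoft.EnterpriseManagement.ManagementGroupConnectionSettings($rms)
$settings.UserName = $net.UserName
$settings.Domain   = $net.Domain
$settings.Password = $cred.Password    # already a SecureString, never converted to plain text

try {
    $MG = New-Object Microsoft.EnterpriseManagement.ManagementGroup($settings)
    Write-Host "Connected to management group $($MG.Name)"
}
catch {
    Write-Warning "Cannot connect to ${rms}: $($_.Exception.Message)"
}
```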


Friday, March 22, 2024

PowerShell Export-Csv for a PSCustomObject that has a list of strings as a property

Example PowerShell custom object:

$myObject = [PSCustomObject]@{
    Name     = 'Parag'
    Language = 'PowerShell'
    State    = 'Washington'
}

To export this object to CSV we can use:

$myobject | Export-csv -path c:\temp\temp.csv -NoClobber -NoTypeInformation

The file will show up like this



But if a property of the object is a list, i.e. I know more than one language, then the file shows up as



 That is because the command treats the property as an array. You can see the same behavior when you export an array.

To export this data properly we can do this.

$myobject | Select-Object Name,@{n='Language';e={$_.Language -join ' ' }},State | Export-Csv -Path c:\temp\temp.csv -NoTypeInformation

Now in the file we will see



Parag,Powershell JavaScript,Washington
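
The same fix generalized beyond the single Language property, as an added example that is not part of the original post: it joins every collection-valued property of an object so none of them is written to the CSV as its type name (System.Object[]). The function name ConvertTo-FlatObject and its Delimiter parameter are hypothetical names chosen for this example.

```powershell
function ConvertTo-FlatObject {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        [string] $Delimiter = ' '
    )
    process {
        $flat = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            # Strings are enumerable too, so exclude them explicitly.
            if ($v -is [System.Collections.IEnumerable] -and $v -isnot [string]) {
                $flat[$p.Name] = @($v) -join $Delimiter
            }
            else {
                $flat[$p.Name] = $v
            }
        }
        # Casting the ordered dictionary keeps the original column order.
        [PSCustomObject]$flat
    }
}

# Constructed sample: the object from the post with two languages.
$myObject = [PSCustomObject]@{
    Name     = 'Parag'
    Language = 'PowerShell', 'JavaScript'
    State    = 'Washington'
}

# Unflattened: the Language column is rendered as the array's type name.
$myObject | ConvertTo-Csv -NoTypeInformation

# Flattened: the Language column holds both values joined by the delimiter.
$myObject | ConvertTo-FlatObject | ConvertTo-Csv -NoTypeInformation
```

Replace ConvertTo-Csv with Export-Csv -Path to write the file instead of printing the rows.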

Thursday, July 20, 2023

New-SCOMManagementGroupConnection failing due to insufficient permissions

Error: could not connect to a SCOM zone in another domain using credentials of the same domain, even though a bidirectional trust was present.

This happens if the SDK service is running under the Local System account.


Error during the PowerShell connection to the SCOM zone:


PS C:\> New-SCOMManagementGroupConnection -ComputerName
New-SCOMManagementGroupConnection : The user does not have sufficient permission to perform the operation.
At line:1 char:1
+ New-SCOMManagementGroupConnection -ComputerName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Syste...nnectionCommand:NewSCManagementGroupConnectionComma
   nd) [New-SCManagementGroupConnection], UnauthorizedAccessEnterpriseManagementException
    + FullyQualifiedErrorId : ExecutionError,Microsoft.SystemCenter.Core.Commands.NewSCManagementGroupConnectionComman


Event ID 4 was generated in the System log:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SCOMMG2$. The target name used was MSOMSdkSvc/ This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (CONSOSO.COM) is different from the client domain (CONTOSO.AL.GOV), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Verified that the ID had permissions to the SCOM zone.

The SCOM SDK service was running under the Local System account, and the SPN for the SDK service was not registered in AD. Verified with setspn -L SCOMMG2.

Event ID 26371 was generated in the Operations Manager log:


Date and Time: 7/15/2023 1:15:28 AM

Log Name: Operations Manager

Source: OpsMgr SDK Service

Event Number: 26371

Logging Computer:


The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/SCOMMG1 and MSOMSdkSvc/ to the servicePrincipalName of CN=SCOMMG1,OU=Server Accounts,OU=Prod,OU=Contoso Servers,DC=-Contoso,DC=COM

Event Data:

<DataItem type="System.XmlData" time="2023-07-15T01:15:28.0000000-05:00" sourceHealthServiceId="2765519A-33B2-441C-F345-0FF0CEB2E109">
  <EventData>
    <Data>SCOMMG1</Data>
    <Data></Data>
    <Data>CN=SCOMMG1,OU=Server Accounts,OU=Prod,OU=Contoso Servers,DC=-Contoso,DC=COM</Data>
  </EventData>
</DataItem>


· Open ADSI Edit. Find the server object, open its properties, and grant SELF read/write access on the Security tab.

· Registered the SPN for the SDK service for all management server computer accounts using:

Setspn.exe -S MSOMSdkSvc/SCOMMG1 SCOMMG1

Setspn.exe -S MSOMSdkSvc/SCOMMG2 SCOMMG2


The connection was then successful in PowerShell.
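
An offline check for the condition this post ran into, as an added example that is not part of the original post: given the SPNs held by each account, it reports MSOMSdkSvc SPNs that are missing or registered on an account other than the one the SDK service runs as. The sample data, the DNS suffix contoso.example, the svc-old account and the function name Test-SdkSpn are constructed for illustration.

```powershell
# Constructed sample data: account -> SPNs, as collected with "setspn -L <account>".
$spnByAccount = @{
    'SCOMMG1' = 'HOST/SCOMMG1', 'MSOMSdkSvc/SCOMMG1', 'MSOMSdkSvc/SCOMMG1.contoso.example'
    'SCOMMG2' = 'HOST/SCOMMG2', 'HOST/SCOMMG2.contoso.example'
    'svc-old' = @('MSOMSdkSvc/SCOMMG2')   # registration left on another account
}

function Test-SdkSpn {
    param(
        [Parameter(Mandatory)] [hashtable] $SpnByAccount,
        [Parameter(Mandatory)] [string[]]  $ManagementServer,
        [Parameter(Mandatory)] [string]    $DnsSuffix,
        [string] $ServiceAccount   # leave empty when the SDK service runs as Local System
    )
    foreach ($server in $ManagementServer) {
        # Local System authenticates as the computer account, so the SPN must sit there.
        $owner = if ($ServiceAccount) { $ServiceAccount } else { $server }
        foreach ($spn in "MSOMSdkSvc/$server", "MSOMSdkSvc/${server}.${DnsSuffix}") {
            # -contains compares strings case-insensitively.
            $holders = @($SpnByAccount.Keys | Where-Object { $SpnByAccount[$_] -contains $spn })
            $status = if ($holders.Count -eq 0) { 'Missing' }
                elseif ($holders.Count -gt 1)   { 'Duplicate' }
                elseif ($holders[0] -ne $owner) { 'WrongAccount' }   # the KRB_AP_ERR_MODIFIED case
                else                            { 'OK' }
            [PSCustomObject]@{
                Server       = $server
                Spn          = $spn
                ExpectedOn   = $owner
                RegisteredOn = $holders -join ','
                Status       = $status
            }
        }
    }
}

# Show only the SPNs that need attention.
Test-SdkSpn -SpnByAccount $spnByAccount -ManagementServer 'SCOMMG1', 'SCOMMG2' -DnsSuffix 'contoso.example' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```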




Thursday, May 18, 2023

Powershell exceptions

To see more details about an exception thrown by a PowerShell command, enter the following after the command has finished:

$error[0].Exception | fl * -Force