Update Sep 27 2012

Bug fix in the PowerShell script. An issue showed up when using the script on a Windows 2012 server: the script failed to remove an entry from the two local user groups due to case sensitivity regarding the VM name.

 

Status Quo 

 

I published a blog post at the beginning of the year which describes what to do to enable SAP “Enhanced Monitoring” without the need to give admin permissions to virtual machines:

http://blogs.msdn.com/b/saponsqlserver/archive/2012/01/16/sap-enhanced-monitoring-on-hyper-v.aspx

In addition, the whole topic is described in SAP note 1409604.

 

Issue

 

The blog post mentioned above describes all the steps which are necessary to enable SAP "enhanced monitoring". But it involves a lot of "clicking", which carries the risk of making mistakes. And admins who like to automate things won't be happy about the process no matter how well it is described.

 

Solution

 


I put together a little PowerShell script which makes all the necessary security settings to enable SAP "enhanced monitoring". It handles all necessary security entries on the Hyper-V host in the three areas which are required:

1. local "Performance Monitor Users" group as well as the "Distributed COM Users" group

2. WMI Control security

3. Authorization Manager ( azman.msc )


The attached script is not an official Microsoft product. There is no support. Take it as it is. The focus was NOT on programming style or performance. The main goal was to make it robust and hopefully easy to use. Another goal was to avoid loading additional modules - just basic PowerShell if possible.
It was tested by a colleague from SAP development as well as a few first customers.

Keep in mind that in the case of a Hyper-V cluster the script has to be run on every node on which an SAP VM might wake up. This means that on an 8-node Hyper-V cluster one has to run the script eight times.

If someone finds a critical bug or has suggestions on how to further improve the script, let me know. While there is no official Microsoft support, I am still open to making some changes.

To use the script, just download the attached text file, rename it as you like and change the extension to .ps1.

 


Walkthrough

The following section describes how to use the PowerShell script:

Figure 1: SAP enhanced monitoring on Hyper-V won’t work out of the box. A simple way to check is to call transaction ST06 and select “Expert View”. The “CPU Virtualization Host” line will not show any details.


Figure 2: clicking on “Processor” in the “CPU Virtualization Host” line as seen in Figure 1 will very likely cause an error.

 

Figure 3: once the permissions for the VM (out of which SAP Enhanced Monitoring will be used) are set correctly on the Hyper-V host, ST06 will show the details about the host CPUs.

 

 

Figure 4: just type in the PowerShell script name and press RETURN. An error will be reported and the correct syntax will be shown.

 



Figure 5: the easiest usage is adding the corresponding permissions for a specific virtual machine. Use the option “add” and specify the domain and the name of the virtual machine. The script will display messages about what it did. As long as there are no errors, everything will be ok.

 

Figure 6: adding a VM name the very first time will automatically add an SAP-specific role definition to the azman store. If one adds another VM, this role definition already exists and the script will report in the form of “Information” messages that certain objects already exist.

 



Figure 7: use the option “remove” to remove the permissions again.

 

Figure 8: to make life easier when working with many VMs, one can create a global security group on the domain controller.

Figure 9: once the global security group is created, add the virtual machines in which SAP Enhanced Monitoring should be used.



Figure 10: by using the option “-adgrp” it’s possible to use a global AD group as described above instead of a single VM name.

 



Figure 11: when removing a specific VM name or an AD group, the script will keep the SAP-specific role definition in the azman store. Use the separate option “remove_azman_role” to get rid of it. In case the script finds existing members, it will ask whether the role definition should really be deleted, as all member entries will be gone.



Figure 12: if one repeats an “add” operation, the script will just report “Information” messages as everything exists already.



Figure 13: the same is valid for the operation “remove”. Repeating the same remove call will result in Information messages reporting that the entries don’t exist anymore.



Figure 14: as described in SAP note 1409604, there was an “easy” way to enable enhanced monitoring in the past by simply giving a VM admin permissions. In case there are entries using this old method, the script is able to assist in migrating these entries. It will provide a list of entries which are very likely candidates for SAP enhanced monitoring. The user is then allowed to pick the ones which should be migrated.




Figure 15: to be on the safe side, the script will show the selected list of entries which should be migrated once more.

 




Figure 16: finally the script will migrate the entries which the user selected. These entries will be removed from the administrators group and all the appropriate entries as described above will be made. It works exactly the same way, with all the Information messages in case the entries already exist.
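
To check the result on a Hyper-V host, the following read-only sketch reports whether a VM's computer account is in the two local groups from area 1 and whether it is still in the local administrators group (the old method from Figures 14 to 16). It is an added example, not part of the attached script; the function names and the CONTOSO / SAPVM01 values are made up for illustration, English group names are assumed, and WMI Control security and the azman store are not covered.

```powershell
# Added example, read-only: nothing on the host is changed.
# Assumptions: English group names; the VM's domain computer account is "<VM name>$".

function Get-LocalGroupMemberPath {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    # WinNT ADSI provider: available in basic PowerShell, no extra module needed
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Yields e.g. WinNT://CONTOSO/SAPVM01$ for a domain computer account
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-SapVmHostGroups {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # NetBIOS domain name
        [Parameter(Mandatory = $true)][string]$VmName    # VM computer name, without "$"
    )
    $wanted = "WinNT://$Domain/$VmName" + '$'
    foreach ($name in 'Performance Monitor Users', 'Distributed COM Users', 'Administrators') {
        $paths = @(Get-LocalGroupMemberPath -GroupName $name)
        # -ieq compares case-insensitively: SAPVM01$ and sapvm01$ are the same account
        $hit = @($paths | Where-Object { $_ -ieq $wanted })
        New-Object PSObject -Property @{ Group = $name; IsMember = ($hit.Count -gt 0) }
    }
}

function Get-AdminComputerAccounts {
    # Computer accounts in the local Administrators group: likely leftovers of the old method
    Get-LocalGroupMemberPath -GroupName 'Administrators' |
        Where-Object { $_ -like '*$' } |
        ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
}

# Constructed sample values; replace with a real domain and VM name.
Test-SapVmHostGroups -Domain 'CONTOSO' -VmName 'SAPVM01' |
    Format-Table Group, IsMember -AutoSize
Get-AdminComputerAccounts
```

After a successful “add” or migration, the VM should show as a member of the first two groups and not of Administrators. On a cluster, run the check on every node, as with the script itself.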