This blog provides information about running SAP applications on the Microsoft platform. The blog is written by people who have been working with SAP on the Microsoft platform for decades.
Bug fix in the PS script: an issue showed up when using the script on a Windows 2012 server. The script failed to remove an entry from the two local user groups due to case sensitivity regarding the VM name.
At the beginning of the year I published a blog post which describes what to do to enable SAP "Enhanced Monitoring" without the need to give admin permissions to virtual machines :
In addition, the whole topic is described in SAP note 1409604.
The blog mentioned above describes all the steps which are necessary to enable SAP "enhanced monitoring". But it is a lot of "clicking", which also carries the risk of making mistakes. And admins who like to automate things won't be happy about the process no matter how well it is described.
I put together a little PowerShell script which does all the necessary security settings to enable SAP "enhanced monitoring". It handles all necessary security entries on the Hyper-V host in the three areas which are required :
1. local "Performance Monitor Users" group as well as the "Distributed COM Users" group
2. WMI Control security
3. Authorization Manager ( azman.msc )
The script attached is not an official Microsoft product. There is no support. Take it as it is. Focus was NOT on programming style or performance. The main goal was to make it robust and hopefully easy to use. Another goal was to avoid loading additional modules - just basic PowerShell if possible.

It was tested by a colleague from SAP development as well as a few first customers. Keep in mind that in case of a Hyper-V cluster the script has to be started on every node on which an SAP VM might wake up. This means that on an 8-node Hyper-V cluster one has to run the script eight times.

In case someone finds a critical bug or has suggestions on how to further improve the script - let me know. While there is no official Microsoft support, I am still open to making some changes.

To use the script just download the attached text file, rename it as you like and change the extension to .ps1

The following section describes how to use the PowerShell script :
Figure 1 : SAP enhanced monitoring on Hyper-V won’t work out-of-the-box. A simple way to check is to call transaction ST06 and select “Expert View”. The line of “CPU Virtualization Host” will not show any details
Figure 2 : clicking on “Processor” in the “CPU Virtualization Host” line as seen on Figure 1 will very likely cause an error
Figure 3 : once the permissions for the VM ( out of which SAP Enhanced Monitoring will be used ) are set correctly on the Hyper-V host ST06 will show the details about the host CPUs
Figure 4 : just type in the PowerShell script name and press RETURN. An error will be reported and the correct syntax will be shown
Figure 5 : the easiest usage is adding the corresponding permissions for a specific virtual machine. Use the option “add” and specify the domain and the name of the virtual machine. The script will display messages about what it did. As long as there are no errors everything will be ok
Figure 6 : adding a VM name for the very first time will automatically add an SAP-specific role definition to the azman store. If one adds another VM, this role definition already exists and the script will report in the form of “Information” messages that certain objects already exist.
Figure 7 : use option “remove” to remove the permissions again
Figure 8 : to make life easier when working with many VMs one can create a global security group on the domain controller
Figure 9 : once the global security group is created add the virtual machines in which SAP Enhanced Monitoring should be used
Figure 10 : by using the option “-adgrp” it’s possible to use a global AD group as described above instead of a single VM name
Figure 11 : when removing a specific VM name or an AD group the script will keep the SAP-specific role definition in the azman store. Use the separate option “remove_azman_role” to get rid of it. In case the script finds existing members it will ask if the role definition should really be deleted, as all member entries will be gone
Figure 12 : if one repeats an “add” operation the script will just report “Information” messages as everything exists already
Figure 13 : the same is valid for operation “remove”. Repeating the same remove call again will result in Information messages reporting that the entries don’t exist anymore
Figure 14 : as described in SAP note 1409604 there was an “easy” way to enable enhanced monitoring in the past by simply giving a VM admin permissions. In case there are entries using this old method the script is able to assist in migrating these entries. It will provide a list of entries which are very likely candidates for SAP enhanced monitoring. The user is then allowed to pick the ones which should be migrated
Figure 15 : to be on the safe side the script will again show the selected list of entries which should be migrated
Figure 16 : finally the script will migrate the entries which the user selected. These entries will be removed from the administrators group and all the appropriate entries as described above will be done. It works exactly the same way with all the Information messages in case the entries should already exist
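
As an added example (not part of the attached script and not Microsoft or SAP code), the following read-only check reports, for one VM, whether the local-group part of the target state is reached on a Hyper-V host: member of "Performance Monitor Users" and "Distributed COM Users", and no longer in the local Administrators group. It assumes the VM is authorized through its domain computer account DOMAIN\VMNAME$ with the NetBIOS domain name; the function names and the sample data are made up for the illustration, and WMI Control security and the azman store are not checked.

```powershell
# Added example: read-only audit, not part of the attached script.
# Assumption: the VM is authorized via its computer account DOMAIN\VMNAME$
# (DOMAIN = NetBIOS domain name, as returned by the WinNT provider).

function Get-LocalGroupMemberPath {
    param([string]$ComputerName, [string]$GroupName)
    # WinNT ADSI provider: plain PowerShell, no additional modules needed.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # ADsPath of a domain computer account looks like WinNT://DOMAIN/VMNAME$
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-SapMonitoringGroups {
    param([string]$Domain, [string]$VMName, [hashtable]$Membership)
    $wanted = 'WinNT://{0}/{1}$' -f $Domain, $VMName
    $result = [ordered]@{ VM = "$Domain\$VMName" }
    foreach ($g in 'Administrators', 'Performance Monitor Users', 'Distributed COM Users') {
        $hit = $false
        foreach ($m in @($Membership[$g])) {
            # Explicit case-insensitive match: account names are not case sensitive.
            if ([string]::Equals($m, $wanted, [StringComparison]::OrdinalIgnoreCase)) { $hit = $true }
        }
        $result[$g] = $hit
    }
    # Target state: in both monitoring groups and no longer a local administrator.
    $result['LeastPrivilege'] = (-not $result['Administrators']) -and
        $result['Performance Monitor Users'] -and $result['Distributed COM Users']
    [pscustomobject]$result
}

# Constructed sample (not from a real host): the VM is still in Administrators
# and is stored with different casing than the name passed on the command line.
$sample = @{
    'Administrators'            = @('WinNT://CONTOSO/SAPVM01$', 'WinNT://CONTOSO/Domain Admins')
    'Performance Monitor Users' = @('WinNT://CONTOSO/SapVm01$')
    'Distributed COM Users'     = @()
}
Test-SapMonitoringGroups -Domain 'contoso' -VMName 'sapvm01' -Membership $sample

# Live check on the local Hyper-V host; on a cluster, repeat for every node.
$live = @{}
foreach ($g in 'Administrators', 'Performance Monitor Users', 'Distributed COM Users') {
    $live[$g] = @(Get-LocalGroupMemberPath -ComputerName $env:COMPUTERNAME -GroupName $g)
}
Test-SapMonitoringGroups -Domain 'CONTOSO' -VMName 'sapvm01' -Membership $live
```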