Monday, May 31, 2010

SCOM: Get-UserRole Group Scope (PowerShell)

Recently I wanted to document all the User Roles from a specific Management Group with their Group Scope and Views. Because their is no UI to see this quickly, besides scrolling through a list of disabled and enabled groups, I created this script.

SCOM PowerShell script for listing a User Role with it's Group Scope.
It returns all non-system* User Roles with a (sorted) list of groups from the Group Scope.
Stay tuned because i'm working on the 'Views' part.

Get-UserRole | Sort-Object DisplayName | foreach {If($_.IsSystem -ne $true){Write-Host "--" $_.DisplayName "--";If($_.Scope.MonitoringClasses -ne $null){$_.Scope.MonitoringClasses | foreach {Get-MonitoringClass -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}}else{$_.Scope.MonitoringObjects | foreach {Get-MonitoringObject -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}}}}
For better readability:
Get-UserRole | Sort-Object DisplayName | foreach { 
  If($_.IsSystem -ne $true)
    Write-Host "--" $_.DisplayName "--"
    If($_.Scope.MonitoringClasses -ne $null){
      $_.Scope.MonitoringClasses | foreach {Get-MonitoringClass -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}
    } else {
      $_.Scope.MonitoringObjects | foreach {Get-MonitoringObject -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}
For SCOM 2012
#SCOM 2012
Get-SCOMUserRole | Sort-Object DisplayName | foreach { 
  If($_.IsSystem -ne $true)
    Write-Host "--" $_.DisplayName "--"
    If($_.Scope.Objects -ne $null){
      $_.Scope.Objects | foreach {Get-SCOMClass -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}
    If ($_.Scope.Classes -ne $null) {
      $_.Scope.Classes | foreach {Get-SCOMClass -Id $_ -Id $_} | Sort-Object DisplayName | foreach {Write-Host "  "$_.displayName}

* = These roles are specified as System Roles:
Operations Manager Administrators
Operations Manager Advanced Operators
Operations Manager Authors
Operations Manager Operators
Operations Manager Read-Only Operators
Operations Manager Report Security Administrators

For exporting and importing complete user roles, see

5 reacties:

OdgeUK said...

Can this be easily modified for the System Roles? I want to export all the Groups in the Groups Scope for each of my accounts under 'Operations Manager Operators'. This way I can easily see which SCOM groups each group can currently see.

Michiel Wouters said...

@OdgeUK. The System Roles are created during setup. Those User Roles are (globally) scoped to all groups and that can't be changed. You probably want to list all your User Roles with a 'Operators' profile and a custom scope.

You could filter that at the beginning of the script. I don't have a 2007 environment at my disposal so I only know that this works with the code below for 2012:

Get-SCOMUserrole | Where { $_.ProfileDisplayName -eq "Operator"} | ....

To see what your options are with 2007:
Get-UserRole | ? { $_.DisplayName -match "YourUserRoleDisplayName" } | gm

OdgeUK said...

Thanks for the reply! Yes, I'm looking to export all Custom User Roles (in my case, those created under 'Operators'), and return the Group Scope (which is custom for all of these). Views would be nice too! The problem I am having is that the script errors at:

$_.Scope.MonitoringObjects | foreach {Get-SCOMMonitoringObject -Id $_}

"GetScomClassIntance : Cannot validate argument on parameter 'Id'. The argument is null or empty."

If I just run Get-SCOMUserrole | Where { $_.ProfileDisplayName -eq "Operator"}


Get-SCOMUserRole | Sort-Object DisplayName

It does return relevant User Roles from the system.


Michiel Wouters said...

@OdgeUK. I wrote the script for SCOM 2007. Just added the SCOM 2012 version.

OdgeUK said...

So that's basically awesome. Thank you so much. Please let me know if you do one that captures the Views too. Amazing. Thanks again!

Post a Comment