Local check under different user

CMK version: 2.0.0p20
OS version: Windows Server 2019

Hello all,
I would like to create a local script under Windows, which evaluates the MS Exchange Queue. This is done with a PowerShell script and works under my admin account.
When I place the script in C:\ProgramData\checkmk\agent\local, it is executed under the user “nt-autority\system” who has no permissions to read the Exchange Queue.
How can I have the checkmk agent execute the script with other user rights in the raw edition?

Thank you very much,
Dom

I’m still facing the problem, any solutions?

Problem: Local checkmk has no permission for the Exchange transport queue. So the check has no result. How can I monitor the MS Exchange transport queue with checkmk?
This is the script which gives the needed result when I start it with my user, but no result when checkmk runs it.

# Establish a connection to Exchange
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$env:computername.berlin.rosaluxemburgstiftung.de/PowerShell/ -Authentication Kerberos
$Null=Import-PSSession $Session -DisableNameChecking -AllowClobber
Clear-Host

# Read the queues
$Queue = Get-Queue | Select Identity, DeliveryType, MessageCount 

# Make the result readable for Checkmk
foreach ($Line in $Queue) {
    $Type = $Line.DeliveryType
    $Count = $Line.MessageCount
    $Identity = $Line.Identity
    write-host P "Message_Queue_$Type" "Mails=$Count;100;200" $Count Mails in der Warteschlange.
}

# Close the connection to Exchange
Remove-PSSession $Session

Best regards,
Dom

You just enable the rule that allows you to execute the PS as another user, “Run plugins and local checks using non-system account”.

Thanks for the answer. Unfortunately, I am not getting anywhere.

The PowerShell script is located under “C:\ProgramData\checkmk\agent\local\whoami.ps1”.
I have customized the check_mk.user.yml under: “C:\ProgramData\checkmk\agent\check_mk.user.yml”

I made the following adjustments under the “local” section in the check_mk.user.yml:

local:
    enabled: yes

    # max_wait: 60 # max timeout for each sync plugin. Agent will not collect data from plugins longer than max_wait time.
                   # this is useful to stop badly written or hanging plugins   


    # async_start: true # start plugins asynchronously, this is normal mode. 

    # patterns are scanned from top to bottom, 
    # configuration is assigned to the first file found that matches the pattern 
    Execution:
        #- pattern : 'C:\ProgramData\checkmk\agent\local\\nav_jobqueue.ps1' # plugin name or absolute path . * and ? are allowed
        # user : 'admnavision 1Admin4nav' # username (domain is allowed) and password separated by a space
        # run : yes # run this plugin if plugin found
          
        - pattern : 'whoami.ps1' # plugin name or absolute path . * and ? are allowed
          user : 'Testuser Testpassword' # username (domain is allowed) and password separated by a space
          run : yes # run this plugin if plugin found
          
        - pattern : 'test_me.bat' # plugin name. * and ? are allowed
          #async: no # default is no
          timeout : 35 # after 35 seconds the process will be terminated, default is 60 in check_mk.yml
          run : yes # run this plugin.

        - pattern : '*.*' # in the user folder. DO NOT REMOVE THIS ENTRY
          run : yes # do not execute files matching this pattern

But the output is still made by “NT-AUTORITÄT\SYSTEM” instead of “Testuser”.

Have I made a mistake somewhere?

Thanks for helping,
Dom

Did you try an absolute path? Not using the community edition so not sure how to modify yml files.

Yes, I have tried various possibilities

# ProgramData/checkmk/agent/local folder
local:
    enabled: yes
    execution:
         - pattern     : 'C:\ProgramData\checkmk\agent\plugins\whoami.ps1'    # Plugin name or absolute path . * and ? are allowed
           user       : 'Testuser Testpassword' # user name(domain is allowed) and password separated with one space
           run         : yes                 # execute this plugin if plugin found
         - pattern     : 'C:\\ProgramData\\checkmk\\agent\\plugins\\whoami2.ps1'    # Plugin name or absolute path . * and ? are allowed
           user       : 'Testuser Testpassword' # user name(domain is allowed) and password separated with one space
           run         : yes                 # execute this plugin if plugin found
         - pattern     : 'whoami3.ps1'    # Plugin name or absolute path . * and ? are allowed
           user       : 'Testuser Testpassword' # user name(domain is allowed) and password separated with one 
           

But all of them return NT-AUTORITÄT\SYSTEM. It’s like it doesn’t matter if I make any changes to the check_mk.user.yml.
But I really need this option, otherwise I can’t monitor important services.

Best,
Dominic
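
Added example, not part of any post in this thread and not Checkmk's own code: a diagnostic local check that reports the account the agent actually started it under (by SID, so it works on a German or English OS) and lists who can read the `check_mk.user.yml` that holds the run-as password in clear text. The service names, the WARN/CRIT choices and the function names are assumptions made for this example.

```powershell
# Added example, not from the thread. Service names and status choices are assumptions.
$ConfigPath = 'C:\ProgramData\checkmk\agent\check_mk.user.yml'   # path quoted in the thread

function Get-IdentityLine {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-18 is the well-known SID of LocalSystem; the SID does not change
    # with the OS language, unlike the displayed account name.
    if ($id.User.Value -eq 'S-1-5-18') {
        return "1 Local_Check_Identity - Started as $($id.Name) (LocalSystem)"
    }
    return "0 Local_Check_Identity - Started as $($id.Name)"
}

function Get-ConfigAclLine {
    param([string]$Path)
    # Principals expected to read a file that holds a password in clear text:
    # LocalSystem and the built-in Administrators group.
    $allowed = 'S-1-5-18', 'S-1-5-32-544'
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return "3 Agent_Config_ACL - Cannot read ACL of ${Path}: $($_.Exception.Message)"
    }
    $extra = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report it as shown
        }
        if ($allowed -notcontains $sid) { $ace.IdentityReference.Value }
    }
    if ($extra) {
        $names = @($extra | Sort-Object -Unique) -join ', '
        return "2 Agent_Config_ACL - Read access also granted to: $names"
    }
    return "0 Agent_Config_ACL - No Allow entry grants read access beyond LocalSystem and Administrators"
}

# One line per service: <status> <service name> <perfdata or -> <text>
Get-IdentityLine
Get-ConfigAclLine -Path $ConfigPath
```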
