Sanchez

Reporting Permissions and Empty Software Reports

Hi.

I recently set up a new Configuration Manager 1806 environment (now upgraded to 1810). Its SQL database is on a named instance, on a failover cluster, and Reporting Services is installed on one of its nodes (I know that SSRS is not cluster-aware).

The site appears to be mostly fine, but reporting has always seemed a little off. Firstly, while most of the reports work as expected, some of the reports in the "Software - Companies and Products" folder, either produce no results, or only one result. I've read on lots of forums that you shouldn't use reports generated from software inventory, and should stick with hardware inventory, but some of those reports are very useful, and it's a new setup, so I want it to work properly.

Secondly, when I go to the reports web site and look at the folders' permissions, it just says "BUILTIN\Administrators", and people who should have access to view those reports, don't seem to. They just get an error saying "You are not allowed to view this folder. Contact your administrator to obtain the necessary permissions.". These are people I've added to the "Read-only Analyst" security role, for example.

srsrp.log keeps saying this, and I don't know if it's related:

(!) Error retrieving folders - [Cannot open database "CM_MA1" requested by the login. The login failed.~~Login failed for user 'NT AUTHORITY\SYSTEM'.].

The SQL instance is using Windows authentication only.

Any help would be greatly appreciated.


Thanks.


OK, I will bite: which of the SW inventory reports is useful? You can never know for sure that you are getting full true results with them.

Your site server requires full permissions (SA and local Admin) to SQL/SSRS. The error says it doesn't have SA rights. This blog will help you fix that.

https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/

 

 


Thank you very much!

Sorry for the delay; I'd been having trouble logging in!

I tend to use "Computers with a specific product" and "Computers with a specific product name and version" quite a lot. I suppose I could just use "Computers with specific software registered in Add Remove Programs", but it's useful to be able to narrow it down by version, and at the end of the day, having issues on a new environment makes me wonder what else might be wrong with it, so I'd rather fix any problems I come across. And it used to work on the old (2012 R2) site, so it should work on the new one.

As for the SQL stuff, the site server is actually already a sysadmin on the instance (as explained in your link). It doesn't show up in the "Users" folder for the ReportServer database, but that's how the old (2012 R2) one was, and that one works just fine.

I've run SSMS as suggested in your post (from the site server, running as "NT AUTHORITY\SYSTEM", using PsExec), and that all seems fine. I can successfully query both the SCCM and ReportServer databases.

So I'm not sure what's going on. Any other suggestions?


You can get the version number from ARP reports too. 

SW Inv is NOT configured when you first set up CMCB. Until it is configured, it will never return anything, aka blank reports.

 

 


Indeed. As far as I know, I've configured everything required for those reports to work. I suppose I could stick to ARP reports, as you say. I just don't like to leave anything in less than 100% health.

Thanks a lot for your advice, Garth.

I tried giving NT AUTHORITY/SYSTEM the sysadmin role on the SCCM database, and that seemed to get everything working. But I haven't seen that in any of the documentation or guides I've read, which makes me think that something's just not right. And I've also seen it suggested that it's not good from a security standpoint, so I don't want to leave it like that. There's definitely something wrong with my setup, so it would be good to get to the bottom of it.


Did you configure SW inv? If so, exactly what did you configure? Aka, why do you think it is unhealthy?


Yup, I just configured it to inventory .exe on all client hard disks, including subfolders, excluding "Windows,Compressed".

And I think it's unhealthy because on our old 2012 R2 site (which is still active, but has no clients), those same reports produce hundreds of records. As far as I can tell, they're both (the 1810 site and 2012 R2 site) configured the same, as far as SW inventory goes, but the new one produces just one record. And in addition, as I alluded to previously, when I gave NT AUTHORITY\SYSTEM the sysadmin role on the (1810) site database, that report suddenly started showing lots of records. So I think that somewhere, the permissions are wrong.

Besides that, there's the fact that users aren't getting access to reports, as I believe they should.


Thanks.


Thanks for that, Garth. I was aware of the issues around software inventory, but I think your posts have finally persuaded me to turn it off. However, before I do that, I want to figure out why these tables aren't being populated, and why the permissions seem screwy.

I agree that inventorying .exe is rather excessive, but I was trying to mirror the settings on the old server (set up long before my time), which was working perfectly well.

Oh and sorry for the misunderstanding; I didn't mean I'd configured it just now. I meant "simply". It's been like that since about October last year.

Anyway I'm thinking more and more that this is a fault, and not that I've mis-configured something, so I'm going to try re-installing the reporting point, to see if that fixes it. After that, it's a call to Microsoft.

Thanks for your help!


It will not be a permissions issue for SW inv. Why? Because if HW inventory is working, then SW inv will work too.

So this thread started with an SSRS problem and has moved to SW inv. So is the SSRS problem fixed? For SW inv, have you confirmed that it is actually being inventoried on a client computer?

 

 

 


Well, I wanted to double-check my previous experiment, so again, I mapped "NT AUTHORITY\SYSTEM" to the SCCM database, and gave it db_owner role membership. The permissions on the reports now look fine, and users can access them as expected.

But I don't see this as a solution, as doing this isn't mentioned in any documentation or guides, so there must be an underlying problem. And I've also read that it's not a good idea, from a security standpoint.

As for SW inv, I've traced it through all the logs I know of, and it seems to be going through the steps it's supposed to, without errors. But the reports are still empty, including the "All inventoried files..." ones.

 

Thanks.

 

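An added example, not part of the original thread: before leaving `NT AUTHORITY\SYSTEM` with sysadmin or db_owner, the posts above raise the question of what each account actually holds on the instance. The T-SQL below audits that using the standard catalog views; `CM_MA1` is the database name from the srsrp.log error, and `DOMAIN\SITESERVER$` is a placeholder for the site server's computer account.

```sql
-- Constructed audit query (added example, not from the thread).
-- CM_MA1 comes from the srsrp.log error quoted in the first post;
-- DOMAIN\SITESERVER$ is a placeholder for the site server computer account.

-- 1. Instance level: does each login exist, is it enabled, and which fixed
--    server roles (for example sysadmin) does it hold?
--    A NULL type_desc means the login does not exist on this instance.
SELECT w.login_name,
       sp.type_desc,
       sp.is_disabled,
       sr.name AS server_role
FROM (VALUES (N'NT AUTHORITY\SYSTEM'), (N'DOMAIN\SITESERVER$')) AS w(login_name)
LEFT JOIN sys.server_principals AS sp
       ON sp.name COLLATE DATABASE_DEFAULT = w.login_name COLLATE DATABASE_DEFAULT
LEFT JOIN sys.server_role_members AS srm
       ON srm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS sr
       ON sr.principal_id = srm.role_principal_id
ORDER BY w.login_name, sr.name;

-- 2. Database level: is each login mapped to a user in the site database,
--    and which database roles (for example db_owner) does that user hold?
--    A NULL database_user means there is no explicit mapping. Members of
--    sysadmin still enter every database as dbo without a mapped user, and
--    access inherited through a Windows group login is not listed here.
SELECT sp.name AS login_name,
       dp.name AS database_user,
       dr.name AS database_role
FROM sys.server_principals AS sp
LEFT JOIN CM_MA1.sys.database_principals AS dp
       ON dp.sid = sp.sid
LEFT JOIN CM_MA1.sys.database_role_members AS drm
       ON drm.member_principal_id = dp.principal_id
LEFT JOIN CM_MA1.sys.database_principals AS dr
       ON dr.principal_id = drm.role_principal_id
WHERE sp.name COLLATE DATABASE_DEFAULT
      IN (N'NT AUTHORITY\SYSTEM', N'DOMAIN\SITESERVER$')
ORDER BY sp.name, dr.name;
```

Running it before and after a role change records exactly which grant altered the behaviour, so the broader grant can be removed once the narrower cause is known.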

It is documented in the CM docs that your site server must be SA within SQL/SSRS. So I don't see this as a problem or issue.

Again, it is unclear if you have actually configured SW inventory. Post a screenshot.

Again, it is not recommended that SW inv be used and there is no guarantee that it will return results. Lots to read here: https://www.enhansoft.com/?s=software+inventory

 

 


Yes, thanks Garth; I've read all that, and am taking it into account.

As mentioned, I also followed your guide here: https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/, and it was already configured like that:

image.png.68128db6f2675a5ef06825ccade4f0c8.png

I ran the test as you described, and it was successful (the below test was performed on the site server):

image.png.8b6032c4427e1825f73c9b8733d4848c.png

As far as I understand, it's not the site server's account that's having a problem. NT AUTHORITY\SYSTEM is the local system account on the (separate) SQL server, isn't it? If it were the site server, the errors would show as <computer name>$, wouldn't they?

 

 


First off, in AI I would turn ON USB and turn OFF Shortcuts; in any case, these have nothing to do with SW inventory.

Second, I would review the InventoryAgent.log on any computer to confirm that SW inventory is working. Look for the text {00000000-0000-0000-0000-000000000002}. Personally, I would turn off SW inventory altogether as it is useless.

 
