Recently came across an issue where we were failing to install Opsmgr 2007 SP1 Agent on new network segment. These all seems to be Windows Server 2008 Servers, eventually it turned out to be an issue not specific to 2008 in particular. To narrow down on the cause we collected the verbose MSI log
msiexec /i <momagent.msi> /lvoicewarmup c:\install.log
You probably would see these two events in your event log
Log Name: Application
Date: 2/24/2009 10:33:51 AM
Event ID: 1033
Task Category: None
Description: Windows Installer installed the product. Product Name: System Center Operations Manager 2007 Agent. Product Version: 6.0.6278.0. Product Language: 1033. Installation success or error status: 1603.
Event ID: 11708
Product: System Center Operations Manager 2007 Agent -- Installation operation failed.
MSI (s) (94:DC) [21:50:05:758]: Executing op: ActionStart(Name=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,,)
MSI (s) (94:DC) [21:50:05:758]: Executing op: CustomActionSchedule(Action=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,ActionType=3073,Source=BinaryData,Target=GrantAuditLogAccess,)
MSI (s) (94:10) [21:50:05:774]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB46.tmp, Entrypoint: GrantAuditLogAccess
1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
1: GrantAuditLogAccess(): ModifyEventLogAccessForNetworkService() returned 0x00000643.
MSI (s) (94:DC) [21:50:05:805]: User policy value 'DisableRollback' is 0
MSI (s) (94:DC) [21:50:05:805]: Machine policy value 'DisableRollback' is 0
Action ended 21:50:05: InstallFinalize. Return value 3.
So from the log we can see
>>1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87 : Probably it could not read the SecurityDescriptor in the first place
>>> ModifyEventLogAccessForNetworkService(): Could not grant read access to Security Log: 0x00000057
We enumerated the following registry key
Checked the customSD(Security Descriptor) string
Appartently 0x1 indicates read-only, which seems to be the problem to a specific user whose GUID is mentioned
For More Understanding
To construct an SDDL string, note that there are three distinct rights that pertain to event logs:
Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
2 = Write
4 = Clear
The following is a sample SDDL that shows the default SDDL string for the Application log.
The access rights (in hexadecimal) are bold-faced for illustration:
O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)
The sixth ACE(Access Control Entry) permits Interactive Users to read and write to the log. (A;; 0x3;;;IU)
IU = Interactive Users
0x3 = 0x1(Read) + 0x2(Write)
a) We removed the CustomSD string from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
b) Ran regsvr32 scecli.dll
For better understanding on SDDL refer http://support.microsoft.com/kb/323076
Thank Jeevan! I've been struggling with this issue on random servers for over a month trying to figure out why the SCOM agent will not install! After applying this change, the agent installed successfully! :)
I've never ever figured out this solution. Thank you very much. :)