
Check permissions using the Orion Permission Checker

Updated October 09, 2018

Overview

The Orion Permission Checker checks key locations on the Orion server to ensure all file system permissions are set correctly. It also repairs locations, providing proper access to the Orion server.

 

SolarWinds recommends using a local server administrator account. When NPM is installed using a domain account that has restricted Group Policy settings, the logs can reflect that a service cannot access or write a file.  You will also see a note inside the configurationwizard.log file advising that domain accounts are not supported with this tool. You can always disable or remove the local server administrator account after making the changes. The process takes 5 minutes to set up.

Environment

NPM version 10.4 and later

Steps

The Repair button, next to the Check button, can perform a repair, but when the domain Group Policy settings are restricted, a manual repair is required. This is a common routine in locked-down or hardened environments, where the domain environment and Group Policy can conflict with the permission changes the software makes.

Test the Orion permissions using the Orion Permission Checker

  1. Go to C:\Program Files (x86)\SolarWinds\Orion\ (or whichever directory Orion was installed in).
    PermissionCheckerLocation.png
  2. Right-click the Orion Permission Checker application and select Run as Administrator.
  3. Click Check.
    PermissionCheckerRun.png
  4. If any row shows FAILED as the Result, click Repair to attempt to fix the permissions.
    Note: GPO might undo your repair action. The best and most permanent way to fix permissions issues is to manually assign the appropriate permissions to the folder. (See the following section.)
    PermissionCheckerFail.png
  5. Run the check again to confirm that the repair worked.

    If the repair did not work, manually assign the required permissions to the folder. Use the Permission Checker results to determine which permissions are required. For example, the image above shows that the NETWORK SERVICE account requires write access to the C:\ProgramData\Application Data\SolarWinds folder.

Manually repair permissions

  1. Target Directories: (Should be the same as Anti-Virus exclusions)
    Volume:\InetPub\SolarWinds\
    Volume:\ProgramData\SolarWinds\
    Volume:\Program Files (x86)\Common Files\SolarWinds\
    Volume:\Program Files (x86)\Microsoft SQL Server\
    Volume:\Program Files (x86)\SolarWinds\
    Volume:\Windows\Temp\SolarWinds\
    Volume:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files 
    Volume:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
    Volume:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files 
    Volume:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  2. Right-click on each of the target directories and select Properties.
  3. Click Security.
  4. Check the Group or user names list.
    If it does not exist, you must set the location and add the new principal accounts:
    1. Click Edit
    2. Click Add, and enter the Principal name.  

      The Principal listed in the Orion Permission Checker should exist in this list and must have full control. For local accounts, choose a location in place of the domain, then make sure the accounts exist (Authenticated Users, IUSR, Network Service).

    3. Click Check Names, and click OK.
    4. Select Full control, and click OK to complete.
  5. Repeat sub-steps 1 to 4 of step 4 for all rows that do not exist in the Orion Permission Checker.
  6. Repeat for the following local accounts: Authenticated Users, IUSR, Network Service.
  7. Re-run the Orion Permission Checker to confirm all users have full control.

    Allow an hour before re-running the Orion Permission Checker. The Group Policy in a domain setting may affect permissions.

  8. For a sample CMD script, refer to icacls.exe (CMD) in Windows for more information.
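
A read-only PowerShell audit of the target directories above, useful for spotting a Group Policy refresh that has undone a repair. This is an added example, not SolarWinds code. It assumes everything sits on one volume (the hypothetical `-Volume` parameter) and identifies the three local accounts by their Windows well-known SIDs. Run it from an elevated prompt.

```powershell
# Read-only audit of the target directories; nothing is modified.
param([string]$Volume = $env:SystemDrive)   # assumption: everything is on one volume

# Well-known SIDs instead of names, so the check also works on localized Windows.
$principals = [ordered]@{
    'Authenticated Users' = 'S-1-5-11'
    'IUSR'                = 'S-1-5-17'
    'NETWORK SERVICE'     = 'S-1-5-20'
}
# Target directories as listed in the article, relative to the volume root.
$targets = @(
    'InetPub\SolarWinds'
    'ProgramData\SolarWinds'
    'Program Files (x86)\Common Files\SolarWinds'
    'Program Files (x86)\Microsoft SQL Server'
    'Program Files (x86)\SolarWinds'
    'Windows\Temp\SolarWinds'
    'Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files'
    'Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'
    'Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files'
    'Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
) | ForEach-Object { Join-Path "$Volume\" $_ }
$full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000   # GENERIC_ALL: some tools store Full control this way
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Path = $dir; Principal = '-'; Result = 'MISSING' }
        continue
    }
    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($name in $principals.Keys) {
        $sid = $principals[$name]
        # Direct Allow ACEs only: Deny entries and group membership are not evaluated.
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
            ((([int]$_.FileSystemRights -band $full) -eq $full) -or
             (([int]$_.FileSystemRights -band $genericAll) -ne 0))
        }
        $result = if ($hit) { 'OK' } else { 'FAILED' }
        [pscustomobject]@{ Path = $dir; Principal = $name; Result = $result }
    }
}
$report | Where-Object Result -ne 'OK' | Format-Table -AutoSize
```

An empty table means every directory that exists grants Full control to all three accounts; MISSING rows are directories not present on this server.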
