How to enable SAP "enhanced monitoring" via Powershell
Published Mar 13 2019 09:39 AM
First published on MSDN on Jul 31, 2012

Update Sep 27 2012

Bug fix in the PS script. An issue showed up when using the script on a Windows 2012 server. The script failed to remove an entry
from the two local user groups because the VM name was compared case-sensitively.

Status Quo

I published a blog at the beginning of the year which describes what to do to enable SAP “Enhanced Monitoring” without
the need to give admin permissions to virtual machines :

In addition, the whole topic is described in SAP note 1409604.


The blog mentioned above describes all the steps which are necessary to enable SAP "enhanced monitoring". But
it is a lot of "clicking", which also carries the risk of making mistakes. And admins who like to automate things won't be
happy about the process, no matter how well it is described.


I put together a little PowerShell script which makes all the necessary security settings to enable SAP "enhanced
monitoring". It handles all necessary security entries on the Hyper-V host in the three areas which are required :

1. local "Performance Monitor Users" group as well as the "Distributed COM Users" group

2. WMI Control security

3. Authorization Manager ( azman.msc )

The script attached is not an official Microsoft product. There is no support. Take it as it is. Focus was NOT on
programming style or performance. Main goal was to make it robust and hopefully easy-to-use. Another goal
was to avoid loading additional modules - just basic Powershell if possible.
It was tested by a colleague from SAP development as well as a few first customers.

Keep in mind that in case of a Hyper-V cluster the script has to be started on every node on which a SAP VM
might wake up. This means that on an 8-node Hyper-V cluster one has to run the script eight times.

If someone finds a critical bug or has suggestions on how to further improve the script, let me know.
While there is no official Microsoft support I am still open to making some changes.

To use the script just download the attached text file, rename it as you like and change the extension to .ps1.


The following section will describe how to use the Powershell script :

Figure 1 : SAP enhanced monitoring on Hyper-V won’t work out-of-the-box. A simple way to check
is by calling transaction ST06 and selecting “Expert View”. The “CPU Virtualization
Host” line will not show any details

Figure 2 : clicking on “Processor” in the “CPU Virtualization Host” line as seen on Figure 1 will very
likely cause an error

Figure 3 : once the permissions for the VM ( out of which SAP Enhanced Monitoring will be used )
are set correctly on the Hyper-V host ST06 will show the details about the host CPUs

Figure 4 : just type in the Powershell script name and press RETURN. An error will be reported and
the correct syntax will be shown

Figure 5 : the easiest usage is adding the corresponding permissions for a specific virtual machine.
Use the option “add” and specify the domain and the name of the virtual machine. The script will
display messages about what it did. As long as there are no errors everything will be ok

Figure 6 : adding a VM name the very first time will automatically add a SAP specific role definition
to the azman store. If one adds another VM this role definition already exists and the
script will report via “Information” messages that certain objects already exist.

Figure 7 : use option “remove” to remove the permissions again

Figure 8 : to make life easier when working with many VMs one can create a global
security group on the domain controller

Figure 9 : once the global security group is created add the virtual machines in which SAP
Enhanced Monitoring should be used

Figure 10 : by using the option “-adgrp” it’s possible to use a global AD group as described above
instead of a single VM name

Figure 11 : when removing a specific VM name or an AD group the script will keep the SAP
specific role definition in the azman store. Use the separate option
“remove_azman_role” to get rid of it. In case the script finds existing members
it will ask whether the role definition should really be deleted, as all member entries will
be gone

Figure 12 : if one repeats an “add” operation the script will just report “Information”
messages as everything exists already

Figure 13 : the same is valid for operation “remove”. Repeating the same remove call
again will result in Information messages reporting that the entries don’t exist

Figure 14 : as described in SAP note 1409604 there was an “easy” way to enable enhanced
monitoring in the past by simply giving a VM admin permissions.
In case there are entries using this old method the script is able to assist in
migrating these entries. It will provide a list of entries which are very likely
candidates for SAP enhanced monitoring. The user is then allowed to pick the
ones which should be migrated

Figure 15 : to be on the safe side the script will show the selected list of entries again which
should be migrated

Figure 16 : finally the script will migrate the entries which the user selected. These entries will be
removed from the administrators group and all the appropriate entries as described
above will be made. It works exactly the same way, with all the Information messages
in case the entries already exist
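
A read-only check for the first of the three areas (the two local groups) and for leftover grants from the old admin method, as an added example that is not part of the attached script. It assumes English group names and that a VM's computer account appears as a member whose name ends in `$`; the function names are hypothetical, and WMI Control security and the azman store are not inspected.

```powershell
# Added example: read-only audit of local group membership on a Hyper-V host.
# Assumption: a VM's computer account shows up as a member whose name ends in '$'.
$groups = 'Administrators', 'Performance Monitor Users', 'Distributed COM Users'

function Get-LocalGroupMemberName {
    param([string]$GroupName)
    # WinNT ADSI provider: no additional modules need to be loaded
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/NAME; turn it into DOMAIN\NAME
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-SapMonitoringGrantAudit {
    $seen = @{}
    foreach ($g in $groups) {
        foreach ($name in (Get-LocalGroupMemberName $g)) {
            if ($name -notmatch '\$$') { continue }   # keep computer accounts only
            # Normalise case so "dom\vm1$" and "DOM\VM1$" count as the same VM
            $key = $name.ToUpperInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += $g
        }
    }
    foreach ($key in $seen.Keys) {
        $in = $seen[$key]
        $status = if ($in -contains 'Administrators') {
            'admin grant: migration candidate'
        } elseif ($in.Count -eq 2) {
            'both monitoring groups present'
        } else {
            'incomplete: one monitoring group missing'
        }
        [pscustomobject]@{ Account = $key; Groups = $in -join ', '; Status = $status }
    }
}

Get-SapMonitoringGrantAudit | Sort-Object Status, Account | Format-Table -AutoSize
```

On a Hyper-V cluster, run it on every node, since the local groups are per host.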
