System Diagnostics from Dynamics Lifecycle Services is a really handy tool – it collects data about your Dynamics AX environments and warns you if your setup is not optimal from performance perspective, if a number sequence is running out of available numbers, if batches are failing and so on. It allows you to act proactively, rather than waiting for something serious to happen.
The only problem with this tool is configuration, because you have to grant the service account permissions to quite a few things, but you typically don’t want to allow everything. The recommended configuration therefore cherry-picks individual items to set permissions for, such as individual registry keys. It’s well-documented, unfortunately it still consists of a large number of manual steps and it’s very easy to do something wrong, especially if you have many servers to configure.
Below you can find scripts automating a few tasks, such as adding the service account to necessary user groups. It’s by no means exhaustive and you’ll still have to do many things manually, but it’s better than nothing. I didn’t mean it as any ambitious project; I merely implemented a few easy wins last time when I was configuring System Diagnostics – and now I’m sharing it with you.
Examples below expect that you’ve set variables with the domain and service account name:
$domain = 'MyDomain' $accountName = 'LcsServiceAccount'
You’ll likely need to run the scripts “As administrator”.
# Adds system diagnostics service account to AX Function Add-LcsAccountToAX { Param( [Parameter(Mandatory=$True)] [string]$User, [Parameter(Mandatory=$True)] [string]$Domain, [string]$AxUserId = 'LcsDiag' ) # Requires AX management module (e.g. running in AX management shell) New-AXUser -UserName $AccountName -UserDomain $Domain -AXUserId $AxUserId -AccountType WindowsUser Add-AXSecurityRoleMember -AxUserID $AxUserId -AOTName SysBusinessConnectorRole } # Usage: Add-LcsAccountToAX -User $accountName -Domain $domain
# Grants access to registry keys Set-RegistryReadPemissions { Param( [Parameter(Mandatory=$True)] [string]$Account, [Parameter(Mandatory=$True)] [string]$RegKey ) $rule = New-Object System.Security.AccessControl.RegistryAccessRule ($Account,'ReadKey','ObjectInherit,ContainerInherit','None','Allow') $acl = Get-Acl $RegKey $acl.SetAccessRule($rule) $acl | Set-Acl } # Usage: $domainAccount = "$domain$accountName" # Run on AOS server Set-RegistryReadPemissions -Account $domainAccount -RegKey 'HKLM:\System\CurrentControlSet\services\Dynamics Server.0' # Run on database server Set-RegistryReadPemissions -Account $domainAccount -RegKey 'HKLM:\System\CurrentControlSet\Control\PriorityControl'
# Adds service account to Windows user groups Function Add-DomainUserToLocalGroup { Param( [Parameter(Mandatory=$True)] [string[]]$Group, [Parameter(Mandatory=$True)] [string]$User, [Parameter(Mandatory=$True)] [string]$Domain, [string]$Computer = $Env:ComputerName ) foreach ($g in $Group) { $adsi = [ADSI]"WinNT://$computer/$g,group" $adsi.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path) } } # Usage: $groups = 'Event Log Readers','Distributed COM Users','Performance Monitor Users' Add-DomainUserToLocalGroup -Group $groups -Domain $domain -User $accountName