Access is Denied when opening Orchestrator Runbook Designer

A client of mine made some changes to the security protocols, so I had to modify the accounts that were permitted to access the Orchestrator Runbook Designer.

When you install Orchestrator you choose which group has access to the Designer, but unlike other System Center products I work with (SCOM, SCCM) there is no GUI option to change the group. If you want to change the group that has access to the Designer, you will have to use the command line.

Browse to the Orchestrator install folder, for example C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator, go to the subfolder called Management Server, and there you will find a file named PermissionsConfig.

Run that file with -Help to get a list of all the possible parameters, and you'll find there aren't that many 🙂

Let's say you want to add a group called "Domain\SCO_Admins" as managers. Run the following:

PermissionsConfig -OrchestratorUsersGroup "Domain\SCO_Admins"

If you want to grant them the ability to connect remotely, add -remote:

PermissionsConfig -OrchestratorUsersGroup "Domain\SCO_Admins" -remote


Notice: Make sure that you are a member of the particular group prior to running the command. The command does not add a group to the existing list, it replaces it.


Once I ran the command, I tried opening the Runbook Designer with one of the users who's a member of that group, but no luck! I kept getting a pesky Access is Denied error.


I then found the solution in the following Microsoft Article.

All I had to do was run sc stop omanagement and sc start omanagement, and I was able to open the Runbook Designer with that user.
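
The whole procedure as one PowerShell script, added here as an example and not taken from the original post: it refuses to replace the Designer group unless the current logon already belongs to the new group, then runs PermissionsConfig and restarts the omanagement service. The .exe extension, the script parameter names ($Group, $InstallDir, $Remote) and the exit-code check are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the management server.
param(
    [string]$Group      = 'Domain\SCO_Admins',   # group name used in the post
    [string]$InstallDir = 'C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator',
    [switch]$Remote                              # also grant remote access (-remote)
)

$ErrorActionPreference = 'Stop'

# Assumption: the file the post calls PermissionsConfig is PermissionsConfig.exe.
$tool = Join-Path $InstallDir 'Management Server\PermissionsConfig.exe'
if (-not (Test-Path -LiteralPath $tool)) {
    throw "PermissionsConfig not found at '$tool'. Check the install folder."
}

# The command replaces the permitted group instead of adding to it, so stop
# here if the current logon token does not already carry the new group.
# Group changes only appear in the token after the next logon.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole($Group)) {
    throw "$($identity.Name) is not a member of '$Group' in this logon session. " +
          "Add the account to the group and log on again before continuing."
}

# Build the same command line as in the post.
$toolArgs = @('-OrchestratorUsersGroup', $Group)
if ($Remote) { $toolArgs += '-remote' }

Write-Host "Running: PermissionsConfig $($toolArgs -join ' ')"
& $tool @toolArgs

# Assumption: the tool reports failure through a non-zero exit code.
if ($LASTEXITCODE -ne 0) {
    throw "PermissionsConfig exited with code $LASTEXITCODE; service not restarted."
}

# Same effect as 'sc stop omanagement' followed by 'sc start omanagement'.
# Without the restart the Designer keeps answering "Access is Denied".
Restart-Service -Name 'omanagement'
Get-Service -Name 'omanagement' | Select-Object Name, Status
```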


  1. This problem is also caused if the account you are trying to connect with does not have access to the DB of the Orchestrator server.
