Follow

How Do I Configure & Manage WMI Credentials?

Question:

How Do I Configure & Manage WMI Credentials?

Answer:

Monitoring Windows systems through WMI requires valid credentials with Administrator privileges (or specific WMI and DCOM querying permissions at a minimum). Traverse provides two ways of managing the credentials for WMI monitoring:

Single Domain/Local Account Through Service Credentials
All WMI queries in Traverse are routed through the WMI Query Daemon. For Windows DGEs this is typically installed locally on the DGE. For Linux/Solaris installations, a separate WMI proxy server runs the Query Daemon to proxy requests from the UNIX Traverse DGE to the Windows servers.

In a situation where all systems monitored by a given DGE are on the same domain (or use the same local account credentials), a single set of credentials can be used. The WMI Query Daemon runs as a Windows service, and the log on property of the service (Start -> Run -> services.msc -> WMI Query Daemon -> Properties -> Log On tab) will also be used as the default credentials for all WMI queries. If the WMI monitor instance has any credentials specified, they override the service log on property, so the monitoring instance must be left empty (no user/password) to default to the Log On service credentials. In this scenario, typically a "service" account with domain-wide WMI privileges is created for monitoring purposes.

The main benefit to this approach is that credentials only ever need be updated in the service settings rather than on a device-by-device basis. However, it also assumes a single set of credentials can be used on all servers which is not always practical.

Multi-domain/Local Accounts Through Monitor Instance
In environments where each individual server or set of servers requires separate credentials, each device can store it's own unique settings. When adding WMI tests, a 'monitor instance' is created. This instance stores the username and password for all WMI tests assigned to it. These settings override any service log on rights, so can also be used in cases where most machines belong to a domain but there a handful of systems outside the domain.

Monitor instance settings are individual to each set of tests, which provides the greatest flexibility. However, in the event credentials change, each individual monitor instance will need to be updated, which can be inconvenient for large numbers of systems. Generally service credentials should be preferred and monitor instance settings used only as necessary to override them.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.