Configuring A Regular (non-admin) User Account For WMI Monitoring

QUESTION

How to set up WMI monitoring without domain admin or local admin credentials

RESOLUTION

Windows will only allow members of the Administrators or Domain Admin groups to read WMI class information by default. However, you can configure a regular user to access WMI information by performing the following steps on the server that needs to be monitored.

The following steps have been tested with:

  • Windows Server 2003 R2 Service Pack 2
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2012 R2 Standard
  • Windows Server 2016 Standard

First, we have to add the regular user account to the Distributed COM Users group and the Performance Monitor Users group.

1. Click Start>Run, type lusrmgr.msc and click OK

2. In the Users folder, right-click the user to bring up the menu and select Properties.

3. Click over to the Member Of tab, and click Add.

4. Under "Enter the object names to select", add the Distributed COM Users group, click Check Names, then click OK.

5. Click Add.

6. Repeat step 4 for the Performance Monitor Users group.

non_admin.JPG

Next, we have to configure the DCOM Security Settings to allow the groups to access the system remotely.

7. Click Start>Run..., type dcomcnfg, and click OK

8. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties.

9. Click the COM Security tab, then click Edit Limits under the "Launch and Activation Permissions" Section

10. Click Add.

11. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

12. Click Add.

13. Under "Enter the object names to select", type Performance Monitor Users, click Check Names, then click OK.

14. Check "Allow" for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.

 

non_admin1.JPGFinally, we have to set the WMI Control security settings to be applied to all namespaces.

15. Click Start>Run, type wmimgmt.msc and click OK

16. Right-click WMI Control (Local) to bring up the menu, and click Properties.

17. Click over to the Security tab, then click Root, and click the Security button.

18. Click Add.

19. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

20. Click Advanced.

21. Highlight the row with Distributed COM Users in it and click "Edit..."

22. From the drop-down list, select "This namespace and subnamespaces"

23. Under the Allow column check "Execute Methods", "Enable Account", and "Remote Enable"

24. Repeat steps 16-23 for the Performance Monitor Users group.

25. Click OK to close all windows.

non_admin2.JPGIf you are using Windows Server 2003 SP1 or later, you will have to run the following steps to access the Win32_Service class due to a known issue ( Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1 ):

26. Open a command prompt (must be invoked in the "Run as administrator" mode).

27. Type the following command at the command prompt and then press Enter:

CODE

sc.exe sdset SCMANAGER "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
NOTE: Although we have set the Service Control Manager permissions in step 27, the security settings for individual services may have more restrictive permissions, and you would need to set the security using "sc sdset" for the individual service that you wish to query. For example:

Capture.JPG

CODE

sc.exe sdset <service_name> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Be sure to enclose <service_name> in quotes if the name contains spaces.

If the computer is joined to an Active Directory domain, the permissions can also be modified via the Group Policy Editor. Please see "Managing Permissions" at Managing Permissions for more information.

You should now be able to perform WMI monitoring with the regular user account.

APPLIES TO

All versions of Traverse

Have more questions?

Contact us

Was this article helpful?
1 out of 1 found this helpful

Provide feedback for the Documentation team!

Browse this section