Configuring a non-admin user for WMI monitoring (domain level)
For non-admin users to perform WMI monitoring in OpManager, the user profiles need to be configured accordingly in your network. This can be done:
- On a device level (configuring individual devices) - Link to KB
- On a domain level (configuring the details in the AD server and then pushing it to network devices)
Adding the domain user to Local Administrators group using GPO
Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection
1. Adding the domain user to local Administrators group using GPO:
Create a new domain user and name it as 'wmiuser'.
Also create a new security group and name it as 'Local Admins'.
Make the new user 'wmiuser' as a member of the 'Local Admins' group.
Setting up GPO:
Now, open the Group Policy Management console and create a GPO by right-clicking on Group Policy Objects. Name it as 'Local Admins GPO'.
Right-click on the Local Admins GPO and click 'Edit'. This will open the Group Policy Management Editor. Drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Choose 'Add Group' by right-clicking on the Restricted Groups, and then click on 'Browse'.
Here, type 'Local Admins' (the new group created) and click 'Check Names'. Then click 'OK' twice to proceed further.
In the Configure Membership window, click the 'Add button' to the right of the 'This group is a member of' section and click 'Browse'.
Type 'Administrators' and click OK twice. Then, click Apply and close the Group Policy Management Editor.
Now, link 'Local Admins GPO' to the appropriate Computers/Servers OU to add the 'Local Admins' domain group into corresponding machines 'Local Administrators' group.
Wait for some time until the updated GPO details are synced with your machines, and then you can start using this user for WMI monitoring in OpManager.
2. Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection
Note that when implementing this method, some steps need to be performed manually on every machine that needs to be monitored, as not all actions required can be performed using GPO.
Create a new domain user and name it as 'wmiuser'.
Setting up GPO:
Now, open Group Policy Management console and create a GPO by right-clicking on 'Group Policy Objects'. Name it as 'WMI DCOM rights GPO'.
Right-click on the 'WMI DCOM rights' GPO and click 'Edit'. This will open the Group Policy Management Editor. Now drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
Double-click on 'DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.
Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.
Select 'wmiuser' and check 'Local Access and Remote Access'. Click OK twice.
Now, double click on 'DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.
Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.
Select 'wmiuser' and ensure Local Launch, Remote Launch, Local Activation and Remote Activation are checked. Then click OK twice.
Now, link 'WMI DCOM rights GPO' to the appropriate Computers/Servers OU to apply the selected DCOM policies.
-
These steps need to be performed at the device level only.
- Click Start → Run, type wmimgmt.msc and click OK.
- Right-click WMI Control (Local) to bring up the menu, and click Properties.
Click over to the Security tab, then click Root, and click the Security button.
Click Add.
Under 'Enter the object names to select', type 'wmiuser' (user created above) without quotes, click Check Names, then click OK.
Make sure the wmiuser is selected, and click Advanced.
Highlight the row with wmiuser in it and click Edit.
From the 'Applies to' drop-down list, select 'This namespace and subnamespaces'.
Under the 'Allow' column, check Execute Methods, Enable Account and Remote Enable, and then click OK.
Click OK to close all windows.
Additional settings (if Windows Service monitors are not fetched properly):
-
These steps need to be performed at the device level only.
-
To enable Windows Service monitors to be fetched without any issues, follow the steps under 'Set permissions to Service Control Manager Security for Windows Service Monitoring' in this help article.
New to ADSelfService Plus?
Related Articles
Configuring a non admin user for WMI monitoring
Configuring a non-admin user for WMI monitoring You can configure a regular Windows user to access WMI information by adding the necessary user account to the Distributed COM Users and the Performance Monitor Users group using lusrmgr.msc, and then ...Configuring threshold values for disk partitions in OpManager
For the Servers, we discover Disk utilization using both WMI and SNMP. Also, we monitor the drive partitions that are available in those Servers. The customers found this very ...Configuring thresholds on the devices monitored in OpManager
How to monitor Windows 2012 Server using local admin account?
Windows 2012 server can not be monitored using local admin account from a remote machine. We have to follow these steps on the monitored server to allow remote WMI polling for the local admin account. If you want to use a local user to monitor the ...WMI credentials does not pass with error "RPC Server Unavailable"
Steps to troubleshoot "RPC Server Unavailable Error" when adding Windows Server through WMI mode in OpManager. 1) Try to add the server using domain-name\username and with username alone. 2) Check whether you are able to ping the remote windows ...