For non-admin users to perform WMI monitoring in OpManager, the user profiles need to be configured accordingly in your network. This can be done:

1. On a device level (configuring individual devices) - Link to KB
   
2. On a domain level (configuring the details in the AD server and then pushing it to network devices)
   

1. Adding the domain user to Local Administrators group using GPO
   

2. Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection
   

1. Adding the domain user to local Administrators group using GPO:

• Create a new domain user and name it as 'wmiuser'.
  

• Also create a new security group and name it as 'Local Admins'.
  

• Make the new user 'wmiuser' as a member of the 'Local Admins' group.
  

• Now, open the Group Policy Management console and create a GPO by right-clicking on Group Policy Objects. Name it as 'Local Admins GPO'.
  

• Right-click on the Local Admins GPO and click 'Edit'. This will open the Group Policy Management Editor. Drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  

• Choose 'Add Group' by right-clicking on the Restricted Groups, and then click on 'Browse'.
  

• Here, type 'Local Admins' (the new group created) and click 'Check Names'. Then click 'OK' twice to proceed further.
  

• In the Configure Membership window, click the 'Add button' to the right of the 'This group is a member of' section and click 'Browse'.
  

• Type 'Administrators' and click OK twice. Then, click Apply and close the Group Policy Management Editor.
  

• Now, link 'Local Admins GPO' to the appropriate Computers/Servers OU to add the 'Local Admins' domain group into corresponding machines 'Local Administrators' group.
  

2. Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection

Note that when implementing this method, some steps need to be performed manually on every machine that needs to be monitored, as not all actions required can be performed using GPO.

• Create a new domain user and name it as 'wmiuser'.
  

• Now, open Group Policy Management console and create a GPO by right-clicking on 'Group Policy Objects'. Name it as 'WMI DCOM rights GPO'.
  

• Right-click on the 'WMI DCOM rights' GPO and click 'Edit'. This will open the Group Policy Management Editor. Now drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  

• Double-click on 'DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.
  

• Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.
  

• Select 'wmiuser' and check 'Local Access and Remote Access'. Click OK twice.
  

• Now, double click on 'DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.
  

• Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.
  

• Select 'wmiuser' and ensure Local Launch, Remote Launch, Local Activation and Remote Activation are checked. Then click OK twice.
  

• Now, link 'WMI DCOM rights GPO' to the appropriate Computers/Servers OU to apply the selected DCOM policies.
  

If the GPO is not applied, select the "Enforce GPO option" to yes for the created GPO in Group policy management console.

Rights for WMI namespace:

• These steps need to be performed at the device level only.

To configure the required rights for the namespace, follow the below steps by which access is provided for all classes under all namespaces for the user to enable OpManager to fetch those data using WMI.

1. Click Start → Run, type wmimgmt.msc and click OK.
   
2. Right-click WMI Control (Local) to bring up the menu, and click Properties.
   

3. Click over to the Security tab, then click Root, and click the Security button.
   

4. Click Add.
   

5. Under 'Enter the object names to select', type 'wmiuser' (user created above) without quotes, click Check Names, then click OK.
   

6. Make sure the wmiuser is selected, and click Advanced.
   

7. Highlight the row with wmiuser in it and click Edit.
   

8. From the 'Applies to' drop-down list, select 'This namespace and subnamespaces'.
   

9. Under the 'Allow' column, check Execute Methods, Enable Account and Remote Enable, and then click OK.
   

10. Click OK to close all windows.
    

Additional settings (if Windows Service monitors are not fetched properly):

• These steps need to be performed at the device level only.
  

• To enable Windows Service monitors to be fetched without any issues, follow the steps under  'Set permissions to Service Control Manager Security for Windows Service Monitoring' in this help article.