Configuring a non-admin user for WMI monitoring (domain level)

Configuring a non-admin user for WMI monitoring (domain level)

For non-admin users to perform WMI monitoring in OpManager, the user profiles need to be configured accordingly in your network. This can be done:

  1. On a device level (configuring individual devices) - Link to KB
  2. On a domain level (configuring the details in the AD server and then pushing it to network devices)
This help article describes in detail about method 2 - the process to configure a non-admin user for WMI monitoring on a domain level.

 



This can be achieved in 2 ways:
  1. Adding the domain user to Local Administrators group using GPO

  2. Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection

1. Adding the domain user to local Administrators group using GPO:

  • Create a new domain user and name it as 'wmiuser'.

  • Also create a new security group and name it as 'Local Admins'.

  • Make the new user 'wmiuser' as a member of the 'Local Admins' group.

Setting up GPO:

  • Now, open the Group Policy Management console and create a GPO by right-clicking on Group Policy Objects. Name it as 'Local Admins GPO'.

  • Right-click on the Local Admins GPO and click 'Edit'. This will open the Group Policy Management Editor. Drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

  • Choose 'Add Group' by right-clicking on the Restricted Groups, and then click on 'Browse'.

  • Here, type 'Local Admins' (the new group created) and click 'Check Names'. Then click 'OK' twice to proceed further.

  • In the Configure Membership window, click the 'Add button' to the right of the 'This group is a member of' section and click 'Browse'.

  • Type 'Administrators' and click OK twice. Then, click Apply and close the Group Policy Management Editor.

  • Now, link 'Local Admins GPO' to the appropriate Computers/Servers OU to add the 'Local Admins' domain group into corresponding machines 'Local Administrators' group.

Wait for some time until the updated GPO details are synced with your machines, and then you can start using this user for WMI monitoring in OpManager.


2. Granting DCOM Remote Access, Launch and Activation permissions using GPO, and configuring permissions on WMI namespaces to enable remote WMI connection


Note that when implementing this method, some steps need to be performed manually on every machine that needs to be monitored, as not all actions required can be performed using GPO.

  • Create a new domain user and name it as 'wmiuser'.

Setting up GPO:

  • Now, open Group Policy Management console and create a GPO by right-clicking on 'Group Policy Objects'. Name it as 'WMI DCOM rights GPO'.

  • Right-click on the 'WMI DCOM rights' GPO and click 'Edit'. This will open the Group Policy Management Editor. Now drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

  • Double-click on 'DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.

  • Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.

  • Select 'wmiuser' and check 'Local Access and Remote Access'. Click OK twice.

  • Now, double click on 'DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax' policy and make sure 'Define this policy setting' is checked.

  • Choose 'Edit Security'. Click Add and type 'wmiuser', click Check Names and then click OK.

  • Select 'wmiuser' and ensure Local Launch, Remote Launch, Local Activation and Remote Activation are checked. Then click OK twice.

  • Now, link 'WMI DCOM rights GPO' to the appropriate Computers/Servers OU to apply the selected DCOM policies.


Rights for WMI namespace:

  1. These steps need to be performed at the device level only.

  • To configure the required rights for the namespace, follow the steps under 'Setting the WMI Control security settings to be applied to all namespaces' in this help article.

Additional settings (if Windows Service monitors are not fetched properly):

  • These steps need to be performed at the device level only.

  • To enable Windows Service monitors to be fetched without any issues, follow the steps under 'Set permissions to Service Control Manager Security for Windows Service Monitoring' in this help article.

Wait for some time until the updated GPO details are synced with your machines, and then you can start using this user for WMI monitoring in OpManager.