Configuring non-admin user account for WMI monitoring

By default, Windows only lets members of the local Administrators group (which includes Domain Admins on a domain-joined server) read WMI class information remotely: remote DCOM launch and activation and the 'Remote Enable' namespace right are both restricted to administrators. A regular user can be given the same read access by performing the following steps on each server that needs to be monitored. The groups used below are local groups, so the steps have to be repeated on every monitored server.
This solution has been tested with the following:
  1. Windows Server 2003 R2 Service Pack 2
  2. Windows Server 2008 R2 Datacenter
  3. Windows Server 2012 R2 Standard
  4. Windows Server 2016 Standard
  5. Windows Server 2019
  6. Windows Server 2022

Configure the Distributed COM Users in the Local User and Groups setting

1. Go to Start → Run, type lusrmgr.msc and click OK.

2. Go to the Users folder, right-click the monitoring account and select Properties. (lusrmgr.msc only lists local users; for a domain account, open the Groups folder instead, open the Distributed COM Users group and add the domain account there, then do the same for Performance Monitor Users.)

3. Go to the Member Of tab and click Add.

4. In the 'Enter the object names to select' field, enter Distributed COM Users, click Check Names, and click OK.

5. Click Add again and repeat step 4 for the Performance Monitor Users group.

6. Click OK to close the Properties dialog.

Configure the DCOM Security Settings to allow the groups to access the system remotely

7. Go to Start → Run, type dcomcnfg and click OK.

8. Go to Component Services → Computers → My Computer. Right-click My Computer and click Properties.

9. Click the COM Security tab and select Edit Limits under the 'Launch and Activation Permissions' section.

10. Click Add.

11. In the 'Enter the object names to select' field, type Distributed COM Users, click Check Names, and click OK.

12. Repeat steps 10 and 11 for the Performance Monitor Users group.

13. For each of these groups, check Allow for each of the permissions required (Local Launch, Remote Launch, Local Activation, Remote Activation), and click OK.

14. Still on the COM Security tab, select Edit Limits under 'Access Permissions' and confirm that the groups (or Everyone, which holds them by default) are allowed Local Access and Remote Access; a remote WMI client needs access rights as well as launch and activation rights.

Set the WMI Control security settings to be applied to all namespaces

Finally, the WMI namespace security has to grant the two groups read access. The rights are set on one namespace and inherited by its subnamespaces.
15. Go to Start → Run, type wmimgmt.msc and click OK.

16. Right-click WMI Control (Local) and click Properties.

17. Go to the Security tab, select Root, and click the Security button. (Root with inheritance, as set in step 22, exposes every namespace on the server; if the monitoring tool only reads root\cimv2, where the Win32_* classes live, select that namespace instead.)

18. Click Add.

19. In the 'Enter the object names to select' field, type Distributed COM Users, click Check Names, and click OK.

20. Make sure that the Distributed COM Users group is selected and click Advanced.

21. Highlight the row with Distributed COM Users in it and click Edit.

22. In the Applies to drop-down list, select 'This namespace and subnamespaces'.

23. In the Allow column, check 'Execute Methods', 'Enable Account', and 'Remote Enable', and click OK. 'Remote Enable' is the right non-administrators lack by default. Leave Full Write, Partial Write, Provider Write and Edit Security unchecked: a monitoring account only needs to read.

24. Repeat steps 18-23 for the Performance Monitor Users group.

25. Click OK and close all the windows. Then verify from the monitoring host by connecting to the server as the non-admin account (for example with wbemtest or Get-WmiObject -ComputerName ... -Credential ...) and reading a class such as Win32_OperatingSystem.
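The same configuration can be applied without the three consoles. The following Windows PowerShell 5.1 script is an added example and is not part of the original article: it adds the account to the two local groups, grants both groups 'Enable Account', 'Execute Methods' and 'Remote Enable' on the namespace with inheritance (the WBEM_* bits behind the checkboxes in step 23), and decodes the DCOM launch limits from the registry to report whether steps 9-13 are still needed. It deliberately does not rewrite the DCOM limits, because when the registry value is absent the built-in defaults apply and dcomcnfg is the safe place to change them. The account name CORP\svc-monitor and the namespace default are assumptions; run it elevated on the monitored server.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$Account   = 'CORP\svc-monitor',   # assumed monitoring account (DOMAIN\user or a local user)
    [string]$Namespace = 'root'                # as in the article; 'root\cimv2' is the tighter choice
)

# Well-known SIDs of the two built-in groups the article uses.
$Groups = [ordered]@{
    'Distributed COM Users'     = 'S-1-5-32-562'
    'Performance Monitor Users' = 'S-1-5-32-558'
}
$accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

# Steps 1-6: group membership (idempotent). Add-LocalGroupMember ships with
# Server 2016+; on older hosts run: net localgroup "<group>" "<account>" /add
foreach ($group in $Groups.Keys) {
    $memberSids = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.SID.Value })
    if ($memberSids -notcontains $accountSid) {
        Add-LocalGroupMember -Group $group -Member $Account
    }
}

# Steps 7-14: the machine-wide launch limits are a binary security descriptor in
# HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction (absent = built-in defaults).
# COM_RIGHTS_* bits as shown in the dcomcnfg dialog:
$ComLaunchRights = [ordered]@{
    'Local Launch' = 0x2; 'Remote Launch' = 0x4; 'Local Activation' = 0x8; 'Remote Activation' = 0x10
}
function Get-DcomLaunchMask {
    param([string]$TrusteeSid)
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if (-not $ole.MachineLaunchRestriction) { return $null }
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$ole.MachineLaunchRestriction, 0)
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $TrusteeSid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    return $mask
}
foreach ($group in $Groups.Keys) {
    $mask = Get-DcomLaunchMask -TrusteeSid $Groups[$group]
    if ($null -eq $mask) { Write-Warning 'MachineLaunchRestriction not set; defaults apply, check dcomcnfg'; break }
    $missing = @($ComLaunchRights.Keys | Where-Object { ($mask -band $ComLaunchRights[$_]) -eq 0 })
    if ($missing) { Write-Warning "$group is missing DCOM launch limits: $($missing -join ', ') (do steps 9-13)" }
}

# Steps 15-25: namespace security. WBEM_* bits behind the checkboxes in step 23;
# CONTAINER_INHERIT_ACE is "This namespace and subnamespaces".
$WBEM_ENABLE = 0x1; $WBEM_METHOD_EXECUTE = 0x2; $WBEM_REMOTE_ACCESS = 0x20
$CONTAINER_INHERIT_ACE = 0x2
$MonitorMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS   # 0x23

function Grant-WmiNamespaceAccess {
    param([string]$Namespace, [string]$TrusteeSid, [int]$AccessMask)
    $target = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
    $got = Invoke-WmiMethod @target -Name GetSecurityDescriptor
    if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor($Namespace) failed: $($got.ReturnValue)" }
    $sd = $got.Descriptor
    # Idempotent: nothing to do if an allow ACE for this SID already covers the mask.
    $covered = $sd.DACL | Where-Object {
        $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $TrusteeSid -and ($_.AccessMask -band $AccessMask) -eq $AccessMask
    }
    if ($covered) { return }
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $TrusteeSid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = 0                          # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor($Namespace) failed: $($set.ReturnValue)" }
}
foreach ($group in $Groups.Keys) {
    Grant-WmiNamespaceAccess -Namespace $Namespace -TrusteeSid $Groups[$group] -AccessMask $MonitorMask
}

# Verify from the monitoring host, as the non-admin account (should return the OS instance):
#   Get-WmiObject -ComputerName <server> -Credential (Get-Credential) -Namespace root\cimv2 -Class Win32_OperatingSystem
```

The namespace ACE is added for the two groups, not for the user, exactly as the console steps do; the mask 0x23 is what the three checked boxes in step 23 produce. Rerunning the script is safe: it skips a group that already holds the rights rather than appending a duplicate ACE.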

Set permissions on the Service Control Manager for Windows service monitoring

WMI lists services through the Win32_Service class under the identity of the caller, so the account also needs rights on the Service Control Manager (SCM). In the default SCM security descriptor shown below, a remote non-admin logon only matches the Authenticated Users entry (AU), which grants Connect (CC) but not Enumerate Services (LC), so the service list comes back empty. The steps below add an entry for the account.

Retrieve the user SID of the User Account
  1. On the monitored device, open Command Prompt as Administrator.
  2. Run the following command to retrieve the user's SID, replacing 'UserName' with the account's username. (wmic is deprecated in current Windows releases; whoami /user, run in a session as that account, prints the same SID.)
wmic useraccount where name="UserName" get name,sid
  3. Note down the SID. For example: S-1-0-10-200000-30000000000-4000000000-500 (a placeholder; real local and domain user SIDs start with S-1-5-21-).
Retrieve the current SDDL for the SC Manager
  1. Run the following command to save the current SDDL of the SC Manager to CurrentSDDL.txt. Keep this file: if a later sdset goes wrong, 'sc sdset scmanager <contents of this file>' restores the original descriptor.
sc sdshow scmanager > CurrentSDDL.txt
  2. Open CurrentSDDL.txt and copy its contents.
  3. On a default installation the SDDL looks like this. Each (A;;rights;;;trustee) entry is an allow ACE in the DACL (AU = Authenticated Users, IU = Interactive, SU = Service, SY = SYSTEM, BA = Administrators, AC = application packages); the part after S: is the audit SACL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Update the SDDL
  1. Frame a new ACE for the SID above, with no spaces inside the parentheses:
(A;;CCLCRPWPRC;;;<SID of User>)
  2. Place this ACE immediately before the 'S:' of the original SDDL, i.e. at the end of the DACL. The updated SDDL will look like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
  3. Execute the following command with the updated SDDL (in PowerShell, type sc.exe: 'sc' alone is an alias for Set-Content):
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Note that on the SCM object the letters RP and WP mean SC_MANAGER_QUERY_LOCK_STATUS and SC_MANAGER_MODIFY_BOOT_CONFIG, not start and stop. If the account only needs to list services, (A;;CCLCRC;;;<SID of User>) is enough: Connect, Enumerate Services and read the security descriptor.
If some Windows services are still not listed, their own security descriptor does not grant the account query rights; they can be granted per service as follows:
  1. Retrieve the current SDDL of the service, for example RPC Endpoint Mapper (service name RpcEptMapper):
sc sdshow RpcEptMapper > CurrentSDDL.txt
  2. Form the new SDDL as in the step above (the same ACE, placed before 'S:') and apply it:
sc sdset RpcEptMapper <SDDL formed in above step>
  3. Check that the required Windows service is now listed.
On a service object, the letters in the ACE grant the user the following rights:
  1. CC - query the service's configuration (SERVICE_QUERY_CONFIG)
  2. LC - query the service's current status (SERVICE_QUERY_STATUS)
  3. RP - start the service (SERVICE_START)
  4. WP - stop the service (SERVICE_STOP)
  5. RC - read the security descriptor (READ_CONTROL)
If the account should only read status and never start or stop services, use CCLCRC instead of CCLCRPWPRC.
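The sdshow/sdset procedure above, for the SCM and for individual services such as RpcEptMapper, as an added Windows PowerShell example that is not part of the original article. It resolves the SID without wmic, parses the current descriptor with the Windows SDDL parser so that a malformed string is rejected before anything is written, appends the allow ACE to the DACL (which is what "before the S:" means in the text form), and prints what each right letter means on the object it is applied to, since the same letters mean different things on the SCM and on a service. The account name, the object list and the default rights string are assumptions; run it elevated on the monitored server.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$Account  = 'CORP\svc-monitor',    # assumed monitoring account
    [string[]]$Object = @('scmanager'),        # 'scmanager' is the SCM itself; add services such as 'RpcEptMapper'
    [string]$Rights   = 'CCLCRPWPRC'           # the article's grant; 'CCLCRC' is enough for read-only monitoring
)

# The two-letter SDDL rights resolve to different flags on the two object types (winsvc.h).
$ServiceRights = [ordered]@{
    CC='SERVICE_QUERY_CONFIG'; DC='SERVICE_CHANGE_CONFIG'; LC='SERVICE_QUERY_STATUS'
    SW='SERVICE_ENUMERATE_DEPENDENTS'; RP='SERVICE_START'; WP='SERVICE_STOP'; DT='SERVICE_PAUSE_CONTINUE'
    LO='SERVICE_INTERROGATE'; CR='SERVICE_USER_DEFINED_CONTROL'
    SD='DELETE'; RC='READ_CONTROL'; WD='WRITE_DAC'; WO='WRITE_OWNER'
}
$ScmRights = [ordered]@{
    CC='SC_MANAGER_CONNECT'; DC='SC_MANAGER_CREATE_SERVICE'; LC='SC_MANAGER_ENUMERATE_SERVICE'
    SW='SC_MANAGER_LOCK'; RP='SC_MANAGER_QUERY_LOCK_STATUS'; WP='SC_MANAGER_MODIFY_BOOT_CONFIG'
    SD='DELETE'; RC='READ_CONTROL'; WD='WRITE_DAC'; WO='WRITE_OWNER'
}

function Expand-Rights {
    param([string]$Rights, [switch]$Scm)
    $table = if ($Scm) { $ScmRights } else { $ServiceRights }
    foreach ($pair in [regex]::Matches($Rights, '..') | ForEach-Object Value) {
        if ($table.Contains($pair)) { $table[$pair] } else { "UNKNOWN($pair)" }
    }
}

function Get-ObjectSddl {
    param([string]$Name)
    # 'sc' is an alias for Set-Content in PowerShell, so the executable must be named explicitly.
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    return ($out | Where-Object { "$_" -match '^D:' } | Select-Object -First 1)
}

function Add-AllowAce {
    param([string]$Sddl, [string]$Sid, [string]$Rights)
    # Parsing with the system SDDL parser validates the input before anything is written.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $Sid
    }
    if ($already) { return $null }   # caller skips sdset; no duplicate ACE on re-runs
    # Build the new ACE through the same parser instead of by hand, then append it to the
    # DACL: appending is exactly what "insert it before S:" does in the text form.
    $new = [System.Security.AccessControl.RawSecurityDescriptor]::new("D:(A;;$Rights;;;$Sid)")
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $new.DiscretionaryAcl[0])
    return $sd.GetSddlForm('All')
}

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

foreach ($name in $Object) {
    $current = Get-ObjectSddl -Name $name
    Write-Host "$name before: $current"
    $updated = Add-AllowAce -Sddl $current -Sid $sid -Rights $Rights
    if (-not $updated) { Write-Host "$name already has an allow ACE for ${Account}; skipped"; continue }
    $meaning = Expand-Rights -Rights $Rights -Scm:($name -eq 'scmanager')
    Write-Host "$name granting ${Account}: $($meaning -join ', ')"
    # Keep $current: a bad descriptor can lock out administrators; 'sc.exe sdset $name $current' restores it.
    & sc.exe sdset $name $updated | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $name failed" }
    Write-Host "$name after:  $(Get-ObjectSddl -Name $name)"
}
```

Running it with the defaults reproduces the article's grant on the SCM and prints that CCLCRPWPRC there means CONNECT, ENUMERATE_SERVICE, QUERY_LOCK_STATUS, MODIFY_BOOT_CONFIG and READ_CONTROL; `-Object scmanager,RpcEptMapper -Rights CCLCRC` applies the read-only variant to both the SCM and the endpoint mapper service. The output of GetSddlForm may render the access mask in hexadecimal rather than as letters; sc sdset accepts both.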

