Configuring non-admin user account for WMI monitoring

Configuring non-admin user account for WMI monitoring


How to set up WMI monitoring without domain admin or local admin credentials



Windows will only allow members of the Administrators or Domain Admin groups to read WMI class information by default. However, you can configure a regular user to access WMI information by performing the following steps on the server that needs to be monitored.

The following steps have been tested with:

Windows Server 2003 R2 Service Pack 2
Windows Server 2008 R2 Datacenter
Windows Server 2012 R2 Standard
Windows Server 2016 Standard
Windows Server 2019
Windows Server 2022

First, we have to add the regular user account to the Distributed COM Users group and the Performance Monitor Users group.

1. Click Start>Run..., type lusrmgr.msc and click OK

2. In the Users folder, right click the user to bring up the menu, and select Properties.

3. Click over to the Member Of tab, and click Add...

4. Under "Enter the object names to select", add the Distributed COM Users group, click Check Names, then click OK.

5. Click Add...

6. Repeat step 4 for the Performance Monitor Users group.

Next, we have to configure the DCOM Security Settings to allow the groups to access the system remotely.

7. Click Start>Run..., type dcomcnfg and click OK

8. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties.

9. Click the COM Security tab, then click Edit Limits under the "Launch and Activation Permissions" Section

10. Click Add...

11. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

12. Click Add...

13. Under "Enter the object names to select", type Performance Monitor Users, click Check Names, then click OK.

14. Check "Allow" for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.


Finally, we have to set the WMI Control security settings to be applied to all namespaces.

15. Click Start>Run..., type wmimgmt.msc and click OK

16. Right-click WMI Control (Local) to bring up the menu, and click Properties.

17. Click over to the Security tab, then click Root, and click the Security button.

18. Click Add...

19. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

20. Click Advanced.

21. Highlight the row with Distributed COM Users in it and click "Edit..."

22. From the drop-down list, select "This namespace and subnamespaces"

23. Under the Allow column check "Execute Methods", "Enable Account", and "Remote Enable"

24. Repeat steps 16-23 for the Performance Monitor Users group.

25. Click OK to close all windows.

If you are using Windows Server 2003 SP1 or later, you will have to run the following steps to access the Win32_Service class due to a known issue ( Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1 ):

26. Open a command prompt (must be invoked in the "Run as administrator" mode).

27. Type the following command at the command prompt and then press Enter:

NOTE: Although we have set the Service Control Manager permissions in step 27, the security settings for individual services may have more restrictive permissions, and you would need to set the security using "sc sdset" for the individual service that you wish to query. For example:

Be sure to enclose <service_name> in quotes if the name contains spaces.

28.  Log in to the remote machine as non-admin user.

In the command window, type: 
Sc sdshow scmanager

The output should look like this:


To have more control over this, copy this string into a text editor, such as Notepad.

In the command window, type:
whoami /USER /FO LIST
User information is returned, including the user name and SID.

In a text editor, use this SID to construct a new permission section (where x = the SID):

Add it to the service permission string you copied earlier into D: section:

Enter the following into the command window:

sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;LC;;;S-1-5-21-4210608438-308412881-3689030730-1105)(A;;CC;;;AC)

Note: The proper syntax is sc sdset <service> <security> and you should run this command for each service that is not affected by the previous steps.

You should now be able to perform WMI monitoring with the regular user account.

                    New to ADSelfService Plus?