Configuring a non admin user for WMI monitoring

Configuring a non admin user for WMI monitoring

Configuring a non-admin user for WMI monitoring

You can configure a regular Windows user to access WMI information by adding the necessary user account to the Distributed COM Users and the Performance Monitor Users group using lusrmgr.msc, and then configuring the DCOM security settings to allow the groups to access the system remotely (using dcomcnfg).

Note:  These configurations are required to be performed in the User profiles of the client devices that are to be monitored.

Configuring Distributed COM Users in Local user and Groups Setting:

To begin with, we are adding the DCOM user group in our local user settings.

  1. 1. Click Start → Run, type  lusrmgr.msc  and click OK.
  2. 2. In the Users folder, right-click the user to bring up the menu, and select  Properties .
  3. 3. Click over to the  Members of  tab, and click  Add .
  4. 4. Under 'Enter the object names to select', type  'Distributed COM Users'  (without quotes), click  Check Names , then click  OK .
  5. 5. Click  Add .
  6. 6. Repeat steps 3-5 for the  Performance Monitor Users  group and  Event Log Readers  group.

Configuring the DCOM Security Settings to allow the groups to access the system remotely:

Next, we're providing basic access permissions to the user groups (Distributed COM Users and Performance Monitor Users) to be able to gain control of the device remotely.

  1. 7. Click  Start → Run , type  dcomcnfg  and click OK.
  2. 8. Drill down into the  Component Services tree  until you get to My Computer. Right-click ' My Computer'  to bring up the menu, and click  Properties .
  3. 9. Click the COM Security tab, then click  Edit Limits  under the  Launch and Activation Permissions  section.
  4. 10. Click Add.
  5. 11. Under 'Enter the object names to select', type  'Distributed COM Users'  (without quotes), click  Check Names , then click  OK .
  6. 12. Click  Add .
  7. 13. Repeat steps 9-12 for the  Performance Monitor Users  group.
  8. 14. Check  Allow  for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click  OK .

Setting the WMI Control security settings to be applied to all namespaces:

Finally, access is provided for all classes under all namespaces for both the user groups, in order to enable OpManager to fetch those data using WMI.

  1. 15. Click  Start → Run , type  wmimgmt.msc  and click OK.
  2. 16. Right-click WMI Control (Local) to bring up the menu, and click  Properties .
  3. 17. Click over to the Security tab, then click  Root , and click the  Security  button.
  4. 18. Click  Add .
  5. 19. Under 'Enter the object names to select', type  'Distributed COM Users'  (without quotes), click  Check Names , then click  OK .
  6. 20. Make sure the Distributed COM Users group is selected, and click  Advanced .
  7. 21. Highlight the row with  Distributed COM Users  in it and click  Edit .
  8. 22. From the ' Applies to ' drop-down list, select  'This namespace and subnamespaces' .
  9. 23. Under the 'Allow' column, check  Execute Methods, Enable Account  and  Remote Enable , and then click  OK .
  10. 24. Repeat steps 17-23 for the  Performance Monitor Users  group.
  11. 25. Click  OK  to close all windows.

Set permissions to Service Control Manager Security for Windows Service Monitoring:

If you wish to monitor whether Windows Service monitors are up/down, you need to grant permission to SCManager. The access to the Windows services is controlled by the Security Descriptor of Service Control Manager, which by default is restricted for hardened OS. The below mentioned steps will grant remote access to Service Control Manager in user level, to get the list of services on a server.

  1. Retrieve the user SID of the User Account
    1. From the monitored device, open Command Prompt in Administrator mode.
    2. Run the below command to retrieve the user SID. Replace UserName with the user name for the User account.

      wmic useraccount where name="UserName" get name,sid


      wmic useraccount where name="administrator" get name,sid

    3. Note down the SID. (Ex. S-1-0-10-200000-30000000000-4000000000-500)
  2. Retrieve the current SDDL for the SC Manager
    1. Run the below command which will save the current SDDL for the SC Manager to the CurrentSDDL.txt.

      sc sdshow scmanager > CurrentSDDL.txt

    2. Edit the CurrentSDDL.txt and copy the entire content.
    3. The SDDL will be look like below:


  3. Update the SDDL:
    1. Frame new SDDL snippet for above SID

      (A;;CCLCRPWPRC;;; <SID of User> )



    2. Now place this snippet in before "S:" of original SDDL.
    3. Updated SDDL will be like this:


  4. Finally Execute the below command with Updated SDDL:

    sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  1. If some windows services are still not listed, permissions have to be granted for individual services as below.
    1. For setting permission on RPC Endpoint Mapper (ServiceName: RpcEptMapper), run the following command, to get its current SDDL.
    2. sc sdshow RpcEptMapper > CurrentSDDL.txt

    3. Then form the SDDL as in the above step and update it as the following
    4. sc sdset RpcEptMapper <SDDL formed in above step>

    5. Once done, check if the Windows Service is listed. 

  2. This will grant the following permissions to the user:
    CC - To Get Service's current configuration
    LC - To Get Service's current status
    RP - To Read Properties/Start the Service
    WP - To Write Properties/Stop the Service
    RC - To Read the Security Descriptor.