Set permissions to Service Control Manager Security for Non-Admin Domain user in Windows Service Monitoring (WMI)

Set permissions to Service Control Manager Security for Non-Admin Domain user in Windows Service Monitoring (WMI)

To set user-level permission to a non-admin account to fetch Services from a remote Windows Server, follow the steps given below:

1. Log into the remote Windows Machine with the non-admin account user credentials. 
2. Open command prompt in Administrator mode, from C:\WINDOWS\system32> path and execute the below command. Then, take note of the SID of the username in a notepad.
wmic useraccount where name="UserName" get name,sid
NOTE: Please ensure that you replace the UserName with the user name for the Non-Admin User account.
3. Logout and login to the remote Windows Server as default Administrator. Open command prompt in Administrator mode and execute the below command. Cross-check if the SID matches with the one that you have made note of earlier.
wmic useraccount where name="UserName" get name,sid
NOTE: Please ensure that you replace the UserName with the user name for the Non-Admin User account.
4. Navigate to C:\WINDOWS\system32> and execute the below command:
sc sdshow scmanager > CurrentSDDL.txt
A text file called CurrentSDDL.txt will be created. You can take a backup of this file which will be available under the C:\WINDOWS\system32 directory.

5. Open the CurrentSDDL.txt file and check if it is in the SDDL format.
Eg. It might look like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

6. Copy the SDDL contents of the file into a notepad.

7. To create a new SDDL snippet for the SID of the non-Admin account, use the following format where you have to replace the SID of the user.
 (A;;CCLCRPWPRC;;;<SID of User>)

Eg: (A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)

8: Place this snippet in the CurrentSDDL.txt file before "S:".
The updated SDDL will look like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

9. To set user-level permission, navigate to C:\WINDOWS\system32> in command prompt as administrator, and run the below command with the updated SDDL:
sc sdset scmanager <D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)>
where you can replace the contents within <> with the updated SDDL.

10. Once the command is executed completely in the Applications Manager installed machine, connect to the remote Windows Server via Wbemtest using the non-admin user account for which you just set user-level permissions.

11. Click on the Query button in the Wbemtest tool and execute the below command and check if output is received
select * from win32_service

12. Once the data is available for the above query, please go to AppManager and check if Services are listed for Windows Server Monitor.
        New to M365 Manager Plus?
        New to M365 Manager Plus?
          New to RecoveryManager Plus?
          New to RecoveryManager Plus?
            New to Exchange Reporter Plus?
            New to Exchange Reporter Plus?
              New to SharePoint Manager Plus?
              New to SharePoint Manager Plus?
                  See all integrations
                  New to ADManager Plus?

                    New to ADSelfService Plus?

                    Start your free trial

                      • Related Articles

                      • Configuring non-admin user account for WMI monitoring

                        QUESTION: How to set up WMI monitoring without domain admin or local admin credentials RESOLUTION: Windows will only allow members of the Administrators or Domain Admin groups to read WMI class information by default. However, you can configure a ...

                      • Setting WMI access through Active Directory and Group Policy Object for non-admin user

                        In our case, we run Active Directory on Windows 2008 R2 and we want to scan the target machine which is Windows 2012 R2 machine. Our domain is called “APMCLU” and we name our dedicated WMI user-account “wmiuser”. First – Setting done from Active ...

                      • Steps to verify WMI access for Non-Admin Domain user

                        This guide provides how to enable and test WMI access with a regular domain user without generic admin rights. Make sure you have followed the steps in the article Setting WMI access through Active Directory & Group Policy Object. This ensures you ...

                      • Permissions required for Non-Admin user to monitor Microsoft Monitors

                        1) To enable WMI permissions for the non admin account follow the steps mentioned in the below link. https://pitstop.manageengine.com/portal/en/kb/articles/configuring-non-admin-user-account-for-wmi-monitoring As an alternative to Steps 1-6 in the ...

                      • WMI-Configure Non-Admin User Account for WMI based Monitors

                        1)Add the user(s) in question to the Performance Monitor Users group 2)Run wmimgmt.msc Under Services and Applications, bring up the properties dialog of WMI Control In the Security tab, highlight Root\CIMV2, click Security; add Performance Monitor ...

                        Related Products