Configuring non-admin user account for WMI monitoring

QUESTION:

How to set up WMI monitoring without domain admin or local admin credentials

 

RESOLUTION:

By default, Windows allows only members of the Administrators or Domain Admins group to read WMI class information. However, you can grant a regular user access to WMI information by performing the following steps on the server that needs to be monitored.


The following steps have been tested with:

Windows Server 2003 R2 Service Pack 2
Windows Server 2008 R2 Datacenter
Windows Server 2012 R2 Standard
Windows Server 2016 Standard
Windows Server 2019
Windows Server 2022

-------------------------------------------------------------------------------------------------------------------------------
First, we have to add the regular user account to the Distributed COM Users group and the Performance Monitor Users group.
-------------------------------------------------------------------------------------------------------------------------------

1. Click Start > Run..., type lusrmgr.msc and click OK.

2. In the Users folder, right click the user to bring up the menu, and select Properties.

3. Click over to the Member Of tab, and click Add...

4. Under "Enter the object names to select", add the Distributed COM Users group, click Check Names, then click OK.

5. Click Add...

6. Repeat step 4 for the Performance Monitor Users group.


-------------------------------------------------------------------------------------------------------------------------------
Next, we have to configure the DCOM Security Settings to allow the groups to access the system remotely.
-------------------------------------------------------------------------------------------------------------------------------

7. Click Start > Run..., type dcomcnfg and click OK.

8. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties.

9. Click the COM Security tab, then click Edit Limits under the "Launch and Activation Permissions" section.

10. Click Add...

11. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

12. Click Add...

13. Under "Enter the object names to select", type Performance Monitor Users, click Check Names, then click OK.

14. Check "Allow" for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.

 

-------------------------------------------------------------------------------------------------------------------------------
Finally, we have to set the WMI Control security settings to be applied to all namespaces.
-------------------------------------------------------------------------------------------------------------------------------

15. Click Start > Run..., type wmimgmt.msc and click OK.

16. Right-click WMI Control (Local) to bring up the menu, and click Properties.

17. Click over to the Security tab, then click Root, and click the Security button.

18. Click Add...

19. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK.

20. Click Advanced.

21. Highlight the row with Distributed COM Users in it and click "Edit..."

22. From the drop-down list, select "This namespace and subnamespaces".

23. Under the Allow column, check "Execute Methods", "Enable Account", and "Remote Enable".

24. Repeat steps 16-23 for the Performance Monitor Users group.

25. Click OK to close all windows.
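Steps 1-6 and 15-25 scripted, as an added example that is not part of the original article: it adds a monitoring account to both groups, then grants the groups the three rights from step 23 on the root namespace and its subnamespaces (step 22). It assumes an elevated Windows PowerShell 5.1 session on the monitored server and a placeholder account name; the WBEM_* and CONTAINER_INHERIT_ACE values are the documented Win32_ACE constants.

```powershell
# Added example, not from the original article: scripts steps 1-6 and 15-25 for a
# placeholder monitoring account, from an elevated Windows PowerShell 5.1 session
# on the monitored server.
$Account = "$env:COMPUTERNAME\wmimonitor"                    # placeholder account name
$Groups  = @('Distributed COM Users', 'Performance Monitor Users')

# Steps 1-6: group membership (skips groups the account already belongs to)
foreach ($g in $Groups) {
    if (-not (Get-LocalGroupMember -Group $g -Member $Account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $g -Member $Account
    }
}

# Steps 15-25: Win32_ACE access-mask bits and flag matching the checkboxes in WMI Control
$WBEM_ENABLE           = 0x01   # "Enable Account"
$WBEM_METHOD_EXECUTE   = 0x02   # "Execute Methods"
$WBEM_REMOTE_ACCESS    = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE = 0x02   # "This namespace and subnamespaces"
$Mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

$wmi = @{ Namespace = 'root'; Path = '__SystemSecurity=@' }   # the Root node from step 17
$get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

foreach ($g in $Groups) {
    $sid = (Get-CimInstance Win32_Group -Filter "LocalAccount=TRUE AND Name='$g'").SID
    if (-not $sid) { throw "Local group '$g' not found" }
    # Skip groups already in the DACL so the script can be re-run safely
    if ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid }) { continue }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = 0                                         # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
}

$set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# Verify: show the ACEs now held by the two groups on root (AccessMask 35 = 0x23, AceFlags 2)
(Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $Groups -contains $_.Trustee.Name } |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, AccessMask, AceFlags
```

The DCOM limits from steps 7-14 are stored as a binary descriptor in the registry and are still set through dcomcnfg as described above.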




-------------------------------------------------------------------------------------------------------------------------------
If you are using Windows Server 2003 SP1 or later, you will also have to perform the following steps to access the Win32_Service class, due to a known issue (Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1):
-------------------------------------------------------------------------------------------------------------------------------

26. Open a command prompt (must be invoked in the "Run as administrator" mode).

27. Type the following command at the command prompt and then press Enter:

Code:
sc.exe sdset SCMANAGER "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
NOTE: Although step 27 sets the Service Control Manager permissions, individual services may carry more restrictive security descriptors, and you would then need to set the security with "sc sdset" for each individual service that you wish to query. For example:

Code:
sc.exe sdset <service_name> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Be sure to enclose <service_name> in quotes if the name contains spaces.

28. Log in to the remote machine as the non-admin user.

In the command window, type:
sc sdshow scmanager

The output should look like this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)


To edit this string more easily, copy it into a text editor such as Notepad.

In the command window, type:
whoami /USER /FO LIST
User information is returned, including the user name and SID.

In the text editor, use this SID to construct a new permission entry (where the S-x-... part is the user's SID):
(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)

Insert it into the D: section of the permission string you copied earlier, then enter the result in the command window:

sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;LC;;;S-1-5-21-4210608438-308412881-3689030730-1105)(A;;CC;;;AC)

Note: The proper syntax is sc sdset <service> <security>, and you should run this command for each service that is not covered by the previous steps.
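Step 28 scripted, as an added example that is not part of the original article: it reads the SC Manager descriptor with sc sdshow, appends an allow entry with the LC right for the account's SID using .NET's RawSecurityDescriptor instead of editing the string in Notepad, and writes it back with sc sdset. The account name is a placeholder, and an elevated Windows PowerShell 5.1 session on the monitored server is assumed.

```powershell
# Added example, not from the original article: scripts step 28 for a placeholder
# account. Save as a .ps1 and run from an elevated Windows PowerShell 5.1 session
# on the monitored server.
param([string]$UserName = "$env:COMPUTERNAME\wmimonitor")   # placeholder account name

function Add-ScmEnumerateAce {
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # Re-running must not duplicate the entry: return the input unchanged if the SID is present
    foreach ($existing in $sd.DiscretionaryAcl) {
        if ($existing.SecurityIdentifier -eq $Sid) { return $Sddl }
    }
    # LC in SDDL is access bit 0x4, which on the SC Manager means SC_MANAGER_ENUMERATE_SERVICE
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x4, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# The SID that "whoami /USER" would print for the account
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier])

# "sc sdshow" prints a blank line and then the SDDL string
$current = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^[OGDS]:' }).Trim()
$new = Add-ScmEnumerateAce -Sddl $current -Sid $sid

if ($new -eq $current) {
    Write-Host "SCMANAGER DACL already contains $sid"
} else {
    & sc.exe sdset scmanager $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}

# Verify that the stored descriptor now carries the account's SID
& sc.exe sdshow scmanager | Select-String -SimpleMatch $sid.Value
```

The same function applies to an individual service by replacing scmanager with the service name in the two sc.exe calls.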

You should now be able to perform WMI monitoring with the regular user account.
