DESCRIPTION:

There are three ways I have used to set up permissions so that WMI works.
Note: these all assume the collector and the target computers are in the same Windows domain.

  1. Normally, the easiest setup is to create a separate dedicated user account for monitoring and add it to the ‘Domain Admins’ group. This works because, by default, ‘Domain Admins’ is a member of the local ‘Administrators’ group on every domain-joined computer.
  2. Since WMI is designed to be used by a ‘local admin’, you can achieve this with a GPO (Group Policy Object) that adds a group to the local ‘Administrators’ group on every computer in your domain. Article later.
  3. The lowest-permission method I know of involves setting the very specific permissions described below; the user does not even need to be a local admin (except on the collector computer).


The downside of method #3 is that it takes ~2 minutes of clicking/configuring for each target computer you monitor. I think this could be partially or fully automated using PowerShell or another scripting language, but I haven’t found it or built it yet.



Summary Steps:

Step 1:

On the target computer, put your “logicmonitor” user in these local groups:
– Distributed COM Users
– Performance Monitor Users

  • Note: if you do this, you shouldn’t need to use DCOMcnfg to set permissions.

Step 2:

  • If the computers are on a Windows domain, put your “logicmonitor” user in the domain groups called ‘Distributed COM Users’ and ‘Performance Monitor Users’.
  • On the collector computer, put your ‘logicmonitor’ user in the local Administrators group (so the collector service can install and run properly).

Step 3:

  • On the target computer, open WMI Control by running wmimgmt.msc, or open ‘Computer Management’ (Control Panel > Administrative Tools > Computer Management) and expand ‘Services and Applications’.
  • Right-click “WMI Control” and click “Properties”.
  • Click the “Security” tab.
  • Click “Root”, then click the “Security” button.
  • Add the “logicmonitor” user to the list (or the group “Performance Monitor Users”).
  • Tick the permission checkboxes to allow “Execute Methods”, “Enable Account” and “Remote Enable”. Click ‘Advanced’, select the user, click ‘Edit’ and set ‘Applies to’ to ‘This namespace and subnamespaces’. Click OK all the way out.
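The following PowerShell script is an added example (not from the original article or from LogicMonitor) that automates Step 1 and Step 3 on one target computer, the part of the procedure the text above says could be scripted. It assumes a placeholder domain account CONTOSO\logicmonitor, an elevated Windows PowerShell 5.1 session on the target, and the LocalAccounts cmdlets that ship with Windows 10 / Server 2016 and later; the WMI access-mask and ACE-flag constants are the documented WMI SDK values.

```powershell
# Added example: automate Step 1 (local groups) and Step 3 (WMI namespace
# security on Root, inherited by sub-namespaces) on the target computer.
# Run elevated in Windows PowerShell 5.1 (Get-WmiObject/Invoke-WmiMethod).
param(
    [string]$Account = 'CONTOSO\logicmonitor'   # assumed placeholder; change to your account
)

# --- Step 1: local group membership (skip if already a member) ---
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
    $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $Account }
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $Account
        Write-Host "Added $Account to local group '$group'"
    }
}

# --- Step 3: WMI namespace security on Root ---
# Access-mask bits for WMI namespaces (WMI SDK constants):
$WBEM_ENABLE             = 0x1    # "Enable Account"
$WBEM_METHOD_EXECUTE     = 0x2    # "Execute Methods"
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE   = 0x2    # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0

# Resolve the account to a SID (string and binary forms, both needed by Win32_Trustee).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$domain, $name = $Account -split '\\', 2

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.Domain    = $domain
$trustee.Name      = $name
$trustee.SID       = $sidBytes
$trustee.SIDString = $sid.Value

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# __SystemSecurity is the per-namespace singleton that exposes the namespace ACL.
$invoke = @{ Namespace = 'root'; Path = '__SystemSecurity=@' }
$sd = (Invoke-WmiMethod @invoke -Name GetSecurityDescriptor).Descriptor

# Only append if this SID does not already have an allow entry on Root.
$existing = $sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid.Value -and $_.AceType -eq 0 }
if (-not $existing) {
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $result = Invoke-WmiMethod @invoke -Name SetSecurityDescriptor `
                  -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor failed with return value $($result.ReturnValue)"
    }
    Write-Host "Granted Enable Account / Execute Methods / Remote Enable on root to $Account"
}

# Read the ACL back so the result can be checked (same view as the Security dialog).
(Invoke-WmiMethod @invoke -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SIDString -eq $sid.Value } |
    Select-Object @{n='Trustee';e={ "$($_.Trustee.Domain)\$($_.Trustee.Name)" }},
                  @{n='AccessMask';e={ '0x{0:X}' -f $_.AccessMask }}, AceFlags
```

The access mask written is 0x23 (Enable Account, Execute Methods, Remote Enable) with AceFlags 2 (container inherit), which is exactly what the three checkboxes plus ‘This namespace and subnamespaces’ produce in the GUI; the script deliberately grants nothing beyond those three rights and leaves every existing entry in the DACL untouched.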

If you’re monitoring Domain Controllers:

Control Panel > Administrative Tools > Local Security Policy

  • Once inside, expand Security Settings > Local Policies > User Rights Assignment and assign your new group at least the following rights:
    – Act as part of the operating system
    – Log on as a batch job
    – Log on as a service
    – Replace a process level token
  • Note that ‘Act as part of the operating system’ and ‘Replace a process level token’ are highly privileged rights, so keep membership of this group limited to the monitoring account.

If you want to monitor Windows Services or Processes, you also need to grant the ‘logicmonitor’ user permission on the Service Control Manager so it can ‘see’ all the services.

  1. Show the current permissions with this command:
    C:\>sc sdshow scmanager
    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
  2. Get the SID (Security ID) for your user or group.
    I like using the dsquery command because it lets you copy the long, cryptic SID to your clipboard, whereas the ADSIedit GUI doesn’t.
    C:\>dsquery user -name non-admin | dsget user -sid
    sid
    S-1-5-21-453481523-53804703-39165276-1624
    dsget succeeded
  3. Set the new permissions. Note: you are adding one entry, but because sdset replaces the whole descriptor, the command must also repeat all of the existing permissions.
    Combine your SID with the permission letters and the existing permissions shown above into a single command (as in the example below):
    C:\>SC SDSET SCMANAGER D:(A;;CCLCRPRC;;;S-1-5-21-453481523-53804703-39165276-1624)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
  4. Check your work by showing the new permissions with this command:
    C:\>sc sdshow scmanager
    D:(A;;CCLCRPRC;;;S-1-5-21-453481523-53804703-39165276-1624)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    Notice that the new entry grants only read-type rights:
    CC = SC_MANAGER_CONNECT
    LC = SC_MANAGER_ENUMERATE_SERVICE
    RP = SC_MANAGER_QUERY_LOCK_STATUS
    RC = STANDARD_RIGHTS_READ (READ_CONTROL)
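Hand-editing the SDDL string is where people typically lose an existing entry or mistype a SID. The PowerShell script below is an added example (not from the original article) that performs the same four steps: it resolves the SID with .NET instead of dsquery, parses the current descriptor with System.Security.AccessControl.RawSecurityDescriptor, prepends the same CC/LC/RP/RC allow ACE, writes it back with sc.exe sdset, and reads it back to verify. The account name CONTOSO\logicmonitor is an assumed placeholder; run it elevated on the target computer.

```powershell
# Added example: scripted equivalent of "sc sdshow / sc sdset scmanager".
# Run elevated on the target computer.
param(
    [string]$Account = 'CONTOSO\logicmonitor'   # assumed placeholder; user or group to grant
)

# Step 2 equivalent: resolve the SID in .NET rather than with dsquery/dsget.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Step 1 equivalent: read the current SCM descriptor. sc.exe prints the SDDL
# on its own line after a blank line, so pick the line that starts with "D:".
$current = (& sc.exe sdshow scmanager | Where-Object { $_.Trim() -match '^D:' }).Trim()
if (-not $current) { throw 'Could not read the scmanager security descriptor' }

# Parse it so existing DACL/SACL entries are preserved structurally, not by copy/paste.
$rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

# Same rights the article grants:
#   CC = SC_MANAGER_CONNECT (0x1)   LC = SC_MANAGER_ENUMERATE_SERVICE (0x4)
#   RP = SC_MANAGER_QUERY_LOCK_STATUS (0x10)   RC = READ_CONTROL (0x20000)
$mask = 0x0001 -bor 0x0004 -bor 0x0010 -bor 0x20000

$alreadyGranted = $rsd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and $_.AceQualifier -eq 'AccessAllowed'
}
if (-not $alreadyGranted) {
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $rsd.DiscretionaryAcl.InsertAce(0, $ace)   # prepend; every existing ACE stays in place
}

# Step 3 equivalent: write the full descriptor (DACL + SACL) back with sdset.
$newSddl = $rsd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
& sc.exe sdset scmanager $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }

# Step 4 equivalent: read back and confirm the SID is now present.
$verify = (& sc.exe sdshow scmanager | Where-Object { $_.Trim() -match '^D:' }).Trim()
if ($verify -notmatch [regex]::Escape($sid.Value)) {
    throw "No entry for $Account found in the scmanager descriptor after sdset"
}
Write-Host "scmanager descriptor now:`n$verify"
```

Because the ACE is inserted into the parsed descriptor rather than typed into a string, the existing entries (including the SACL audit entries after S:) are carried over exactly, which is the part of the manual method that is easiest to get wrong.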

Hat tip to John Cardenas at SJwater.com and this article I found



I suggest you test with WBEMtest on the collector computer.
Make sure you already did the EASY STUFF:
  • Firewalls are fully off on both computers, or a rule is open for WMI (remote management).
  • I suggest that you disable UAC on both computers (slider at the bottom); changes require a reboot.
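As an added example (not part of the original article), the script below does the same check as WBEMtest from the collector side, but scripted: it opens a DCOM CIM session to the target as the monitoring account and exercises the three permission areas set up above, namespace access, service enumeration and performance counters. The target host name is an assumed placeholder and the credential is prompted for.

```powershell
# Added example: verify the WMI setup from the collector, using the same
# DCOM path that WBEMtest and the collector use. Run on the collector.
param(
    [string]$Target = 'server01.contoso.local',   # assumed placeholder target host
    [pscredential]$Credential = (Get-Credential -Message 'Monitoring account, e.g. CONTOSO\logicmonitor')
)

$dcom = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Target -Credential $Credential `
                          -SessionOption $dcom -ErrorAction Stop
try {
    # 1. Namespace access: needs Enable Account + Remote Enable on root\cimv2
    #    (inherited from Root in Step 3). An access-denied here points at Step 3.
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
    Write-Host "Connected to $($os.CSName): $($os.Caption)"

    # 2. Service visibility: needs the CC/LC/RP/RC entry on scmanager.
    #    Without it, Win32_Service commonly comes back empty rather than failing,
    #    so treat an empty result as a permission problem, not a healthy host.
    $services = @(Get-CimInstance -CimSession $session -ClassName Win32_Service)
    if ($services.Count -eq 0) {
        Write-Warning 'Win32_Service returned no rows: check the scmanager sdset step'
    } else {
        Write-Host "Win32_Service rows visible: $($services.Count)"
    }

    # 3. Performance data: needs Performance Monitor Users membership.
    $cpu = Get-CimInstance -CimSession $session `
               -ClassName Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'"
    Write-Host "CPU % (_Total): $($cpu.PercentProcessorTime)"
}
finally {
    Remove-CimSession $session
}
```

Running this as the monitoring account rather than as your own admin account is the point: it confirms the least-privilege configuration from method #3 works end to end before the collector is pointed at the host.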

Hat tip to this article