DESCRIPTION:
There are three ways I have used to set up permissions so that WMI monitoring works.
Note: All three assume the collector and the target computers are in the same Windows domain.
- Normally, the easiest setup is to create a separate, dedicated user account for monitoring and add it to the ‘Domain Admins’ group. This works because, by default, the ‘Domain Admins’ group is a member of the local ‘Administrators’ group on every domain-joined computer.
- Since WMI is designed to be used by a local admin, you can achieve the same thing with a GPO (Group Policy Object) that adds a group to the local ‘Administrators’ group on every computer in your domain. Article to follow.
- The lowest-permission method I know of involves setting the very specific permissions described below; the user does not need to be a local admin at all (except on the collector computer).
The downside of method #3 is that it takes about 2 minutes of clicking/configuring for each target computer you monitor. This can be partially or fully automated with PowerShell or another scripting language. See my other blog post.
Summary Steps:
Step 1:
On the target computer, put your “logicmonitor” user in these local groups:
- Distributed COM Users
- Performance Monitoring Users
- Note: if you do this, you shouldn’t need to use DCOMcnfg to set permissions.
Step 2:
- If the computers are in a Windows domain, put your “logicmonitor” user in the domain groups called ‘Distributed COM Users’ and ‘Performance Monitoring Users’.
- On the collector computer, put your ‘logicmonitor’ user in the local Administrators group (so the collector service can install and run properly).
Step 3:
- On the target computer, open the WMI Control snap-in by either running WMImgmt.msc or going to ‘Control Panel > Administrative Tools > Computer Management’
- Right-click “WMI Control” and click “Properties”
- Click the “Security” tab
- Click “Root”, then click the “Security” button
- Add the “logicmonitor” user to the list (or the group “Performance Monitoring Users”)
- Tick the permission checkboxes to allow “Execute Methods”, “Enable Account” and “Remote Enable”. Click ‘Advanced’, select the user, click ‘Edit’ and set “Applies to” to ‘This namespace and subnamespaces’. Click OK all the way out.
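The following is an added example, not code from the original post, that scripts Steps 1 and 3 above for one target computer (the per-machine clicking the post says can be automated with PowerShell). It assumes Windows PowerShell 5.1, that it is run on the target as a local admin (for example via Invoke-Command from the collector), and uses the placeholder account name MY-DOMAIN\logicmonitor.

```powershell
# Added example (not from the original post). Run on each target computer as a
# local admin, e.g. via Invoke-Command. Account name below is a placeholder.
param(
    [string]$Account = 'MY-DOMAIN\logicmonitor'   # placeholder monitoring account
)

# Step 1: local group membership. 'Performance Monitor Users' is the group's
# actual local name (the post calls it 'Performance Monitoring Users').
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
    # "already a member" is reported as an error; it is harmless, so discard it.
    net localgroup $group $Account /add 2>&1 | Out-Null
}

# Step 3: Enable Account + Execute Methods + Remote Enable on root,
# inherited by sub-namespaces ("This namespace and subnamespaces").
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20
$CONTAINER_INHERIT   = 0x2      # AceFlags: apply to child namespaces too
$mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS   # 0x23

# Resolve the account to a SID; the WMI ACE is keyed on SidString.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor of the root namespace.
$sd = (Invoke-WmiMethod -Namespace 'root' -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor).Descriptor

# Only add an ACE if this SID has none yet, so the script is safe to re-run.
if (-not ($sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid })) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = 0                      # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    $result = Invoke-WmiMethod -Namespace 'root' -Path '__SystemSecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor failed with code $($result.ReturnValue)"
    }
}
```

Re-open WMI Control > Properties > Security > Root afterwards to confirm the three permissions show for the account with “This namespace and subnamespaces”.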
If you’re monitoring Domain Controllers:
- Open Control Panel > Administrative Tools > Local Security Policy
- Once inside, expand Security Settings > Local Policies > User Rights Assignment.
- Assign your new group at least the following rights:
  - Act as part of the operating system
  - Log on as a batch job
  - Log on as a service
  - Replace a process level token
If you want to monitor Windows Services or Processes:
You need to give this ‘logicmonitor’ user access permissions to ‘see’ all the services.
Also, in Dec. 2018 I figured out that it’s easier to use Microsoft’s free subinacl.exe command-line utility. In the flag list below, R means ‘read only’ permissions.
Run this command from your collector computer once for each target server, substituting the target’s name for 'my-server':
subinacl.exe /service \\my-server\* /grant=my-domain\my-user=ISQL
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
Note: if you plan to use the ‘Restart Service’ DataSource, you’ll need to grant F (Full Control) so it can restart the service.
I suggest you test with WBEMtest or the WMIC command on the collector computer.
Make sure you already did the EASY STUFF:
- Firewalls are fully off on both computers, or a firewall rule is open for WMI (remote management)
- I suggest that you disable UAC on both computers (slider at the bottom; changes require a reboot). Hat tip to this article.