|
|||||||
|
|
Thread Tools | Search this Thread | Display Modes |
|
#1
06-28-2010, 06:26 PM
|
|||
|
|||
Configuring a regular (non-admin) user account for WMI monitoring
Windows will only allow members of the Administrators or Domain Admin groups to read WMI class information by default. However, you can configure a regular user to access WMI information by performing the following steps on the server that needs to be monitored.
The following steps have been tested with: Windows Server 2003 R2 Service Pack 2 Windows Server 2008 R2 Datacenter ------------------------------------------------------------------------------------------------------------------------------- First, we have to add the regular user account to the Distributed COM Users group and the Performance Monitor Users group. ------------------------------------------------------------------------------------------------------------------------------- 1. Click Start>Run..., type lusrmgr.msc and click OK 2. In the Users folder, right click the user to bring up the menu, and select Properties. 3. Click over to the Member Of tab, and click Add... 4. Under "Enter the object names to select", add the Distributed COM Users group, click Check Names, then click OK. 5. Click Add... 6. Repeat step 4 for the Performance Monitor Users group. ------------------------------------------------------------------------------------------------------------------------------- Next, we have to configure the DCOM Security Settings to allow the groups to access the system remotely. ------------------------------------------------------------------------------------------------------------------------------- 7. Click Start>Run..., type dcomcnfg and click OK 8. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties. 9. Click the COM Security tab, then click Edit Limits under the "Launch and Activation Permissions" Section  10. Click Add... 11. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK. 12. Click Add... 13. Under "Enter the object names to select", type Performance Monitor Users, click Check Names, then click OK. 14. Check "Allow" for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK. ------------------------------------------------------------------------------------------------------------------------------- Finally, we have to set the WMI Control security settings to be applied to all namespaces. ------------------------------------------------------------------------------------------------------------------------------- 15. Click Start>Run..., type wmimgmt.msc and click OK 16. Right-click WMI Control (Local) to bring up the menu, and click Properties. 17. Click over to the Security tab, then click Root, and click the Security button.  18. Click Add... 19. Under "Enter the object names to select", type Distributed COM Users, click Check Names, then click OK. 20. Click Advanced. 21. Highlight the row with Distributed COM Users in it and click "Edit..."  22. From the drop-down list, select "This namespace and subnamespaces" 23. Under the Allow column check "Execute Methods", "Enable Account", and "Remote Enable"  24. Repeat steps 16-23 for the Performance Monitor Users group. 25. Click OK to close all windows. ------------------------------------------------------------------------------------------------------------------------------- If you are using Windows Server 2003 SP1 or later, you will have to run the following steps to access the Win32_Service class due to a known issue (http://support.microsoft.com/kb/907460): ------------------------------------------------------------------------------------------------------------------------------- 26. Open a command prompt (must be invoked in the "Run as administrator" mode). 27. Type the following command at the command prompt and then press Enter: Code:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) Code:
sc sdset <service_name> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) A useful blog post that has more information on modifying security descriptor strings specifically for services can be found here: http://msmvps.com/blogs/erikr/archiv...e-windows.aspx. This link explains the permission bits in more detail. If the computer is joined to an Active Directory domain, the permissions can also be modified via the Group Policy Editor. Please see http://technet.microsoft.com/en-us/l...52(WS.10).aspx for more information. You should now be able to perform WMI monitoring with the regular user account. References: http://msdn.microsoft.com/en-us/library/aa393266.aspx http://support.microsoft.com/kb/325353 http://support.microsoft.com/kb/907460 http://msmvps.com/blogs/erikr/archiv...e-windows.aspx http://technet.microsoft.com/en-us/l...52(WS.10).aspx Last edited by lauraj; 08-18-2010 at 11:04 PM. Reason: adding information 
|
| Bookmarks |
| Thread Tools | Search this Thread |
| Display Modes | |
|
|
Powered by vBulletin® Version 3.8.2
Threaded Mode