Hello,
for using WMI for Windows monitoring (Microsoft Platform protocol) typically a user account with Admin rights is required to allow login and polling of data. In case the usage of an admin account is not allowed due to company security guidelines, a custom user account would need to be created with customized access rights to the WMI data paths and the polled components. Most customization can be achieved via policy settings for the user account, but when polling the Windows service list needs to be done we are struggling to find the right approach. There seems to be no policy available to enable this.
There are a lot of discussions available online regarding WMI user configuration without admin rights.
Is there a best practice available for the configuration of the correct rights to poll the service list or some good hints by the DM community?
Hi André,
We recommend executing the following steps for the custom user:
WMI configuration
- To go to WMI Control Properties, go to Start > Run and enter wmimgmt.msc.
- Right-click WMI Control (Local) and select Properties.
- On the Security tab page, go to \\Root\CIMV2 and click the Security button.
- Add your custom user to the list and give the user all rights.
- Apply all.
Also see this guide.
DCOM configuration
- Go to Start > Run and enter dcomcnfg.
- Select My Computer and click the Properties button.
- Go to the tab COM Security.
- Under Launch and Activation Permissions, choose Edit Limits.
- Add your custom user and give the user the Local Launch, Remote Launch and Remote Activation permissions.
- Apply all.
- Restart the WMI services.
Note: when you're monitoring Microsoft Servers remotely you'll have to enable a firewall rule with the following command:
netsh firewall set service RemoteAdmin enable
This is an interesting post – when the policies are defined for this WMI user, is it viable to apply these for a domain user? Thinking about admins who deal with multiple clusters where the underlying OS can also be different (2016, 2019, … 2022…)
Our current customer confirmed that they have deployed the settings mentioned by Jens in their policy for their domain user groups (Active Directory). They created a custom script for this and had to add various additional configurations:
- add WMI user to local group "Performance Monitor Users" to allow access to Performance Counters
- add WMI user to local group "Event Log Readers" to allow access to Event Messages Table
- add Windows right "Debug Programs" via GPO: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
The only method to allow access to the Windows services would be via GPO: Computer Configuration/Policies/Windows Settings/Security Settings/System Services. This however would need to be done on a per-service basis, which turns out to be an incredible effort as this differs for various server groups.
I learned that most customers use Admin accounts for WMI login, but est. 20% create dedicated users with limited rights. Would it be possible to figure out what exactly they configured for this user? I believe this would be the easiest way to get a satisfying answer.
I found I was able to query the services after running the following command on the server you’re polling:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
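The "sc sdset" line above rewrites the whole Service Control Manager descriptor and gives every Authenticated User the enumerate right; the script below is an added example (not from this thread or from DataMiner) that instead appends a read/enumerate ACE for one monitoring account only, which is the minimum Win32_Service queries need. The account name is an assumption; run it elevated on the polled server, first without -Apply to review the resulting SDDL.

```powershell
# Added example: grant one account read/enumerate rights on the SCM instead of
# widening the Authenticated Users ACE. Account name below is an assumption.
param(
    [string]$Account = 'CONTOSO\svc-wmi-monitor',   # assumption: your monitoring account
    [switch]$Apply                                 # without -Apply only prints the new SDDL
)

# SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | READ_CONTROL
# i.e. the CC LC RP RC rights seen in the thread's SDDL; enough for SELECT ... FROM Win32_Service.
$ReadRights = 0x0001 -bor 0x0004 -bor 0x0010 -bor 0x00020000

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# sc.exe sdshow prints a blank line followed by the SDDL; keep the line starting with D:
$current = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }) -join ''
if (-not $current) { throw 'Could not read the SCM security descriptor (run elevated).' }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

# Idempotent: do nothing if an allow ACE for this SID already carries every needed right.
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
    $_.SecurityIdentifier -eq $sid -and (($_.AccessMask -band $ReadRights) -eq $ReadRights)
}
if ($existing) { Write-Host "$Account already has SCM read/enumerate rights."; return }

# Append a plain allow ACE; existing ACEs (SY, BA, AU, ...) are kept unchanged.
$ace = New-Object System.Security.AccessControl.CommonAce(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $ReadRights, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "New SCM SDDL:`n$newSddl"

if ($Apply) {
    & sc.exe sdset scmanager $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    # Verify from the monitoring host as the monitoring account, e.g.:
    #   Get-CimInstance -ClassName Win32_Service -ComputerName <server> -Credential (Get-Credential)
}
```

The WMI namespace (root\CIMV2) and DCOM permissions from the earlier steps are still required; this script only covers the SCM part that the thread's sc sdset command addresses.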
@Alberto it should indeed be possible to use a domain user with GPOs to automatically deploy this on your network. Do note that this user will have a lot of access on your network then; it might be safer to use dedicated accounts instead.
Many thanks for your feedback.
I tried that on a test server (Win Server 2019). I noted that the mentioned firewall command is deprecated and replaced. The new command can be found here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
As this didn’t work I used the method via gpedit instead, as explained here:
https://www.manageengine.com/products/desktop-central/enabling-remote-desktop-how-to.html
I was able to login with this test user, but it didn’t poll a lot of WMI data and I found an error when polling group 95 of the Microsoft Platform element:
“Query failed : Retrieving the data failed. (hr = 0x80041003), [WQL: SELECT DisplayName,State,Status,StartMode,Description FROM Win32_Service WHERE Name = ”]”
We were already a bit further with our domain user with customized policies. With this user everything works, except polling the service list. Here we get the same error as above.