WMI User rights

Solved · 1.46K views · 26th June 2022 · Microsoft Platform, Windows, WMI
3
André Kaiser [DevOps Advocate] 532 · 7th December 2021 · 0 Comments

Hello,

For using WMI for Windows monitoring (Microsoft Platform protocol), typically a user account with Admin rights is required to allow login and polling of data. In case the usage of an admin account is not allowed due to company security guidelines, a custom user account would need to be created with customized access rights to the WMI data paths and the polled components. Most customization can be achieved via policy settings for the user account, but when polling the Windows service list needs to be done, we are struggling to find the right approach. There seems to be no policy available to enable this.

There are a lot of discussions available online regarding WMI user configuration without admin rights.

Is there a best practice available for the configuration of the correct rights to poll the service list or some good hints by the DM community?

André Kaiser [DevOps Advocate] Selected answer as best 26th June 2022

1 Answer

3
Gellynck Jens [SLC] 2.71K · Posted 8th December 2021 · 8 Comments

Hi André,

We recommend executing the following steps for the custom user:

WMI configuration

  1. To go to WMI Control Properties, go to Start > Run and enter wmimgmt.msc.
  2. Right-click WMI Control (Local) and select Properties.
  3. On the Security tab page, go to \\Root\CIMV2 and click the Security button.
  4. Add your custom user to the list and give the user all rights.
  5. Apply all.

Also see this guide.

DCOM configuration

  1. Go to Start > Run and enter dcomcnfg.
  2. Select My Computer and click the Properties button.
  3. Go to the tab COM Security.
  4. Under Launch and Activation Permissions, choose Edit Limits.
  5. Add your custom user and give the user the Local Launch, Remote Launch and Remote Activation permissions.
  6. Apply all.
  7. Restart the WMI services.

Note: when you’re monitoring Microsoft Servers remotely you’ll have to enable a firewall rule with the following command:

netsh firewall set service RemoteAdmin enable

André Kaiser [DevOps Advocate] commented 8th December 2021

Many thanks for your feedback.

I tried that on a test server (Win Server 2019). I noted that the mentioned firewall command is deprecated and replaced. The new command can be found here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
As this didn’t work I used the method via gpedit instead, as explained here:
https://www.manageengine.com/products/desktop-central/enabling-remote-desktop-how-to.html

I was able to log in with this test user, but it didn’t poll a lot of WMI data and I found an error when polling group 95 of the Microsoft Platform element:
“Query failed : Retrieving the data failed. (hr = 0x80041003), [WQL: SELECT DisplayName,State,Status,StartMode,Description FROM Win32_Service WHERE Name = ”]”

We were already a bit further with our domain user with customized policies. With this user everything works, except polling the service list. Here we get the same error as above.

Alberto De Luca commented 9th December 2021

This is an interesting post – when the policies are defined for this WMI user, is it viable to apply these for a domain user? Thinking about admins who deal with multiple clusters where the underlying OS can also be different (2016, 2019, … 2022…)

André Kaiser [DevOps Advocate] commented 9th December 2021

Our current customer confirmed that they have deployed the settings mentioned by Jens in their policy for their domain user groups (Active Directory). They created a custom script for this and had to add various additional configurations:

– add WMI user to local group “Performance Monitor Users” to allow access to Performance Counters
– add WMI user to local group “Event Log Readers” to allow access to Event Messages Table
– add Windows right “Debug Programs” via GPO: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

The only method to allow access to the Windows services would be via GPO: Computer configuration/Policies/Windows Settings/Security Settings/System Services. This however would need to be done on a per-service basis, which turns out to be an incredible effort as this differs for various server groups.

I learned that most customers use Admin accounts for WMI login, but est. 20% create dedicated users with limited rights. Would it be possible to figure out what exactly they configured for this user? I believe this would be the easiest way to get a satisfying answer.

Gellynck Jens [SLC] commented 9th December 2021

I found I was able to query the services after running the following command on the server you’re polling:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Gellynck Jens [SLC] commented 9th December 2021

@Alberto it should indeed be possible to use a domain user with GPOs to automatically deploy this on your network. Do note that this user will have a lot of access on your network then, it might be safer to use dedicated accounts instead.
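
As an added example (not part of the original thread and not Skyline's code): Python that decodes the DACL of the `sc sdset SCMANAGER` descriptor quoted above, showing that its first ACE gives connect and enumerate rights on the Service Control Manager to every authenticated user, and that builds a narrower alternative by appending the same rights for a single account SID to an existing descriptor. The function names are hypothetical, and the SID and baseline descriptor are constructed sample values.

```python
import re

# SDDL right codes as the Service Control Manager interprets them (winsvc.h).
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL",
    "KA": "SC_MANAGER_ALL_ACCESS",  # KEY_ALL_ACCESS has the same value, 0xF003F
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

# The descriptor from the `sc sdset SCMANAGER` command quoted in the thread.
PAGE_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
             "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# Constructed sample values for the demo (not taken from a real host).
SAMPLE_CURRENT = "D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

def decode_dacl(sddl):
    """Return (ace_type, trustee, [rights]) for each ACE in the DACL part."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    decoded = []
    for ace_type, rights, trustee in ACE_RE.findall(dacl):
        kind = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
        # Rights are two-letter codes; a hex mask (0x...) is passed through.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        decoded.append((kind, TRUSTEES.get(trustee, trustee),
                        [SCM_RIGHTS.get(c, c) for c in codes]))
    return decoded

def add_scoped_ace(current_sddl, sid, rights="CCLCRPRC"):
    """Append one allow ACE for `sid` to the DACL, keeping all existing ACEs
    and the SACL. `current_sddl` is what `sc sdshow scmanager` printed."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("expected a SID string such as S-1-5-21-...")
    head, sep, sacl = current_sddl.partition("S:")
    return f"{head}(A;;{rights};;;{sid}){sep}{sacl}"

if __name__ == "__main__":
    for ace in decode_dacl(PAGE_SDDL):
        print(ace)
    print(add_scoped_ace(SAMPLE_CURRENT, SAMPLE_SID))
```

The string returned by `add_scoped_ace` is what would be passed to `sc sdset scmanager`; keep the `sc sdshow scmanager` output from before the change so it can be reverted.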
