Configuring a non-admin user account for WMI
Home »

Configuring a non-admin user account for WMI

1. Steps for Windows 2003 R2 SP2 Server & above versions

You can configure a regular Windows user to access WMI information by adding the regular user account to the Distributed COM Users and the Performance Monitor Users group using lusrmgr.msc, and then configuring the DCOM security settings to allow the groups to access the system remotely (using dcomcnfg).

Note: These configurations are required to be performed in the User profiles of the client devices that are to be monitored.

Configuring Distributed COM Users in Local user and Groups Setting:

 

  1. Click Start → Run, type lusrmgr.msc and click OK.
  2. In the Users folder, right-click the user to bring up the menu, and select Properties.
  3. Click over to the Members of tab, and click Add.
  4. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
  5. Click Add.
  6. Repeat steps 3-5 for the Performance Monitor Users group.

Configuring the DCOM Security Settings to allow the groups to access the system remotely:

 

  1. Click Start → Run, type dcomcnfg and click OK.
  2. Drill down into the Component Services tree until you get to My Computer. Right-click 'My Computer' to bring up the menu, and click Properties.
  3. Click the COM Security tab, then click Edit Limits under the Launch and Activation Permissions section.
  4. Click Add.
  5. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
  6. Click Add.
  7. Repeat steps 9-12 for the Performance Monitor Users group.
  8. Check Allow for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.

Setting the WMI Control security settings to be applied to all namespaces:

 

  1. Click Start → Run, type wmimgmt.msc and click OK.
  2. Right-click WMI Control (Local) to bring up the menu, and click Properties.
  3. Click over to the Security tab, then click Root, and click the Security button.
  4. Click Add.
  5. Under 'Enter the object names to select', type 'Distributed COM Users' (without quotes), click Check Names, then click OK.
  6. Make sure the Distributed COM Users group is selected, and click Advanced.
  7. Highlight the row with Distributed COM Users in it and click Edit.
  8. From the 'Applies to' drop-down list, select 'This namespace and subnamespaces'.

    9.  

  9. Under the 'Allow' column, check Execute Methods, Enable Account and Remote Enable, and then click OK.
  10. Repeat steps 17-23 for the Performance Monitor Users group.
  11. Click OK to close all windows.

2. Steps to configure Windows Server 2003 SP1

If you are using Windows Server 2003 SP1, you will have to run the following steps to access the Win32_Service class due to a known issue in Microsoft:

  1. Click Start → Run, type cmd and click OK.
  2. Type the following command at the Command Prompt and then press Enter:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

You should now be able to perform WMI monitoring on this Windows host with a regular user account instead of an admin account.

 

Video Zone
OpManager Customer Videos
Altaleb Alshenqiti - Ministry of National Guard - Health Affairs
  
  •  IT Admin from "Royal flying doctor service", Australia
     Jonathan ManageEngine Customer
  •  Michael - Network & Tech, ManageEngine Customer
     Altaleb Alshenqiti - Ministry of National Guard - Health Affairs
  •  David Tremont, Associate Directory of Infrastructure,USA
     Todd Haverstock Administrative Director
  •  Donald Stewart, IT Manager from Crest Industries
     John Rosser, MIS Manager - Yale Chase Equipment & Services
Related Products
 Pricing  Get Quote