# Configuring a non-admin user account for WMI

## 1. Steps for Windows 2003 R2 SP2 Server & above versions

You can configure a regular Windows user to access WMI information by adding the regular user account to the Distributed COM Users and the Performance Monitor Users groups using `lusrmgr.msc`, and then configuring the DCOM security settings to allow the groups to access the system remotely (using `dcomcnfg`).

**Note:** These configurations must be performed in the user profiles of the client devices that are to be monitored.

### Configuring Distributed COM Users in Local User and Groups Setting

![Non admin user account configuration for WMI: Distributed COM Users in Local user and Groups Setting](https://cdn.manageengine.com/network-monitoring/kb/images/non-admin-user-local-user-group-setting.JPG)

To begin with, we are adding the DCOM user group in our local user settings.

1. Click **Start → Run**, type **lusrmgr.msc** and click OK.
2. In the Users folder, right-click the user to bring up the menu, and select **Properties**.
3. Click over to the **Members of** tab, and click **Add**.
4. Under "Enter the object names to select", type **Distributed COM Users** (without quotes), click **Check Names**, then click **OK**.
5. Click **Add**.
6. Repeat steps 3–5 for the **Performance Monitor Users** and **Event Log Readers** groups.

### Configuring the DCOM Security Settings to allow the groups to access the system remotely

![Non admin user account configuration for WMI: Configuring the DCOM Security Settings to allow the groups to access the system remotely](https://cdn.manageengine.com/network-monitoring/kb/images/non-admin-user-dcom-security-setting.JPG)

Next, we're providing basic access permissions to the user groups (Distributed COM Users and Performance Monitor Users) to be able to gain control of the device remotely.

7. Click **Start → Run**, type **dcomcnfg** and click OK.
8. Drill down into the **Component Services tree** until you get to **My Computer**. Right-click **My Computer** to bring up the menu, and click **Properties**.
9. Click the **COM Security** tab, then click **Edit Limits** under the **Launch and Activation Permissions** section.
10. Click **Add**.
11. Under "Enter the object names to select", type **Distributed COM Users** (without quotes), click **Check Names**, then click **OK**.
12. Click **Add**.
13. Repeat steps 9–12 for the **Performance Monitor Users** group.
14. Check **Allow** for each of the permissions (**Local Launch, Remote Launch, Local Activation, Remote Activation**) for each of these groups, and click **OK**.

### Setting the WMI Control security settings to be applied to all namespaces

![Non admin user account configuration for WMI: Setting the WMI Control security settings to be applied to all namespaces](https://cdn.manageengine.com/network-monitoring/kb/images/non-admin-user-wmi-control-security-setting.JPG)

Finally, access is provided for all classes under all namespaces for both the user groups, in order to enable OpManager to fetch the data using [WMI monitor](https://www.manageengine.com/network-monitoring/wmi-monitoring.html).

15. Click **Start → Run**, type **wmimgmt.msc** and click OK.
16. Right-click **WMI Control (Local)** to bring up the menu, and click **Properties**.
17. Click over to the **Security** tab, then click **Root**, and click the **Security** button.
18. Click **Add**.
19. Under "Enter the object names to select", type **Distributed COM Users** (without quotes), click **Check Names**, then click **OK**.
20. Make sure the **Distributed COM Users** group is selected, and click **Advanced**.
21. Highlight the row with **Distributed COM Users** in it and click **Edit**.
22. From the **Applies to** drop-down list, select **This namespace and subnamespaces**.

![Non admin user account configuration for WMI: Permission entry for root](https://cdn.manageengine.com/network-monitoring/kb/images/non-admin-user-wmi-control-security-setting-2.JPG)

23. Under the **Allow** column, check **Execute Methods, Enable Account, and Remote Enable**, and then click **OK**.
24. Repeat steps 17–23 for the **Performance Monitor Users** group.
25. Click **OK** to close all windows.

## Set permissions to Service Control Manager Security for Windows Service Monitoring

If you wish to monitor whether Windows Service monitors are up/down, you need to grant permission to SCManager. Access to the Windows services is controlled by the Security Descriptor of the Service Control Manager, which by default is restricted on a hardened OS. The steps below grant user-level remote access to the Service Control Manager, to get the list of services on a server.

### Retrieve the user SID of the User Account

1. From the monitored device, open Command Prompt in Administrator mode.
2. Run the command below to retrieve the user SID. Replace `UserName` with the user name of the User account.

   ```bat
   wmic useraccount where name="UserName" get name,sid
   ```

   **Example:**

   ```bat
   wmic useraccount where name="administrator" get name,sid
   ```

3. Note down the SID. (Example: `S-1-0-10-200000-30000000000-4000000000-500`)

### Retrieve the current SDDL for the SC Manager

4. Run the command below, which saves the current SDDL for the SC Manager to `CurrentSDDL.txt`.

   ```bat
   sc sdshow scmanager > CurrentSDDL.txt
   ```

5. Edit `CurrentSDDL.txt` and copy the entire content.
6. The SDDL will look like the following:

   ```text
   D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
   ```

### Update the SDDL

7. Frame a new SDDL snippet for the above SID:

   ```text
   (A;;CCLCRPWPRC;;;<SID>)
   ```

   Example:

   ```text
   (A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
   ```

8. Now place this snippet before `S:` in the original SDDL.
9. The updated SDDL will look like this:

   ```text
   D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
   ```

10. Finally, execute the command below with the updated SDDL:

    ```bat
    sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    ```

This will grant the following permissions to the user:

- **CC** – To get service's current configuration
- **LC** – To get service's current status
- **RP** – To read properties/start the service
- **WP** – To write properties/stop the service
- **RC** – To read the security descriptor

You should now be able to perform WMI monitoring on this Windows host with a regular user account instead of an admin account.
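
The SID lookup and SDDL edit from steps 1–10 of the Service Control Manager section, scripted in PowerShell as an added example (not part of the original article or of OpManager). `UserName` is a placeholder, and `Add-ScmAce` and the `-Apply` switch are hypothetical names; the script assumes an elevated prompt on the monitored device.

```powershell
# Added example: scripts steps 1-10 above. Run from an elevated PowerShell prompt.
param(
    [string]$UserName = 'UserName',   # placeholder: the non-admin monitoring account
    [switch]$Apply                    # hypothetical switch: without it, only print the result
)

# Hypothetical helper: insert an allow ACE for $Sid before the SACL ("S:") section.
function Add-ScmAce {
    param([string]$Sddl, [string]$Sid, [string]$Rights = 'CCLCRPWPRC')
    $ace = "(A;;$Rights;;;$Sid)"
    if (-not $Sddl.Contains('D:')) { throw "Unexpected SDDL, no DACL section: $Sddl" }
    # Idempotent: a second run must not stack duplicate ACEs.
    if ($Sddl.Contains($ace)) { return $Sddl }
    $saclAt = $Sddl.IndexOf('S:', [System.StringComparison]::Ordinal)
    if ($saclAt -lt 0) { return $Sddl + $ace }   # no SACL present: append to the DACL
    return $Sddl.Insert($saclAt, $ace)
}

# Steps 1-3: resolve the account name to its SID (no wmic needed).
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Steps 4-6: read the current descriptor. Use sc.exe, because in Windows PowerShell
# "sc" is an alias for Set-Content.
$current = (((& sc.exe sdshow scmanager) | Where-Object { $_ }) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $current" }
Set-Content -Path .\CurrentSDDL.txt -Value $current   # keep a copy for rollback

# Steps 7-9: build the updated SDDL.
$updated = Add-ScmAce -Sddl $current -Sid $sid
"SID     : $sid"
"Current : $current"
"Updated : $updated"

# Step 10: write it back only when asked to, and only if something changed.
if ($Apply -and $updated -ne $current) {
    & sc.exe sdset scmanager $updated
    if ($LASTEXITCODE -ne 0) { throw 'sc.exe sdset failed; restore from CurrentSDDL.txt' }
}
```

Run it once without `-Apply` and compare the printed `Updated` string with `CurrentSDDL.txt` before writing the descriptor back.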