Tag Archive: WMI


Which permissions rights does a user need to have WMI access on remote Machines:

http://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines

The following works on Windows 2003 R2 SP 2 and Windows Server 2012 R2:

1. Add the user(s) in question to the Performance Monitor Users group.

2. Under Services and Applications, bring up the properties dialog of WMI Control (or run wmimgmt.msc). In the Security tab, highlight Root/CIMV2, click Security; add Performance Monitor Users and enable the options Enable Account and Remote Enable.

3. Run dcomcnfg. At Component Services > Computers > My Computer, in the COM security tab of the Properties dialog click “Edit Limits” for both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow remote access, remote launch, and remote activation.

4. Select Windows Management Instrumentation under Component Services > Computers > My Computer > DCOM Config and give Remote Launch and Remote Activation privileges to the Performance Monitor Users group.

Notes:

As an alternative to steps 3 and 4, one can assign the user to the Distributed COM Users group (tested on Windows Server 2012 R2).
If the user needs access to all the namespaces, you can apply the settings from step 2 at the Root level and propagate the permissions to the sub-namespaces via the Advanced window in Security.

 

Another method uses dcomperm and wmisecurity with a dedicated group called myDomain\wmiquery-users:

dcomperm -ma set myDomain\wmiquery-users permit level:l,r

dcomperm -ml set myDomain\wmiquery-users permit level:ll,la,rl,ra

dcomperm -dl remove myDomain\wmiquery-users permit level:ll,la,rl,ra

WmiSecurity /C=$Env:COMPUTERNAME /A /N=Root /M="myDomain\wmiquery-users:REMOTEACCESS_EXECMETHODS" /R

 


WMI is Microsoft's implementation of the CIM and WBEM standards.

For Unix world, cf. CIM (common information model) and WBEM specifications: http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management

 

The objective is to allow WMI queries on a computer for a non-admin user or group.

The group to allow is mydomain\wmiquery-users.

The scripts require dcomperm.exe and wmisecurity.exe.

Authorize WMI users and set permissions on Win7, Win2008 R2: http://technet.microsoft.com/en-us/library/cc771551.aspx

Example of PS code: http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Download wmisecurity.exe from the CodeProject site: http://www.codeproject.com/KB/system/WmiSecurity.aspx

Download the dcomperm.exe from: http://cid-62b84429c3a8a991.skydrive.live.com/self.aspx/SharePoint/DComPerm.zip

1st step: Set up DCOM permissions:

@echo off
CLS
rem Create the log directory if it is missing so the redirections below do not fail
if not exist .\logs mkdir .\logs
echo.
echo Windows computers - Set up DCOM Permissions - Oct 2011
echo __________________________________________________________________________________
echo.
rem Start a fresh log file for this computer
echo ==========================================================================>.\logs\Set-DCOM-Permissions_%computername%.txt
rem Show the three permission lists on the console before any change
echo Show current DCOM permissions - current values on %computername% BEFORE...
echo List machine access permission list...
dcomperm -ma list
echo List machine launch permission list...
dcomperm -ml list
echo List machine default permission list...
dcomperm -dl list
echo.
rem Record the same three lists in the log file
echo Show current DCOM permissions - current values on %computername% BEFORE...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
pause
echo.
echo ------------------------------------------------------------------------
rem Apply the new permissions for the dedicated group
echo Set new DCOM permissions - new values on %computername%...
echo Set machine access permission list...
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r
echo Set machine launch permission list...
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
echo Set machine default permission list...
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
echo.
rem Run the same commands again with their output appended to the log file
echo Set new DCOM permissions - new values on %computername%...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
echo ------------------------------------------------------------------------
rem Show the three permission lists on the console after the change
echo Show current DCOM permissions - current values on %computername% AFTER...
echo List machine access permission list...
dcomperm -ma list
echo List machine launch permission list...
dcomperm -ml list
echo List machine default permission list...
dcomperm -dl list
echo.
rem Record the resulting lists in the log file
echo Show current DCOM permissions - current values on %computername% AFTER...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
goto end
:end
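
The machine-wide limits changed by "Edit Limits" in dcomcnfg (step 3 of the manual procedure) and by dcomperm -ma / -ml in the script above are stored as binary security descriptors in the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Microsoft\Ole. The following is an added example, not part of the original post or of dcomperm, that decodes them to show who holds remote rights after the change; the function name Get-DcomLimitAce is hypothetical.

```powershell
# Added example (not from the original post).
# Reads the machine-wide DCOM limits from the registry and decodes each ACE.
$ComRights = [ordered]@{          # COM_RIGHTS_* access-mask bits
    Execute        = 0x01
    ExecuteLocal   = 0x02         # local access / local launch
    ExecuteRemote  = 0x04         # remote access / remote launch
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

function Get-DcomLimitAce {       # hypothetical helper name
    param(
        [ValidateSet('MachineAccessRestriction', 'MachineLaunchRestriction')]
        [string]$ValueName
    )
    # Each value is a binary self-relative security descriptor.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $bytes = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop).$ValueName
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }                  # unresolved SID: keep it raw
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Limit   = $ValueName
            Trustee = $who
            Type    = $ace.AceType                   # AccessAllowed or AccessDenied
            Rights  = ($ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }) -join ','
        }
    }
}

# Every trustee that holds a remote right in either limit; the group added by
# the script should appear here, and unexpected entries deserve a second look.
'MachineAccessRestriction', 'MachineLaunchRestriction' |
    ForEach-Object { Get-DcomLimitAce -ValueName $_ } |
    Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'Remote' } |
    Format-Table -AutoSize
```

Limits enforced through Group Policy are stored separately and are not read by this check.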

2nd step: Set up WMI Security:

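@echo off
CLS
rem Create the log directory if it is missing so the redirections below do not fail
if not exist .\logs mkdir .\logs
echo.
echo Windows computers - Set up WMI Security - Oct 2011
echo _________________________________________________________________________
echo.
rem Start a fresh log file for this computer
echo ------------------------------------------------------------------------->.\logs\Set-WMISecurity_%computername%.txt
echo Set up WMI Security on %computername%...>>.\logs\Set-WMISecurity_%computername%.txt
rem Run once with console output, then again with the output appended to the log
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R >>.\logs\Set-WMISecurity_%computername%.txt

goto end
:end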
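
To confirm what the WMI Control Security tab (step 2 of the manual procedure) or the WmiSecurity script above actually left on a namespace, the namespace security descriptor can be read back and decoded. This is an added example, not part of the original post or of WmiSecurity.exe; it assumes Windows PowerShell (Invoke-WmiMethod) on Windows Vista / Server 2008 or later, an elevated prompt, and the hypothetical function name Get-WmiNamespaceAce.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# WMI namespace access-mask bits as shown in the WMI Control Security dialog.
$WmiRights = [ordered]@{
    EnableAccount  = 0x00001      # WBEM_ENABLE
    ExecuteMethods = 0x00002      # WBEM_METHOD_EXECUTE
    FullWrite      = 0x00004      # WBEM_FULL_WRITE_REP
    PartialWrite   = 0x00008      # WBEM_PARTIAL_WRITE_REP
    ProviderWrite  = 0x00010      # WBEM_WRITE_PROVIDER
    RemoteEnable   = 0x00020      # WBEM_REMOTE_ACCESS
    ReadSecurity   = 0x20000      # READ_CONTROL
    EditSecurity   = 0x40000      # WRITE_DAC
}

function Get-WmiNamespaceAce {    # hypothetical helper name
    param(
        [string]$Namespace    = 'root/cimv2',
        [string]$ComputerName = '.'
    )
    # __SystemSecurity is the singleton that exposes the namespace descriptor.
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
            -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($r.ReturnValue)"
    }
    foreach ($ace in $r.Descriptor.DACL) {
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Allow     = ($ace.AceType -eq 0)              # 0 = allow, 1 = deny
            Inherited = [bool]($ace.AceFlags -band 0x10)  # INHERITED_ACE: came from a parent namespace
            Rights    = ($WmiRights.Keys | Where-Object { $mask -band $WmiRights[$_] }) -join ','
        }
    }
}

# Who can reach these namespaces remotely? The dedicated group should be listed
# with only the rights that were intended, on Root and on root/cimv2.
'root', 'root/cimv2' |
    ForEach-Object { Get-WmiNamespaceAce -Namespace $_ } |
    Where-Object { $_.Allow -and $_.Rights -match 'RemoteEnable' } |
    Format-Table -AutoSize
```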

http://www.powershellpro.com/powershell-tutorial-introduction/powershell-scripting-with-wmi/