Support


This community forum is for users and developers of Hyperview products and services. Here you will find FAQs, support topics, product updates, and released features.


How do I configure WMI users for discovery?

Jamie Conner

I need to create or manage WMI users for Hyperview to successfully discover all protocol information about my machines. What is the minimum level of access that can be set up for WMI?

1 Answer
Jamie Conner
Best Answer

Configuring a read-only local user for WMI on a single machine:

1. Open Computer Management (compmgmt.msc) and navigate to System Tools > Local Users and Groups > Users. Add a new User. Set the password and check the box for 'Password never expires' if needed.

2. Right-click the new user and open Properties. Open the 'Member Of' tab and add the user to the 'Distributed COM Users' and 'Performance Monitor Users' groups.

3. Add the new user to Computer Management > Services and Applications > WMI Control > Properties > Security Tab > CIMV2 > Security. Check the boxes for 'Enable Account' and 'Remote Enable'.



Configuring a read-only domain user for WMI on a domain controller:

IMPORTANT!

A Windows Domain Controller GPO cannot define root/CIMV2 namespace privileges for domain users.

This setup requires a PowerShell script defined in the GPO. This script is available through Hyperview Helpdesk.


1. Open Active Directory Users and Computers from Server Manager and navigate to 'DomainName' > Users. Right-click Users > New > User and add a new user meant for WMI read-only access. This is the user that will be entered into Hyperview when configuring discoveries.

2. Right-click the new user and open Properties. Open the 'Member Of' tab and add the user to the 'Distributed COM Users' and 'Performance Monitor Users' groups.


3. Open the Group Policy Management applet. Expand Forest > Domains. Right-click on the domain and click "Create a GPO in this domain, and link it here…"


4. Select the new GPO. In the Security Filtering section of the Scope tab, add the new user.



5. Select the new GPO. Open the Delegation tab and add the new user.



6. Right-click the new GPO and select Edit to open the Group Policy Management Editor. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Right-click Inbound Rules and select New Rule… In the New Inbound Rule Wizard select Predefined. Choose Windows Management Instrumentation (WMI) from the drop-down list and click Next. Check all three WMI inbound rules, then click Next. Select Allow the Connection and click Finish.



7. Download the Set-WMINameSpaceSecurity.ps1 script attached to this document, or contact Hyperview support for the file. Move it to the Domain Controller in the following file location.

'\\{yourForest}\SysVol\{yourDomain}\Policies\{yourPolicyID}\Machine\Scripts\Startup'


8. In the Group Policy Management Editor for the new GPO, navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). Double-click Startup to open the properties. Select the PowerShell Scripts tab. Click Add and locate the Set-WMINameSpaceSecurity.ps1 script. Enter your new 'DOMAIN\USERNAME' in the Script Parameters field.



9. If you have security-enhanced inherited GPOs, then the DCOM security may need to be reconfigured. In the Group Policy Management Editor for the new GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the two policies "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax". Edit the Template Security Policy Setting for both. Check the box for "Define this policy setting", then add the new WMI user to their security descriptors. Ensure all security permission options are enabled.



10. Depending on your domain configuration, the new GPO will be rolled out on a schedule, upon restart, or upon running "gpupdate /force" from CMD on domain machines.
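The single-machine procedure in the answer above, automated end to end, as an added example. This is my own script, not the Set-WMINameSpaceSecurity.ps1 that the answer says is available from Hyperview support, and Hyperview has not published the contents of that file. It assumes it is run in an elevated PowerShell on the target machine; the account name 'wmi-reader' is a placeholder, and the password is prompted rather than hard-coded. The namespace rights it grants are exactly the two boxes the answer ticks, 'Enable Account' (0x1) and 'Remote Enable' (0x20), taken from the WBEM access-mask constants in wbemcli.h. The final function is meant to be run from the discovery host afterwards: it confirms a read works over DCOM and that a method call is refused, which is the property a "read-only" WMI account should actually have.

```powershell
# Added example: read-only local WMI account (user, groups, root\cimv2 DACL) plus a check.
# Not Hyperview's script. Run elevated on the machine being discovered.
param(
    [string]$UserName  = 'wmi-reader',   # placeholder account name for this example
    [string]$Namespace = 'root\cimv2'
)
$ErrorActionPreference = 'Stop'

# Step 1: local user. 'Password never expires' mirrors the checkbox in the answer.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $UserName"
    New-LocalUser -Name $UserName -Password $password -PasswordNeverExpires `
        -Description 'Read-only WMI discovery account' | Out-Null
}

# Step 2: only the two groups the answer names. No Administrators, no Remote Management Users.
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
    $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }
    if (-not $already) { Add-LocalGroupMember -Group $group -Member $UserName }
}

# Step 3: namespace DACL. Bits from wbemcli.h; Method Execute (0x2) and the write
# bits are deliberately left out so the account can read but not act.
$WBEM_ENABLE             = 0x1    # 'Enable Account'
$WBEM_REMOTE_ACCESS      = 0x20   # 'Remote Enable'
$CONTAINER_INHERIT_ACE   = 0x2    # apply to child namespaces as well
$ACCESS_ALLOWED_ACE_TYPE = 0x0

$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $UserName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$wmiParams = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$acl = (Invoke-WmiMethod @wmiParams -Name GetSecurityDescriptor).Descriptor

# Remove any earlier ACE for this SID so re-running the script does not stack entries.
$kept = @()
foreach ($entry in $acl.DACL) {
    if ($entry.Trustee.SidString -ne $sid) { $kept += $entry.psobject.ImmediateBaseObject }
}
$acl.DACL = $kept.psobject.ImmediateBaseObject

$trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
$trustee.SidString = $sid
$ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee
$acl.DACL += $ace.psobject.ImmediateBaseObject

$setParams = $wmiParams + @{ Name = 'SetSecurityDescriptor'; ArgumentList = $acl.psobject.ImmediateBaseObject }
$result = Invoke-WmiMethod @setParams
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($result.ReturnValue)" }
Write-Host "Granted Enable Account + Remote Enable on $Namespace to $env:COMPUTERNAME\$UserName"

# Step 4: run from the discovery host. DCOM is forced because that is the path the
# 'Distributed COM Users' membership and the WMI firewall rules are for; the default
# WSMan transport would test something else.
function Test-WmiReadOnly {
    param([string]$ComputerName, [pscredential]$Credential)
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
    try {
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        Write-Host "Read OK: $($os.Caption) on $ComputerName"
        # Method Execute was not granted, so a process-creation call must be refused.
        try {
            Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
                -Arguments @{ CommandLine = 'cmd.exe /c exit' } | Out-Null
            Write-Warning 'Win32_Process.Create succeeded: this account is NOT read-only'
        } catch {
            Write-Host 'Method execution refused, as intended'
        }
    } finally {
        Remove-CimSession $session
    }
}
# Usage from the Hyperview host:
# Test-WmiReadOnly -ComputerName target01 -Credential (Get-Credential 'target01\wmi-reader')
```

For the domain variant the answer describes, the Step 3 block is the part a GPO startup script would have to perform on each machine, with the domain SID resolved from the 'DOMAIN\USERNAME' script parameter instead of a local account; the user and group steps move to Active Directory as in the answer. Whether that matches Hyperview's own Set-WMINameSpaceSecurity.ps1 is not something this page confirms.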
