An admin user can configure a regular Windows user to access Windows Management Instrumentation (WMI) information by adding the regular user account to the Distributed COM Users and the Performance Monitor Users groups (using lusrmgr.msc), and then configuring the DCOM security settings to allow the groups to access the system remotely (using dcomcnfg).
Steps for Windows 2003 R2 SP2 Server & Windows 2008 R2 Datacenter:
- Click Start > Run..., type lusrmgr.msc and click OK.
- In the Users folder, right click the user to bring up the menu, and select Properties.
- Click on the Member Of tab, and click Add...
- Under "Enter the object names to select", add the Distributed COM Users group, click Check Names, and then click OK.
- Click Add...
- Repeat step 4 for the Performance Monitor Users group.
Next, configure the DCOM Security Settings to allow the groups to access the system remotely.
- Click Start > Run..., type dcomcnfg and click OK.
- Drill down into the Component Services tree until you get to My Computer. Right-click "My Computer" to bring up the menu, and click Properties.
- Click the COM Security tab, then click Edit Limits under the Launch and Activation Permissions section.
- Click Add...
- Under Enter the object names to select, type Distributed COM Users, click Check Names, then click OK.
- Click Add...
- Under Enter the object names to select, type Performance Monitor Users, click Check Names, then click OK.
- Check Allow for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and click OK.
Finally, set the WMI Control security settings to be applied to all namespaces.
- Click Start > Run..., type wmimgmt.msc and click OK.
- Right-click WMI Control (Local) to bring up the menu, and click Properties.
- Click over to the Security tab, then click Root, and click the Security button.
- Click Add...
- Under Enter the object names to select, type Distributed COM Users, click Check Names, then click OK.
- Click Advanced.
- Highlight the row with Distributed COM Users in it and click Edit...
- From the drop-down list, select "This namespace and sub namespaces"
- Under the Allow column check Execute Methods, Enable Account, and Remote Enable.
- Repeat steps 12-17 for the Performance Monitor Users group.
- Click OK to close all windows.
- NOTE: If you are using Windows Server 2003 SP1 or later, you will have to run the following steps to access the Win32_Service class due to a known issue (http://support.microsoft.com/kb/907460).
- Click Start > Run..., type cmd and click OK.
- Type the following command at the command prompt and then press Enter:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You can now perform WMI monitoring on this Windows host with a regular user account instead of an admin account.
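To see what the SCMANAGER security descriptor in the sc sdset command above grants to each trustee, the following added example (not part of the original article) decodes its DACL in Python. The function names and the `trusted` default are assumptions of this example, and the parser assumes rights are written as two-letter SDDL codes.

```python
import re

# SDDL string from the sc sdset SCMANAGER command on this page.
SCM_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

# SDDL right codes as they apply to the Service Control Manager object.
# KA (KEY_ALL_ACCESS, 0xF003F) has the same mask as SC_MANAGER_ALL_ACCESS.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "KA": "SC_MANAGER_ALL_ACCESS", "GA": "GENERIC_ALL",
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}
# Rights that let the holder change SCM state or its security descriptor.
CHANGE_RIGHTS = {"DC", "SW", "WP", "SD", "WD", "WO", "KA", "GA"}

def parse_dacl(sddl):
    """Return {trustee alias: [right codes]} for the allow ACEs of the DACL."""
    # Only the D: part is captured, so the audit ACEs after S: are not read.
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")
        if ace_type == "A":  # access-allowed ACEs only
            grants.setdefault(sid, []).extend(re.findall("..", rights))
    return grants

def describe(sddl):
    """Readable view: {trustee name: [SCM right names]}."""
    return {TRUSTEES.get(sid, sid): [SCM_RIGHTS.get(c, c) for c in codes]
            for sid, codes in parse_dacl(sddl).items()}

def change_rights_outside(sddl, trusted=("SY", "BA")):
    """Trustees other than `trusted` that hold any state-changing right."""
    found = {}
    for sid, codes in parse_dacl(sddl).items():
        hit = sorted(set(codes) & CHANGE_RIGHTS)
        if sid not in trusted and hit:
            found[sid] = hit
    return found

if __name__ == "__main__":
    for trustee, rights in describe(SCM_SDDL).items():
        print(f"{trustee}: {', '.join(rights)}")
    print("non-admin change rights:", change_rights_outside(SCM_SDDL) or "none")
```

Run against the page's string, it shows Authenticated Users receiving connect, enumerate, lock-status query and read-control on the Service Control Manager, with no state-changing rights outside Local System and Builtin Administrators.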
Alternatively, in simple words:
- Administrative Tools > Component Services > Computers > My Computer > Properties > COM Security
- Access Permissions > Edit Limits > add user + Local Access + Remote Access
- Launch and Activation Permissions > Edit Limits > add user + Local Access + Remote Access
- In wmimgmt.msc, on the Security tab, highlight Root/CIMV2, click Security > add user and enable the options: Execute Methods, Enable Account and Remote Enable.
The above permissions work for Windows 2012 as well.
Verify WMI connectivity:
Once the user is able to connect using the WMI test, the DB agent can connect and monitor the data.