How to deploy WMI namespace security in domain, multiple servers?
- Hi,
I have a process that is doing remote monitoring via wmi. I am fully aware of the setting up the security and allowing dcom remotely.
My question is: is there any way to set WMI Namespace security across a domain or enterprise? I do not want to have to use a domain administrator user account for this monitoring; it goes against the least privilege principle.
The only official Microsoft way I can find is via wmimgmt.msc (see link http://support.microsoft.com/kb/295292).
It seems that this is very unfriendly to a large organization.
Answers
Hello,
Thank you for your post here.
Agree with Gunner999 that you may count on the WMIC to distribute the WMI security settings onto the domain computers. You may refer to the following links on the script coding.
Set WMI namespace security via GPO (script)
http://blogs.msdn.com/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx
Scripting WMI Namespace Security (part 1 of 3)
http://blogs.msdn.com/wmi/archive/2009/07/20/scripting-wmi-namespace-security-part-1-of-3.aspx
Scripting WMI Namespace Security (part 2 of 3)
http://blogs.msdn.com/wmi/archive/2009/07/24/scripting-wmi-namespace-security-part-2-of-3.aspx
Scripting WMI Namespace Security (part 3 of 3)
http://blogs.msdn.com/wmi/archive/2009/07/24/scripting-wmi-namespace-security-part-3-of-3.aspx
If you have any questions or concerns, please do not hesitate to let me know.
- Marked As Answer by Miles LiMSFT, Moderator, Monday, November 16, 2009 8:03 AM
All Replies
- Per http://msdn.microsoft.com/en-us/library/aa393613(VS.85).aspx
You can also use Windows Management Instrumentation Command-Line (WMIC) to set namespace security. For more information, see wmic.
You can probably write a batch file to do this to all the computers using the WMIC.
Setting Namespace Security Descriptors
http://msdn.microsoft.com/en-us/library/aa393611(VS.85).aspx
- Do you have an example of using wmic to set the security?
The msdn pages are very light on this topic.
I have been all over those links multiple times in the past three days.
- Still waiting on a response. I am still trying to figure out a way to set the wmi security across an enterprise, multiple servers. I have found no working examples of scripts for this type of thing.
Is this something that Microsoft has dropped the ball on? Certainly there must be some way that MS has for managing these settings in a corporate environment?
Is there a better board for this type of question?
Thanks
- If you are fine with PowerShell, I just blogged this:
http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/
Karl
- Proposed As Answer by Karl Mitschke, Monday, November 23, 2009 7:57 PM
- This is exactly what I was looking for. Works perfectly as is. I have modified it to process multiple namespaces in another loop since root\rsop does not inherit from root. I’ll also probably put some error handling and verbose logging but this is the perfect start.
MS should add this to their admin scripts, I can’t believe this isn’t a much larger problem that you solved here.
Thanks
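
As an added example (not part of the thread, and not the script from the linked blog post), the grant discussed here can be scripted with the `__SystemSecurity` methods `GetSecurityDescriptor` and `SetSecurityDescriptor`. It assumes Windows PowerShell, administrative rights on each target, and placeholder server and account names; it loops over namespaces because, as noted in the thread, root\rsop does not inherit from root.

```powershell
# Added example. Server names and the account are placeholders (assumptions).
# Uses Get-WmiObject-era cmdlets, so run it in Windows PowerShell as an admin of each target.
$Computers  = 'SERVER01', 'SERVER02'         # placeholder targets
$Account    = 'EXAMPLE\svc-monitor'          # placeholder non-admin monitoring account
$Namespaces = 'root\cimv2', 'root\rsop'      # root\rsop listed separately, per the thread

$WBEM_ENABLE        = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x2    # ACE also applies to sub-namespaces
$mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Resolve the account to a SID string once, on the machine running the script.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

foreach ($computer in $Computers) {
    foreach ($ns in $Namespaces) {
        try {
            $target = @{ ComputerName = $computer; Namespace = $ns
                         Path = '__SystemSecurity=@'; ErrorAction = 'Stop' }
            $result = Invoke-WmiMethod @target -Name GetSecurityDescriptor
            if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($result.ReturnValue)" }
            $sd = $result.Descriptor

            # Idempotent: skip when an allow ACE for this SID already carries both rights.
            $existing = $sd.DACL | Where-Object {
                $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 -and
                (($_.AccessMask -band $mask) -eq $mask)
            }
            if ($existing) { Write-Output "$computer $ns : already granted"; continue }

            $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
            $trustee.SIDString = $sid
            $ace = ([wmiclass]'Win32_ACE').CreateInstance()
            $ace.AccessMask = $mask
            $ace.AceFlags   = $CONTAINER_INHERIT
            $ace.AceType    = 0          # access allowed
            $ace.Trustee    = $trustee
            $sd.DACL += $ace.psobject.ImmediateBaseObject

            $set = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
            if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }
            Write-Output "$computer $ns : granted Enable Account + Remote Enable"
        } catch {
            Write-Warning "$computer $ns : $_"
        }
    }
}
```

This grants only the two rights a read-only remote monitor needs; the DCOM remote access settings mentioned in the question are configured separately.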

