Remote WMI query scripts without administrator permissions

  • Question

  • Hi,

    is it possible to run remote WMI query scripts with a domain account without administrator permissions on local computers/servers?

    If yes, which permission should this account have on any remote system? 

    Best regards

    Birdal

    Wednesday, November 21, 2018 11:18 AM

All replies

  • Run locally, many classes are available to normal users.  You have to try each one to see.


    \_(ツ)_/

    Wednesday, November 21, 2018 11:26 AM
  • Performance Monitor Users: this group on local machines should provide you the access you need.
    Wednesday, November 21, 2018 5:23 PM
  • Performance Monitor Users: this group on local machines should provide you the access you need.

    Won't work remotely which is the issue here.


    \_(ツ)_/

    Wednesday, November 21, 2018 5:34 PM
  • Well, if this is an ongoing task, you could add a domain service account to the group using Group Policy; this way it is always available. For example, we have scripts that run in scheduled tasks to report data like WMI. This is a good practice in my opinion, instead of people always using local admin rights or Domain Admin rights.
    Wednesday, November 21, 2018 7:31 PM
  • This is a topic I'm also trying to figure out but didn't reach an answer that covers everything, but here's what I got so far.

    In general:

    1- The account has to be a member of the "Distributed COM Users" group of the target server.

    2- The account has to have "Enable Account" and "Remote Enable" permissions on the desired WMI namespace (let's say root\cimv2 for now). You can reach the security setting in Computer Management -> Services and Applications -> WMI Control -> Security

    Up to this point you should be able to query basic classes like Win32_ComputerSystem, Win32_OperatingSystem, Win32_LogicalDisk, etc...

    Some WMI classes require more permissions to query:

    To query performance classes like Win32_PerfFormattedData_PerfOS_Memory: The account has to be a member of Performance Monitor Users.

    To query Windows services, the account needs permissions on the Service Control Manager. The only method I found so far for that is to add the correct SDDL to sc.exe sdset scmanager (but make sure to save the current value found at sc.exe sdshow scmanager to be able to revert later if needed).

    Thursday, November 22, 2018 1:29 PM
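
An audit of the prerequisites listed in the reply above, as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session on the target server; the account name and backup path are hypothetical.

```powershell
# Added example: run elevated in Windows PowerShell 5.1 on the target server.
$Account   = 'CONTOSO\svc-wmiquery'                    # hypothetical account (assumption)
$Namespace = 'root\cimv2'
$ScmBackup = "$env:USERPROFILE\scmanager-sddl.txt"     # hypothetical backup path (assumption)

# Local group checks: direct membership only. Membership that comes through
# a nested domain group is not expanded here and will show as False.
'Distributed COM Users', 'Performance Monitor Users' | ForEach-Object {
    $group   = $_
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Group    = $group
        Account  = $Account
        IsMember = [bool]($members | Where-Object { $_.Name -eq $Account })
    }
} | Format-Table -AutoSize

# Namespace security: decode the DACL of the WMI namespace.
# WMI access-mask bits: 0x1 = Enable Account, 0x20 = Remote Enable.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
    -Name GetSecurityDescriptor
$result.Descriptor.DACL | ForEach-Object {
    $name = $_.Trustee.Name
    if ($_.Trustee.Domain) { $name = '{0}\{1}' -f $_.Trustee.Domain, $name }
    [pscustomobject]@{
        Trustee       = $name
        AceType       = if ($_.AceType -eq 1) { 'Deny' } else { 'Allow' }
        EnableAccount = [bool]($_.AccessMask -band 0x1)
        RemoteEnable  = [bool]($_.AccessMask -band 0x20)
        IsAccount     = ($name -eq $Account)
    }
} | Format-Table -AutoSize

# Service Control Manager: save the current SDDL before any
# 'sc.exe sdset scmanager' change so the original value can be restored.
sc.exe sdshow scmanager | Where-Object { $_.Trim() } | Set-Content -Path $ScmBackup
Get-Content -Path $ScmBackup
```

The DACL table lists every trustee, so a Remote Enable grant that reaches the account through a group is visible even when the IsAccount column is False for that row.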