Non-administrator access to WMI over CIMSession

  • Question

  • I am attempting to set up remote system monitoring using CimSessions and CimInstances in PowerShell. I am using a Windows Server 2012 R2 server as my remote target.

    I added my monitoring user account to the local group SERVER\WinRMRemoteWMIUsers__ and also went into WMI Control and granted 'Remote Enable' rights to this group on Root\cimv2 (used this blog post as a reference: http://www.sevecek.com/Lists/Posts/Post.aspx?ID=280).

    I can create a New-CimSession but when I attempt to perform a trivial get (e.g. Get-CimInstance -CimSession $cimSession -ClassName Win32_Service) I get an 'access denied' error (Get-CimInstance : The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.) 

    If I run the same cmdlets as an administrator on the remote server, they succeed.

    What is the proper process for granting Remote WMI rights to a non-admin account? I do not require admin rights for my monitoring user.


    Thanks.


    Wednesday, January 21, 2015 4:00 PM


All replies

  • WMI permissions are controlled through DCOM.

    If you don't want to mess with the DCOM permissions, you can set up a constrained delegated session, and grant the non-admin user permission to use that session.  You can set constraints on the session so that they can only run the Get-CimInstance cmdlets, or any other cmdlets, functions, or scripts that you specify, and then have the commands run under a set of delegated admin credentials.

    http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/03/use-delegated-administration-and-proxy-functions.aspx





    • Edited by mjolinorModerator Wednesday, January 21, 2015 4:31 PM
    • Marked as answer by AaronRMN Thursday, January 22, 2015 7:57 PM
    Wednesday, January 21, 2015 4:27 PM
    Moderator
  • I will take a look at both options and let you know the results. Thanks for the reply.
    Wednesday, January 21, 2015 8:01 PM
  • So I made some progress. Here is what I have done to enable SOME remote WMI capability via WinRM:

    1. Added user account to local group WinRMRemoteWMIUsers__ on remote server.
    2. Via the WMI Control mmc snap-in, granted the local group WinRMRemoteWMIUsers__ Remote Enable rights to the Root namespace and all child namespaces.

    This allows me to connect and successfully run a majority of Get-CimInstance commands, e.g.

    • Get-CimInstance -ComputerName RemoteServer -ClassName Win32_ComputerSystem
    • Get-CimInstance -ComputerName RemoteServer -ClassName Win32_LocalTime

    However, some classes will give me an 'Access Denied' error (yet work as an Admin), like:

    • Get-CimInstance -ComputerName RemoteServer -ClassName Win32_Service
    • Get-CimInstance -ComputerName RemoteServer -ClassName CIM_Service

    It may even just be the 'Service' classes, but I am not sure.


    • Edited by AaronRMN Thursday, January 22, 2015 4:59 PM
    Thursday, January 22, 2015 4:58 PM
  • Not sure about the internals, but if retrieving the instances relies on, e.g., the Service Control Manager for services, there may be additional permission levels involved.

    The remote delegated session solution would solve all of these issues, since the command would be executed under the authority of an actual admin account.




    Thursday, January 22, 2015 5:30 PM
    Moderator
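    The constrained, delegated endpoint that mjolinor recommends in both replies, worked through as an added example (not code from the thread): a PowerShell 4.0 session configuration on the 2012 R2 target that exposes only Get-CimInstance, runs it under a delegated admin account, and is reachable only by the monitoring group, so the caller needs neither admin rights nor a broadened SCM descriptor. The endpoint name MonitorWMI, the RunAs account SERVER\WmiRunAs and the group SID are assumed placeholders.

```powershell
# Added example, not from the thread. Steps 1-3 run on the remote server from an
# elevated PowerShell 4.0 prompt; step 4 runs from the monitoring host as the
# non-admin monitoring user. Names below are assumed placeholders.

# 1. Session configuration file: no language elements, only Get-CimInstance
#    (plus the RestrictedRemoteServer basics such as Select-Object) is visible.
$pssc = 'C:\ProgramData\MonitorWMI.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-CimInstance' `
    -ExecutionPolicy Restricted

# 2. Endpoint ACL: only Administrators and the monitoring group may connect
#    (GA on a session configuration = permission to invoke it). The SID is a
#    constructed placeholder; use the real monitoring group's SID.
$monitorGroupSid = 'S-1-5-21-0-0-0-1234'
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$monitorGroupSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# 3. Register the endpoint so every command runs as the delegated admin
#    account rather than as the caller; WMI and SCM checks see that account.
$runAs = Get-Credential -UserName 'SERVER\WmiRunAs' -Message 'RunAs account for MonitorWMI'
Register-PSSessionConfiguration -Name 'MonitorWMI' -Path $pssc `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# 4. From the monitoring host, as the non-admin monitoring user: the query
#    that was 'access denied' over a plain CimSession now succeeds, while
#    anything outside the visible cmdlet list is rejected by the endpoint.
$s = New-PSSession -ComputerName 'SERVER' -ConfigurationName 'MonitorWMI'
Invoke-Command -Session $s -ScriptBlock { Get-CimInstance -ClassName Win32_Service } |
    Select-Object -First 5 Name, State
Remove-PSSession $s
```

    To confirm the lockdown, invoke a cmdlet other than Get-CimInstance through the same session (for example Restart-Service) and check that the endpoint refuses it; Get-PSSessionConfiguration -Name MonitorWMI shows the resulting SDDL and RunAs user.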
  • So I think I was able to answer my own question. Besides making changes 1 and 2 above for granting security rights, there was an additional step to be able to query Win32_Service and CIM_Service. I found the answer in this post: 

    http://stackoverflow.com/questions/3917477/granting-remote-user-non-admin-the-ability-to-enumerate-services-in-win32-serv

    From an elevated command prompt, I had to run the following:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    After that, I could remotely query Win32_Service and CIM_Service.

    • Marked as answer by AaronRMN Thursday, January 22, 2015 5:33 PM
    Thursday, January 22, 2015 5:33 PM
  • Yes, I spoke too soon regarding the Service Control Manager permission change. It let me see some services, but some had their own permissions which would need to be individually changed.

    I will explore the delegated endpoint concept. Thanks!

    Thursday, January 22, 2015 7:57 PM