PowerShell to add domain user to WMI Security Root with specific permissions

  • Question

  • Basically, trying to add a domain user to the WMI Control Security Root. (Computer Management > Services and Applications > WMI Control > Properties > Security tab > select "ROOT" and hit Security > add user with "Remote Enable" and "Read Security" permissions. Then press Advanced > select the user > Edit > change the dropdown for "Applies to" to "This namespace and subnamespaces".)

    I know it's a lot but this will have to be done on all our servers.

    Friday, March 4, 2016 10:54 PM

Answers

  • Just wanted to add an update. From the previous script I mentioned I was using to add the user to the WMI security, all I had to do was modify "$ace.AceFlags" to equal 2 which was able to apply the "The namespace and subnamespaces" permission.

    Thanks again.

    • Marked as answer by bb21k Friday, March 11, 2016 3:45 PM
    Friday, March 11, 2016 3:29 PM
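As an added example (not the script from the Palo Alto link or the gist in this thread), here is a PowerShell script that does what the accepted answer describes: it appends an allow ACE for a domain user on the root namespace with Remote Enable and Read Security only, and sets AceFlags = 2 (CONTAINER_INHERIT_ACE) so the entry applies to "This namespace and subnamespaces". The computer name and account are placeholders, and it assumes you run it with rights to edit WMI namespace security on the target.

```powershell
# Added example: grant "Remote Enable" + "Read Security" on a WMI namespace,
# inherited by subnamespaces (AceFlags = 2). Not the thread's original script.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local or remote target
    [string]$Namespace    = 'root',
    [Parameter(Mandatory)][string]$Account       # placeholder, e.g. 'CONTOSO\svc-monitor'
)

# WMI namespace access-mask bits and ACE constants (WBEM security definitions)
$WBEM_REMOTE_ACCESS = 0x20      # "Remote Enable"
$READ_CONTROL       = 0x20000   # "Read Security"
$CONTAINER_INHERIT  = 0x2       # AceFlags: "This namespace and subnamespaces" (0 = this namespace only)
$ACCESS_ALLOWED     = 0         # AceType
$mask = $WBEM_REMOTE_ACCESS -bor $READ_CONTROL   # least privilege: no write/method-execute bits

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$target = @{ Namespace = $Namespace; Path = '__systemsecurity=@'; ComputerName = $ComputerName }

$get = Invoke-WmiMethod @target -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
$sd = $get.Descriptor

# Idempotency: skip if an equivalent inheritable allow ACE for this SID already exists,
# so the script can be rerun safely across all servers.
$existing = $sd.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED -and
    (($_.AccessMask -band $mask) -eq $mask) -and (($_.AceFlags -band $CONTAINER_INHERIT) -ne 0)
}
if ($existing) { Write-Output "ACE already present for $Account on $Namespace"; return }

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $sid
$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $mask
$ace.AceFlags   = $CONTAINER_INHERIT   # the one change bb21k needed for subnamespace inheritance
$ace.AceType    = $ACCESS_ALLOWED
$ace.Trustee    = $trustee

$sd.DACL += $ace.psobject.immediateBaseObject
$set = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.immediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }

# Read the DACL back so the change can be verified (and recorded) per server.
(Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SidString -eq $sid } |
    Select-Object @{n='Trustee';e={ $_.Trustee.Domain + '\' + $_.Trustee.Name }}, AccessMask, AceFlags
```

This edits only the namespace DACL; as jrv points out further down, DCOM remote launch/activation permissions are a separate setting and are not touched here.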
  • And what is it that a WMI user does not have that they need?   

    What will be missing is specific permission on objects and resources that WMI has access to.  A WMI user does not have permission to see the details of things like service objects.  This cannot be granted through WMI. You must grant the access on the service controller object directly.

    Very often third parties make incorrect claims of needing access where they do not need access.

    WMI does not override the need for administrative credentials on objects that require these.  The WMIUsers group grants access to the namespaces you referenced.

    What is generally missing is access to the DCOM bridge to WMI.  Remember that all WMI remote access is through DCOM.  Changing permissions on the "root" will not alter DCOM.

    If you search through the KBs you will find an article on how to set up contingent remote access to WMI for selected users and how to allow specific access to things like the Service Control Manager.

    Here is one of many articles illustrating the steps required to allow access for performance and monitoring through DCOM/WMI: http://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines

    I am certain that this is what Is being asked for.

    If you look in the Gallery there are some scripts that purport to be able to set this up.  In my experience Group Policy is the only reliable way to enable this.

    Note that Vista and later use the WMIUsers group in place of some security changes and, I believe that perfmon users are already granted DCOM permissions.


    \_(ツ)_/


    • Edited by jrv Wednesday, March 9, 2016 6:24 PM
    • Marked as answer by bb21k Thursday, March 10, 2016 7:39 PM
    Wednesday, March 9, 2016 6:13 PM

All replies

  • We would do that with Group Policy not with a script.


    \_(ツ)_/

    Saturday, March 5, 2016 1:46 AM
  • Agreed. But I'm still looking at the PowerShell route. So far the site below has gotten me halfway there. Just stuck on editing the Namespace and Subnamespaces change.

    https://live.paloaltonetworks.com/t5/Management-Articles/PowerShell-Script-for-setting-WMI-Permissions-for-User-ID/ta-p/53646

    Monday, March 7, 2016 3:43 PM
  • Agreed. But I'm still looking at the PowerShell route.

    The problem is that you will need to present a compelling use case because you are asking to script something that doesn't need to be scripted.


    -- Bill Stewart [Bill_Stewart]

    Monday, March 7, 2016 3:49 PM
    Moderator
  • We have a few servers that are not on the domain that we would want to run it on.

    Wednesday, March 9, 2016 3:21 PM
  • What research have you done so far?

    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 9, 2016 3:28 PM
    Moderator
  • On Vista and later there is a group that already does this - WinRMRemoteWMIUsers

    Just add the users to this group.


    \_(ツ)_/

    Wednesday, March 9, 2016 3:35 PM
  • I do see that, but that does not control changing the namespace/subnamespace change. Sorry if I'm not explaining this correctly.
    Wednesday, March 9, 2016 4:51 PM
  • What is your intended purpose?  What is it that you need that is not available?

    You DO NOT want to give out administrative level access to system through WMI.  There is never a need to do this.  This leads us to believe that what you are trying to do can be done with normal means. Normally whenever anything seems so hard to do it is because you should not be doing it.


    \_(ツ)_/

    Wednesday, March 9, 2016 4:56 PM
  • We're in the process of having a third party manage our infrastructure, which will be handling monitoring/alerts. We want to monitor additional functions via WMI, which the third party will need additional credentials to enable WMI. They have specific requirements for Windows monitoring via WMI which they've detailed in the above instructions I've mentioned, which will have to be done on all our servers.
    Wednesday, March 9, 2016 5:02 PM
  • Typically they require SNMP because in the case of regular servers (not VMs), some of the data they get (specifically OMSA on Dell) is SNMP-based. They checked the datapoints for other Windows servers and everything is coming through WMI. It should be safe to skip SNMP configuration, although WMI does not work out of the box since we're using NAT for some of the VMs.
    Wednesday, March 9, 2016 6:25 PM
  • If we look at WMI security we will see that "authenticated users" now have all permissions on root\Cimv2.  The control is now with DCOM.  By adding users to the WinRMRemoteWMIUsers group they gain access to the WMI objects.  To actually do monitoring they also need to be members of the group PerformanceMonitorUsers.

    With this set up users can use the CimSession object remotely. 

    To allow users to access WMI via classic WMI remoting you will need to make the DCOM changes.


    \_(ツ)_/

    Wednesday, March 9, 2016 6:31 PM
  • Typically they require SNMP because in the case of regular servers (not VMs), some of the data they get (specifically OMSA on Dell) is SNMP-based. They checked the datapoints for other Windows servers and everything is coming through WMI. It should be safe to skip SNMP configuration, although WMI does not work out of the box since we're using NAT for some of the VMs.

    Yes - true of Dell, HP and others using traditional SNMP monitoring tools.  This requires adding the SNMP extensions to WMI.


    \_(ツ)_/

    Wednesday, March 9, 2016 6:33 PM
  • We're in the process of having a third party manage our infrastructure, which will be handling monitoring/alerts. We want to monitor additional functions via WMI, which the third party will need additional credentials to enable WMI. They have specific requirements for Windows monitoring via WMI which they've detailed in the above instructions I've mentioned, which will have to be done on all our servers.

    If the third-party tool requires specific permissions to be set, it's my opinion that their installer should be setting the correct permissions at installation time.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 9, 2016 7:55 PM
    Moderator
  • So are you saying by adding the user to the WinRMRemoteWMIUsers group, that gives the same access as if I were manually changing the WMI security scope of root to "This namespace and subnamespaces"?
    Thursday, March 10, 2016 7:24 PM
  • I cannot tell you how this works here.  There is not enough room for a tutorial.

    You cannot just do what you are trying to do.  It will not work as expected.  I posted links to discussions showing how to enable external, (standard) user accounts to do monitoring.

    I recommend that you obtain a complete set of access requirements and tools required then go to the Management forum and ask how to provision those tools. This must be specific to items and objects to be monitored.  The rest will fall out from there.  If you just want to trash the security on WMI you can do this with Group Policy.  Post in GP forum for instructions.


    \_(ツ)_/

    Thursday, March 10, 2016 7:37 PM
  • Thank you.
    Thursday, March 10, 2016 7:39 PM
  • Thank you.

    You are welcome. I am sorry that the issue is not as trivial as you were led to believe.  Much of the direction on the net is dated to W2K and is no longer valid. Some things may be true in a workgroup but the operation and authentication methods used in a WS2008 and later domain are much more secure.

    If you look at the WMI security it is already set to allow all Authenticated users access.  A normal user account can execute nearly all WMI classes with no issue.  They will not be able to execute methods or alter system values. A standard user can access locally but not remotely.  The reason is that the users/Authenticated do not have remote launch permission.

    Standard users cannot run performance measurements for all objects and this has nothing to do with WMI or DCOM.  The links show you how to set this up.  All of it can be set up with GP which is the preferred method.  If there are variations and gotchas the Management Forum MVPs should be able to advise.


    \_(ツ)_/

    Thursday, March 10, 2016 7:47 PM
  • Hi,

    Found this post earlier today as I had the same need as the OP.

    Like bb21k, I needed to modify the $ace.AceFlags line to properly allow the inheritance.  I also needed to modify a couple of other lines to correct remote computer access when passing credentials.  I've uploaded my tweaked version to https://gist.github.com/Tras2/06670c93199b5621ce2076a36e86f41e in case it helps anyone else out

    Stuart

    Thursday, June 29, 2017 1:19 PM
  • Agreed. But I'm still looking at the PowerShell route.

    The problem is that you will need to present a compelling use case because you are asking to script something that doesn't need to be scripted.


    -- Bill Stewart [Bill_Stewart]

    Everything needs to be scripted
    Wednesday, September 11, 2019 8:24 AM