locked
Group Policy to Allow WMI Access to Remote Machine RRS feed

  • Question

  • Hello Everyone,

                          I need to know whether a group policy exists to configure WMI Access to all the remote machines.  I would appreciate if you guys can provide the direction. Thanks in advance.

    Sunday, May 22, 2011 8:00 PM

Answers

  • I was looking for the same thing (it is a shame no one seems to be able to read or understand your original question!)

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/84c78946-eb05-4068-877d-489153419d13/

    Make sure you are editing your group policy object from a Windows 7 or Server 2008 R2 machine to ensure you are editing the policy with the same client-side extension present.

    1. Edit the group policy object you wish to put these settings into.
    2. Expand the Computer Config > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules node.
    3. Right-click in the working area and choose New Rule...
    4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list, Next.
    5. There are a number of options here, but I tend to just select one: the (WMI-In) option with the Domain profile value. If you aren't sure what you need, then just remember you can come back and add the others later. Next button.
    6. Allow the connection > Finish.

    Tuesday, August 2, 2011 8:24 PM

All replies

  • No, actually i am asking about WMI (Windows Management Instrumentation) .  How can one enable that on client machines through group policy.  Thanks.
    Monday, May 23, 2011 2:21 PM
  • Hello!
    Tuesday, May 24, 2011 1:32 PM
  • Hi,

     

    Windows Management Instrumentation (WMI) service is started on clients by default. If you still want to start it via Group Policy, you will have following two options:

     

    1.    Startup or Logon scripts

     

    You may use net start command to start the services. For more information, please refer to the following Microsoft TechNet articles:

     

    Start, stop, pause, resume, or restart a service

    http://technet.microsoft.com/en-us/library/cc736564(WS.10).aspx

     

    Startup, shutdown, logon, and logoff scripts

    http://technet.microsoft.com/en-us/library/cc739591(WS.10).aspx

     

    If you encounter any difficulties when writing the scripts, you may submit a new question in The Official Scripting Guys Forum! which is a best resource for scripting related issues.

     

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

     

    2.    Group Policy Preference: Services

     

    If you are using Windows Server 2008 or Windows Server 2008 R2 Domain Controller, you may use Group Policy Preference: Services.

     

    If no Windows Server 2008 or Windows Server 2008 R2 Domain Controller is in use, you can configure a Group Policy Preference item in a Windows Server 2003 environment from either a Windows Server 2008/R2 server or a Windows Vista with Service Pack 1/Windows 7 client with RSAT update installed. If you do not have Windows Server 2008/R2 server, you can download and install Remote Server Administration Tools on a Windows Vista or Windows 7 client to manage and configure them.

    Microsoft Remote Server Administration Tools for Windows Vista 
    http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en


    Remote Server Administration Tools for Windows 7 

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

    The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:

     

    Information about new Group Policy preferences in Windows Server 2008

    http://support.microsoft.com/kb/943729

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, May 25, 2011 7:37 AM
  • Thanks for the reply.

    I believe I have not explained my question properly.  Actually, I wanted to remotely administer WMI for all the clients.  As you explained, it is enabled by default, but due to firewall settings, it is not possible.  So, I was looking for a group policy or port settings that can be enabled on the windows firewall which would allow access to WMI to all the clients.  I have found a group policy which is

    Computer Configuration

    Administrative Templates

    Network

    Network Connections

    Windows Profile

    Domain/Standard Profile

    Windows Firewall:  Allow Remote Administration Exception

     

    Kindly, confirm that for me that it is exactly what I need.  Thanks in advance.

     

    • Proposed as answer by GBPomper Thursday, August 20, 2015 2:44 AM
    Saturday, May 28, 2011 8:32 PM
  • Hi,

     

    Please check the following Microsoft TechNet article:

     

    Setting Up a Fixed Port for WMI

    http://technet.microsoft.com/en-us/library/bb219447(v=VS.85).aspx 

     

    You may use the startup script to deploy the port to the clients.

     

    After that, you may use the Group Policy to set Windows Firewall: Define port exceptions to open the port for WMI. For more information, please also refer to the following Microsoft TechNet article:

     

    Deploying Windows Firewall Settings With Group Policy

    http://technet.microsoft.com/en-us/library/bb490626.aspx

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, May 30, 2011 2:48 AM
  • I will definitely go through the article, but is the policy stated above not enough for my objective.  Kindly, confirm.  THanks.
    Monday, May 30, 2011 12:33 PM
  • Good day to you all.  Any thoughts on my question.
    Tuesday, May 31, 2011 10:29 AM
  • Good day to you all.  Any thoughts on my question.
    Thursday, June 2, 2011 7:54 PM
  • I hope I am not bugging too much, but I really want to know the answer.  Kindly, have a look at my query..  Thanks.
    Monday, June 6, 2011 9:53 AM
  • Hello All, Any update on this.  Thanks in advance.
    Sunday, June 12, 2011 5:16 PM
  • IMO it is time for you to call CSS, for all of you questions,  you have posted 7 different posts today, that say the exact same thing! “Hello All, Any update on this.  Thanks in advance.”  

     

    To make matter worse you have done it multiply time for multiply post and people are not replying to you.

     

    You where politely told within http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/85b17ed3-7aef-4174-8b4c-2cbcca5c76cf/#31633a93-db03-4bf3-ad75-a824889f0726 not to bump your messages but you still do it. This post has  5 “bump” message http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/a2f2abb3-35f6-4c1a-beee-d09f311b4507/#fb0b7a68-5901-4e18-922f-350678e5d70a

     

    You need to read this KB http://support.microsoft.com/kb/555375 and you need to call CSS.

    Sunday, June 12, 2011 5:52 PM
  • Hello There.  Well noted.  I will be careful, but there has never been any mal intention.  Most of my questions are direct questions.  Even if you closely at this question, I am just confirming whether it is right or wrong, but instead i have been provided with different answer.  But, at the same time I appreciate the platform and experts who take time and answer queries.  Cheers.
    • Proposed as answer by GerardD Tuesday, August 2, 2011 8:22 PM
    • Unproposed as answer by GerardD Tuesday, August 2, 2011 8:22 PM
    Friday, June 17, 2011 6:58 PM
  • I was looking for the same thing (it is a shame no one seems to be able to read or understand your original question!)

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/84c78946-eb05-4068-877d-489153419d13/

    Make sure you are editing your group policy object from a Windows 7 or Server 2008 R2 machine to ensure you are editing the policy with the same client-side extension present.

    1. Edit the group policy object you wish to put these settings into.
    2. Expand the Computer Config > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules node.
    3. Right-click in the working area and choose New Rule...
    4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list, Next.
    5. There are a number of options here, but I tend to just select one: the (WMI-In) option with the Domain profile value. If you aren't sure what you need, then just remember you can come back and add the others later. Next button.
    6. Allow the connection > Finish.

    Tuesday, August 2, 2011 8:24 PM
  • Thanks Gerard - It is nice to get a straight answer - and the right one as well.
    Friday, May 4, 2012 9:38 AM
  • Thanks GerardD. Simple and clear answer. Very useful.

    Pat

    Monday, July 9, 2012 3:10 PM
  • Hi

    Try to run this command on client

    netsh firewall set service RemoteAdmin enable

    If you have access to WMI after that you can distribute this using login script to all clients


    Best regards
    Dubravko Marak
    MCP
    Blog: Windows Server Administration
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, July 13, 2012 8:18 AM
  • This is the correct answer.  Thank You GerardD.

    After setting up a group policy, I can now use Spiceworks to inventory all of the desktop PCs on my network.  Spiceworks uses the WMI protocol for discovery and inventory.

    Friday, February 22, 2013 1:24 AM
  • Proposed by Gerard policу does not work for me.
    I run the following command
    $a = gwmi win32_bios -comp 140-pc
    and get the error:

    gwmi : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

    what data I should to provide in order to solve the problem

    help me please

    Tuesday, September 10, 2013 12:58 PM