Configuring non-administrative user for WMI access

How do I configure a non-administrative user for windows management instrumentation (WMI) access?


If you're a user with administrator privileges on the server to be monitored, then you'll be able to connect to windows management instrumentation (WMI) by default. However, if you're a user with standard privileges, you must configure the user for WMI access.
For this, complete the following steps - 
  1. Create and add the user to the Performance Monitor user group
  2. Allow Windows firewall
  3. Add the user to the DCOM user group

Adding a user to the Performance Monitor user group 

  1. Create a non-administrative user on the server to be monitored.
  2. Next, add the user to the Performance Monitor group in Windows. For this, open the Control Panel and click Administrative Tools
  3. After this, open the Computer Management console.
  4. Here, from the left pane, select Local Users and Groups.
    Selecting Local Users and Groups
    Figure 1. Local Users and Groups.
  5. Then double-click Groups in the center pane. 
  6. Here, select the Performance Monitor Users group.
    Selecting Performance Monitor Users group
    Figure 2. Performance Monitor Users group.
  7. Click More Actions on the right pane and then select Properties
  8. Click Add, then select the users you wish to add to the group or enter their details in the bottom field.
    Select Users, Computers, Service Accounts, or Groups
    Figure 3. Enter user details in 'Select Users, Computers, Service Accounts, or Groups' pop-up.
  9. Once you've added all the users that you want to add, click OK.
  10. Next, open the wmimgmt.msc window.
  11. In the left pane, select WMI Control (Local).
    Select WMI Control(Local)
    Figure 4. WMI Control(Local).
  12. Click More Actions on the right pane, and select Properties.
  13. Then, select the Security tab in the WMI Control (Local) Properties window. 
  14. Select Root, then click Security
    Select Security in WMI Control(Local)
    Figure 5. Selecting 'Security' in WMI Control(Local) Properties.
  15. Select the group or username and then click Add
    Click Add after selecting the group or username
    Figure 6. Clicking 'Add' after selecting the group or username.
  16. In the Enter the Object Names section, enter Performance Monitor Users and then, click Check Names. This will auto populate the group name according to the value that you've entered.
    Enter Performance Monitor Users and click Check Names
    Figure 7. Enter 'Performance Monitor Users' and click Check Names.
  17. Click OK. This will take you back to the Security for Root window. 
  18. Select the Execute Methods, Remote Enable, and Enable Account checkboxes here.
  19. After this, click the Advanced button.
  20. Select the Performance Monitor Users group, and then click Edit.
    Click Edit after selecting Performance Monitor Users Group
    Figure 8. Click Edit after selecting Performance Monitor Users Group.
  21. In the Applies to field, select This namespace and subnamespaces to provide read-only access to the WMI tree. 
    Select 'This namespace and subnamespace'
    Figure 9. Select 'This namespace and subnamespace' in the 'Applies to' field.
  22. Then, click OK till you go back to the WmiMgmt Console.

Allowing Windows Firewall 

If you find that the firewall is blocking the WMI access, you can execute commands through a command prompt to allow access or perform the following actions - 
  1. Open Control Panel on Windows.
  2. Click Windows Defender Firewall.
  3. Then, on the left pane, select Allow an app or feature through Windows Defender Firewall. 
    Select Allow an app or feature through Windows Defender Firewall
    Figure 10. Allow an app or feature through Windows Defender Firewall.
  4. Click Change Settings and then scroll down to Windows Management Instrumentation (WMI).
  5. Here, click the Domain and Private checkboxes. 
    Check Domain and Private checkboxes for WMI
    Figure 11. Selecting 'Domain' and 'Private' checkboxes for WMI.
  6. Click OK. 

Configuring DCOM Access

If any predefined DCOM user group is not being used, perform the following steps for DCOM access:
  1. Open Component Services from Administrative Tools in the Control Panel, or enter dcomcnfg in the Run command.
  2. Click Component Services in the left pane and navigate to Computers> My Computer
  3. Click More Actions on the right pane and open Properties.
    Component Services Properties
    Figure 12. Component Services Properties.
  4. Select the COM Security tab. 
  5. Here, in the Launch and Activate Permissions section, click Edit Limits.
    My Computer Properties
    Figure 13. 'Edit Limits' on My Computer Properties.
  6. Next, in the Launch and Activate Permission window, scroll in the Group or user names section, and click Distributed COM users
  7. Following this, in the Permissions for Distributed COM Users section, ensure all the Allow checkboxes are ticked.
    Launch and Activation Permission Window
    Figure 14. Launch and Activation Permission Window.
  8. Click OK and close all the windows.
Following all these steps ensures you have the appropriate permissions to access WMI from the On-Premise Poller installed machine.
If you've any more queries regarding this, please get in touch with support@site24x7.com.

    • Related Articles

    • Validating sender email using DKIM authentication

      What is DKIM? DomainKeys Identified Mail (DKIM) is an advanced authentication method used widely by email service providers to verify the email from the point of its origin by validating the email sender. It allows the email senders to authenticate ...

    • Accessing products via Site24x7

      You can seamlessly access ManageEngine CloudSpend and Site24x7’s sub-products, like Digital Risk Analyzer, StatusIQ, and Toolset, from within your Site24x7 web client. The product switcher , available at the top-right corner of the interface, lets ...