Configuring non-administrative user for WMI access

How do I configure a non-administrative user for Windows Management Instrumentation (WMI) access?


If you're a user with administrator privileges on the server to be monitored, you can connect to Windows Management Instrumentation (WMI) by default. A user with standard privileges, however, must first be configured for WMI access.
To do this, complete the following steps:
  1. Create the user and add it to the Performance Monitor Users group
  2. Allow WMI through Windows Firewall
  3. Add the user to the DCOM user group

Adding a user to the Performance Monitor Users group

  1. Create a non-administrative user on the server to be monitored.
  2. Next, add the user to the Performance Monitor Users group in Windows. To do this, open the Control Panel and click Administrative Tools.
  3. After this, open the Computer Management console.
  4. Here, from the left pane, select Local Users and Groups.
    Figure 1. Local Users and Groups.
  5. Then double-click Groups in the center pane. 
  6. Here, select the Performance Monitor Users group.
    Figure 2. Performance Monitor Users group.
  7. Click More Actions on the right pane and then select Properties.
  8. Click Add, then select the users you wish to add to the group or enter their details in the bottom field.
    Figure 3. Enter user details in 'Select Users, Computers, Service Accounts, or Groups' pop-up.
  9. Once you've added all the users that you want to add, click OK.
  10. Next, open the wmimgmt.msc window.
  11. In the left pane, select WMI Control (Local).
    Figure 4. WMI Control(Local).
  12. Click More Actions on the right pane, and select Properties.
  13. Then, select the Security tab in the WMI Control (Local) Properties window. 
  14. Select Root, then click Security.
    Figure 5. Selecting 'Security' in WMI Control(Local) Properties.
  15. Select the group or username and then click Add.
    Figure 6. Clicking 'Add' after selecting the group or username.
  16. In the Enter the Object Names section, enter Performance Monitor Users and then click Check Names. This will auto-populate the group name according to the value that you've entered.
    Figure 7. Enter 'Performance Monitor Users' and click Check Names.
  17. Click OK. This will take you back to the Security for Root window. 
  18. Select the Execute Methods, Remote Enable, and Enable Account checkboxes here.
  19. After this, click the Advanced button.
  20. Select the Performance Monitor Users group, and then click Edit.
    Figure 8. Click Edit after selecting Performance Monitor Users Group.
  21. In the Applies to field, select This namespace and subnamespaces to provide read-only access to the WMI tree. 
    Figure 9. Select 'This namespace and subnamespace' in the 'Applies to' field.
  22. Then, click OK until you return to the WmiMgmt console.

Allowing Windows Firewall 

If the firewall is blocking WMI access, you can allow it either by running commands from a command prompt or by performing the following actions:
  1. Open Control Panel on Windows.
  2. Click Windows Defender Firewall.
  3. Then, on the left pane, select Allow an app or feature through Windows Defender Firewall. 
    Figure 10. Allow an app or feature through Windows Defender Firewall.
  4. Click Change Settings and then scroll down to Windows Management Instrumentation (WMI).
  5. Here, click the Domain and Private checkboxes. 
    Figure 11. Selecting 'Domain' and 'Private' checkboxes for WMI.
  6. Click OK. 

Configuring DCOM Access

If you're not using a predefined DCOM user group, perform the following steps for DCOM access:
  1. Open Component Services from Administrative Tools in the Control Panel, or enter dcomcnfg in the Run command.
  2. Click Component Services in the left pane and navigate to Computers > My Computer.
  3. Click More Actions on the right pane and open Properties.
    Figure 12. Component Services Properties.
  4. Select the COM Security tab. 
  5. Here, in the Launch and Activate Permissions section, click Edit Limits.
    Figure 13. 'Edit Limits' on My Computer Properties.
  6. Next, in the Launch and Activate Permission window, scroll in the Group or user names section, and click Distributed COM Users.
  7. Following this, in the Permissions for Distributed COM Users section, ensure all the Allow checkboxes are ticked.
    Figure 14. Launch and Activation Permission Window.
  8. Click OK and close all the windows.
Following all these steps ensures you have the appropriate permissions to access WMI from the machine where the On-Premise Poller is installed.
If you have any further questions, please contact support@site24x7.com.
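
The following PowerShell function is an added example, not Site24x7 code. It audits the result of the three procedures above on the monitored server: group membership, the Root namespace rights from step 18, the DCOM launch limits, and the firewall profiles. It assumes an elevated Windows PowerShell 5.1 session; the function name and the account name passed to it are hypothetical.

```powershell
# Added example, not vendor code; the function and account names are hypothetical.
function Test-WmiMonitorAccess {
    param([Parameter(Mandatory)][string]$UserName)
    # True when $UserName is a direct member of the named local group.
    $inGroup = {
        param($Group)
        [bool](Get-LocalGroupMember -Name $Group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$UserName" })
    }

    # Root namespace DACL: merge allow ACEs for Performance Monitor Users (S-1-5-32-558).
    $sd = (Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
    $wmiMask = 0; $inherits = $false
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.SIDString -eq 'S-1-5-32-558' -and $ace.AceType -eq 0) {
            $wmiMask = $wmiMask -bor $ace.AccessMask
            if ($ace.AceFlags -band 0x2) { $inherits = $true }   # CONTAINER_INHERIT_ACE
        }
    }

    # DCOM machine-wide launch limits: allow ACEs for Distributed COM Users (S-1-5-32-562).
    $raw = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
    $dcomMask = 0
    if ($raw) {
        $limits = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
        foreach ($ace in $limits.DiscretionaryAcl) {
            if ($ace.SecurityIdentifier.Value -eq 'S-1-5-32-562' -and $ace.AceType -eq 'AccessAllowed') {
                $dcomMask = $dcomMask -bor $ace.AccessMask
            }
        }
    }

    # Enabled inbound WMI firewall rules, and those that also apply to Public networks.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $public = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    [pscustomobject]@{
        InPerformanceMonitorUsers = & $inGroup 'Performance Monitor Users'
        InDistributedComUsers     = & $inGroup 'Distributed COM Users'
        IsLocalAdministrator      = & $inGroup 'Administrators'
        WmiRootGrantsStep18Rights = ($wmiMask -band 0x23) -eq 0x23    # Enable | Execute | Remote
        WmiRootGrantsWriteRights  = ($wmiMask -band 0x4001C) -ne 0    # write bits or WRITE_DAC
        WmiAceInheritsToChildren  = $inherits
        DcomLaunchLimitsAllowAll  = ($dcomMask -band 0x1F) -eq 0x1F
        EnabledInboundWmiRules    = $rules.Count
        RulesOpenOnPublicProfile  = $public.DisplayName
    }
}
```

For a correctly delegated account, IsLocalAdministrator and WmiRootGrantsWriteRights should be False and RulesOpenOnPublicProfile should be empty. If the MachineLaunchRestriction registry value is absent, system defaults apply and DcomLaunchLimitsAllowAll is reported as False.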
