RE: HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER

community@zenoss.org — Tue, 22 Dec 2009 13:00:56 GMT

This is an excellent write-up. As someone not-at-all-skilled in the mysteries of Windows, some of the commands are pure magic. I implemented this in a test environment with a local (non-Domain) Windows user called zenwmi on a Windows 2003 machine with SP2 applied. Extra comments I would add for those who are not very Windows-literate:

1) Having created the zenwmi user, make sure that the user does not have to change password and that the password doesn't expire.

2) Add the zenwmi user to the built-in Distributed COM Users group

3) In section 2 when giving Enable Account and Remote Enable privilege to the zenwmi user, follow the Microsoft link provided.
"WMI Control" can be accessed either from a command prompt via wmimgmt.msc or from the menus, choose Administrative Tools -> Computer Management -> Services & Applications -> WMI - use the right mouse button and slect Properties. Make sure you give the 2 documented permissions to the CIMV2 class - giving them for root does not help you!

4) In the last 2 steps, there is some magic gobbledegook that includes the string
S-1-5-21-1248577188-10479689-3873521419-99999 - this is actually the SID of your zenwmi user and needs to match your environment. I had no idea how to find the SID but Google came up with a little visual basic script as follows:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='zenwmi',Domain='WIN2003'")
Wscript.Echo objAccount.SID

You replace the account name of zenwmi if you are using a different user and the Domain is your domain name or computer name if you are not using a domain.

5) In section 4, I again followed the Microsoft link to modify Local policy. The instructions worked fine. When you get to the part about "Use the Local Group Policy to set your ... Security", in step 2 you want the "Windows Settings" under the "Local Computer Policy" (there was another "Windows Settings" tree somewhere).
The other crucial part is that the Microsoft site only talks about the Application and System logs - for Zenoss to work, you must make the modifications for ALL the logs that the Windows system supports - otherwise you will get some of the error messages documented in the excellent debugging section in this document. Use the Windows Event Viewer to see what logs you have. I had an extra "Internet Explorer" log as well as the Security log so created extra entries for both. Here are my extra lines in sceregvl.inf (they should be 2 lines):

MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Internet Explorer\CustomSD,1,%IELogSD%,2

and (again it should be 2 lines)

SecLogSD="Event log: Specify the security of the security log in Security Descriptor Definition Language (SDDL) syntax"
IELogSD="Event log: Specify the security of the IE log in Security Descriptor Definition Language (SDDL) syntax"

When you get to setting the security policy, the magic string in this document worked fine but do remember to replace the SID with your zenwmi SID.

I needed most of the debugging help at the end of this document because of the mistakes I had made and they worked every time!
There is a small typo in the debugging section to do with SCM permissions. The debugging command should be:

sc sdshow scmanager

Great document! Many thanks.

Cheers,

Jane

RE: HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER

community@zenoss.org — Tue, 28 May 2013 18:16:48 GMT

Thank you for this awesome tutorial&howto. As an option for the mentioned vb script you can also run

get the sid of a specific user via WMI query - wmic /namespace:\\root\cimv2 path win32_useraccount where "name='zenwin'" get name, sid

on one of your domain controllers. Replacing 'zenwin' with the name of your user account.

Regards,

Tobias

Wiki : HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER : Comments

RE: HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER

RE: HOW TO CONFIGURE WMI ACCESS ON WINDOWS FOR A NON ADMIN USER