- When setting up WMI rights in vScope’s Credentials manager, it is easiest to use an administrator user; as best practice, use a local admin account. This minimizes the risk of not being able to access the target machines.
- When using a local admin user on target machines, or if the machine where vScope is installed is not on the same domain, you might need to follow the instructions below.
- If a local domain user is to be used, it is recommended to create a dedicated WMI-user as described under (1.) below.
- If an existing user or domain user is used, make certain that all access rights under points (3.) and (4.) below are valid for that group, even if it is an administrator.
1. Create user
- Open User account settings in the Control Panel
- Create a user called “vscope-wmi-user” and set a password
2. Start the WMI service
- Open the command prompt and write “services.msc”
- Find ‘Windows Management Instrumentation’. Right-click and select ‘Properties’
- Set ‘Startup type’ to ‘Automatic’ and click ‘Start’
- Close the window with “OK”
3. Setting WMI permissions
- Write “wmimgmt.msc” in the command prompt
- Right click on “WMI Control” and select properties
- Click the ‘Security’-tab.
- Mark ‘Root’ in the tree structure and click on Security
- Click ‘Add..’ and write vscope-wmi-user under ‘Enter the object names to select’ and hit enter. The user is now added.
- Check boxes for Execute Methods, Enable Account, Remote Enable and Read Security under ‘Permissions for WMI’
- Make sure the wmi-user is marked and select Advanced
- Under the ‘Permissions’-tab, mark the new ‘wmi’-user and select ‘Edit..’. Change ‘Apply to’ to ‘This namespace and subnamespaces’. Click “OK”
- Click OK to close and save settings in all windows
4. Setting DCOM permissions
- Write ‘dcomcnfg’ in the command prompt
- Expand ‘Component Services’ -> ‘Computers’, right-click on ‘My Computer’ and select ‘Properties’
- Select the DCOM Security-tab. Click ‘Edit Limits…’ under both ‘Access Permissions’ and ‘Launch and Activation Permissions’. Then do the following:
- Click ‘Add…’, and enter ‘vscope-wmi-user’ under ‘Enter the object names to select’ and hit enter. The user ‘vscope-wmi-user’ is now added
- Check boxes for all permissions under ‘Permissions for vscope-wmi-user’
- Click OK in all windows to close and save settings
5. Open firewalls for WMI traffic
Enter the following in the command prompt:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
6. Turn off UAC
It is recommended to turn UAC off. If not turned off, vScope might have trouble accessing some information.
- Write ‘regedit’ in the command prompt
- Change the key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy’ to 1
- Close regedit
0 = Remote UAC access token filtering is enabled.
1 = Remote UAC is disabled.
7. Enable RPC permissions on a single target machine:
- Run Microsoft Management Console on the target machine (Start|Run|mmc)
- Add “Group Policy Object Editor” snap-in (File|Add/Remove Snap-in…|Add…|Group Policy)
- Select the “Local Computer” Group Policy Object for which you want to enable RPC
- Navigate to: [Group Policy Object]|Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Profile (for a domain-administered network; use Standard Profile for a workgroup network)
- Edit Setting: “Windows Firewall: Allow Remote Administration Exception”
- Set “Enabled”.
- Set “Allow unsolicited incoming messages from:” to “localsubnet” (without the quotes)
- Apply settings
- These settings will not generally take effect immediately. You can use Microsoft’s Group Policy Update Utility to force immediate updates (see Microsoft’s article: “A Description of the Group Policy Update Utility”)
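To review what steps 2, 3, 5 and 6 have changed on a target machine, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of vScope's documentation or tooling; the function name Test-VscopeWmiSetup is hypothetical, Windows PowerShell 5.1 is assumed, and the account name is the one created in step 1.

```powershell
# Added example: read-only audit of the settings changed in steps 2, 3, 5 and 6.
# Run elevated on the target machine. Test-VscopeWmiSetup is a hypothetical name.
function Test-VscopeWmiSetup {
    param([string]$Account = 'vscope-wmi-user')

    # Step 2: the WMI service (service name Winmgmt) should be Automatic and Running.
    $svc = Get-Service -Name Winmgmt

    # Step 3: read the ACL on the Root namespace and find the account's allow ACE.
    # Mask bits: Enable Account 0x1, Execute Methods 0x2, Remote Enable 0x20,
    # Read Security 0x20000. AceFlags bit 0x2 = inherited by subnamespaces.
    $required   = 0x1 -bor 0x2 -bor 0x20 -bor 0x20000
    $extraWrite = 0x4 -bor 0x8 -bor 0x10 -bor 0x40000   # write and Edit Security rights
    $sd  = (Invoke-CimMethod -Namespace root -ClassName __SystemSecurity `
                -MethodName GetSecurityDescriptor).Descriptor
    $ace = $sd.DACL |
           Where-Object { $_.Trustee.Name -eq $Account -and $_.AceType -eq 0 } |
           Select-Object -First 1

    # Step 5: every rule in the WMI firewall group should be enabled.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

    # Step 6: LocalAccountTokenFilterPolicy (absent or 0 = remote UAC filtering on).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        ServiceAutomatic      = $svc.StartType -eq 'Automatic'
        ServiceRunning        = $svc.Status -eq 'Running'
        AceFound              = [bool]$ace
        HasRequiredRights     = [bool]$ace -and (($ace.AccessMask -band $required) -eq $required)
        AppliesToSubnamespace = [bool]$ace -and (($ace.AceFlags -band 0x2) -ne 0)
        HasWriteRights        = [bool]$ace -and (($ace.AccessMask -band $extraWrite) -ne 0)
        FirewallRulesEnabled  = @($rules | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        RemoteUacFiltering    = if ($latfp -eq 1) { 'Disabled' } else { 'Enabled' }
    }
}

Test-VscopeWmiSetup | Format-List
```

HasWriteRights should be False for the dedicated account, since step 3 grants only the four read and execute rights. RemoteUacFiltering reports 'Disabled' once step 6 has been applied, which is a machine-wide setting for local accounts and worth recording in the host's configuration baseline.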
8. Additional information
Connecting to WMI Remotely Starting with Windows Vista
User Account Control and WMI
Securing a Remote WMI Connection