Setting up WMI on Target Machines without using an administrator

Last updated on: October 19th, 2021

vScope can use the WMI protocol to inventory Windows OS machines. This also includes Hyper-V machines and the VMM.

  • When setting up a WMI service account for vScope, it is easiest to use the permissions of a local administrator on the machine, for example through the local Administrators group.
  • If a domain user is to be used, we recommend using a group in Active Directory that is assigned access, and then adding the domain user to that group.
  • In this guide we’re giving WMI access to an AD group, but the steps could technically be done for a domain or local user.

1. Create group in Active Directory

  1. Create a group called “WMI Access Users” in your Active Directory.

2. Ensure that the WMI service is running on the machine

  1. Open the command prompt and type “services.msc”
  2. Find the WMI service for your OS, right-click it and select Properties.
  3. Set ‘Startup type’ to ‘Automatic’ and click “Start”
  4. Close the window with “OK”

3. Add the AD group to the local default group Distributed COM Users

  1. Open lusrmgr.msc.
  2. Go to groups.
  3. Open “Distributed COM Users” and add the group “WMI Access Users”. Click apply.

4. Setting WMI permissions

  1. Type “wmimgmt.msc” in the command prompt
  2. Right click on “WMI Control” and select properties
  3. Click the ‘Security’-tab.
  4. Mark ‘Root’ in the tree structure and click on Security.
  5. Select “Advanced”.
  6. Click on “Add” and add the AD group by clicking on “Select a principal”.
  7. Under “Applies to:”, ensure it’s set to “This namespace and subnamespaces”.
  8. Check the boxes for Execute Methods, Enable Account, Remote Enable and Read Security.
  9. When the permissions are set as in the image below, click “OK”.
  10. Click “Apply”, and “OK” to close and save settings in all windows.

5. DCOM-permissions

  1. Open “dcomcnfg”.
  2. Expand ‘Component Services’ –> ‘Computers’, and right-click on ‘My Computer’ and select ‘Properties’
  3. Select the “COM Security” tab and click “Edit Default…” for both “Access Permissions” and “Launch and Activation Permissions”.
  4. Access Permissions. Add “WMI Access Users” group and allow all permissions in the boxes below. Click OK.

  5. Launch and Activation Permission. Add “WMI Access Users” group and allow all permissions in the boxes below. Click OK.
  6. Click “Apply” and OK in all windows to close and save settings.

And that’s it. The AD group, and its users, will now have remote WMI access to the machine.

Optional

If WMI doesn’t work after the previous permission setup it may be because of local settings on the machine. Below are common configurations that may be needed.

Open firewalls for WMI traffic

Enter the following in the command prompt:

  netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Turn off UAC

If UAC is not turned off, vScope might have trouble accessing some information.

  1. Access “regedit”.
  2. Set the value “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy” to 1
  3. Close regedit

0 = Remote UAC access token filtering is enabled.
1 = Remote UAC is disabled.

Read more at: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction

Enable RPC permissions on a single target machine:

  1. Run Microsoft Management Console on the target machine (Start|Run|mmc)
  2. Add “Group Policy Object Editor” snap-in (File|Add/Remove Snap-in…|Add…|Group Policy)
  3. Select the “Local Computer” Group Policy Object for which you want to enable RPC
  4. Navigate to: [Group Policy Object]|Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Profile (for a domain-administered network; use Standard Profile for a workgroup network)
  5. Edit Setting: “Windows Firewall: Allow Remote Administration Exception”
  6. Set “Enabled”.
  7. Set “Allow unsolicited incoming messages from:” to “localsubnet” (without the quotes)
  8. Apply settings
  9. These settings will not generally take effect immediately. You can use Microsoft’s Group Policy Update Utility to force immediate updates.
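
To confirm the result of steps 2 to 4 and the optional firewall and UAC settings without clicking through each console, a read-only audit can be run on the target machine. This is an added example, not part of the original vScope guide. It assumes Windows PowerShell 5.1 in an elevated prompt, the group name from step 1, and an English-language OS for the firewall group name.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$GroupName = 'WMI Access Users'   # group from step 1 (assumed resolvable; use DOMAIN\name if ambiguous)
$sid = ([Security.Principal.NTAccount]$GroupName).Translate(
        [Security.Principal.SecurityIdentifier]).Value

# Step 2: the WMI service (service name Winmgmt) should be Running with Automatic startup.
$svc = Get-Service -Name Winmgmt
'WMI service: status={0}, startup={1}' -f $svc.Status, $svc.StartType

# Step 3: the group should be a member of the local "Distributed COM Users" group.
$inDcom = Get-LocalGroupMember -Group 'Distributed COM Users' |
    Where-Object { $_.SID.Value -eq $sid }
'Member of Distributed COM Users: {0}' -f [bool]$inDcom

# Step 4: decode the group's allow ACEs on the Root namespace.
$Rights = [ordered]@{
    'Enable Account' = 0x1;     'Execute Methods' = 0x2;  'Full Write'    = 0x4
    'Partial Write'  = 0x8;     'Provider Write'  = 0x10; 'Remote Enable' = 0x20
    'Read Security'  = 0x20000; 'Edit Security'   = 0x40000
}
$Wanted = 0x20023   # Execute Methods + Enable Account + Remote Enable + Read Security
$sd   = (Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
$aces = @($sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid -and $_.AceType -eq 0 })
if (-not $aces) { "No allow ACE for '$GroupName' on Root" }
foreach ($ace in $aces) {
    $granted = $Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] }
    'Root ACE: rights=[{0}], has step 4 rights={1}, applies to subnamespaces={2}' -f ($granted -join ', '),
        (($ace.AccessMask -band $Wanted) -eq $Wanted), [bool]($ace.AceFlags -band 0x2)  # 0x2 = container inherit
}

# Optional: state of the WMI firewall rule group (display group name is localized).
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    ForEach-Object { 'Firewall rule "{0}": enabled={1}, profile={2}' -f $_.DisplayName, $_.Enabled, $_.Profile }

# Optional: remote UAC token filtering for local accounts (absent value behaves as 0).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
'LocalAccountTokenFilterPolicy: {0}' -f $(if ($null -eq $val) { 'not set (filtering enabled)' } else { $val })
```

The DCOM defaults from step 5 are not covered by this check and still have to be reviewed in dcomcnfg. Any right listed for the group beyond the four from step 4 is more than this guide calls for.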

WMI troubleshooting articles

  • https://support.infrasightlabs.com/troubleshooting/wmi-troubleshoot-access-denied-error/
  • https://support.infrasightlabs.com/troubleshooting/verify-wmi-access-for-a-regular-non-admin-domain-user/
