WMI – Local and domain account considerations

Account interpretation ambiguity can be a reason for getting Access Denied when scanning a system using WMI. This can happen when credentials in vScope are specified without domain.

This is why we always recommend the following when using domain and local accounts.

When using domain accounts, use the following syntax for your WMI credentials:

  • domain\username

When using local accounts, use the following syntax:

  • .\username

Specifying “.” as domain will interpret the credential as a local account.

Always use the notation above to be sure that your credentials are mapped to the correct account. Specifying a local account simply as ‘username‘ is ambiguous.

Consider the following scenario where the credential ‘username‘ will fail:

  • vScope machine part of domain ‘domain1
  • Target machine part of domain ‘domain1

Result: FAIL, ‘username‘ will be mapped to the domain accountdomain1\username‘ and NOT the local account ‘username‘.

A slightly different scenario where the credential will succeed:

  • vScope machine not part of any domain
  • Target machine part of domain ‘domain1

Result: OK, ‘username’ will be mapped to the local account.\username‘ on the target machine.

Solution: Explicitly specifying local accounts as ‘.\username‘ will eliminate any ambiguity.

Leave a Reply