Friday, February 28, 2014

Remote WMI security via GPO

I recently wanted to create a limited access user account for accessing WMI remotely on servers. 
I came across this blog post for deploying the WMI security via GPO and a script.

Unfortunately this wasn't the entire pictures for me with either Server 2008 R2 or 2012.  (in addition I found that it's important to ensure that propogation is set properly before deploying)

To get it to work for me I had to do the following extra steps:
  1. When setting the security, in order to get propagation, I had to click add permissions via the following steps
    1. Do this before you retrieve the security descripter
    2. Click Security Tap
    3. select the level (ie root)
    4. click Security
    5. click Advanced
    6. Click Add
    7. ensure that the Apply to: is set to "This namespace and subnamespaces" is selected
  2. I also had to put the user in the "Performance Log users" security group.  This can be done in GPO or at the local level.  For GPO:
    1. Open GPO and select the policy that you want this in
    2. Under Computer Configuration - Policies - WIndows Settings - Security Settings - Restricted Groups
    3. Right click and add
    4. "Performance Log Users"
    5. In members of this group add your WMI user
    6. gpupdate /target:computer on a server that it's linked to.

Performance Log Users

Note: Performance Log Users have more permissions than Performance Monitor Users.  I tried using just the Performance Monitor Users group without success.

No comments:

Post a Comment