I came across this blog post http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx for deploying the WMI security via GPO and a script.
Unfortunately this wasn't the entire pictures for me with either Server 2008 R2 or 2012. (in addition I found that it's important to ensure that propogation is set properly before deploying)
To get it to work for me I had to do the following extra steps:
- When setting the security, in order to get propagation, I had to click add permissions via the following steps
- Do this before you retrieve the security descripter
- Click Security Tap
- select the level (ie root)
- click Security
- click Advanced
- Click Add
- ensure that the Apply to: is set to "This namespace and subnamespaces" is selected
- I also had to put the user in the "Performance Log users" security group. This can be done in GPO or at the local level. For GPO:
- Open GPO and select the policy that you want this in
- Under Computer Configuration - Policies - WIndows Settings - Security Settings - Restricted Groups
- Right click and add
- "Performance Log Users"
- In members of this group add your WMI user
- gpupdate /target:computer on a server that it's linked to.
Performance Log Users
http://technet.microsoft.com/en-us/library/cc749154.aspx
Note: Performance Log Users have more permissions than Performance Monitor Users. I tried using just the Performance Monitor Users group without success.
No comments:
Post a Comment