

Monitoring Access: How to grant minimum WMI access to the Monitoring Service Accounts

Some administrators still make their monitoring service accounts members of Domain Admins just so the monitoring system can query their computers. That is far more privilege than monitoring needs, and it exposes the most powerful credentials in the domain on every monitored host: if the monitoring server or any monitored computer is compromised, so is the domain. This article shows how to grant such a service account the minimum WMI access it actually needs. To achieve this, follow the instructions below:

  • Create a service account with limited privilege (if it already exists, remove it from the Domain Admins group)
  • Create a security group in your domain for monitoring access and make the service account a member of it. I recommend granting the access to a group rather than to the account directly; group-based access has well-known benefits (one place to add or remove accounts, and the permissions on each computer never have to change), which I will not describe further in this article.

To grant WMI-based monitoring access, add the service account, or better the security group, to the following local groups on each monitored computer. This can also be done centrally through Group Policy (Restricted Groups, or Group Policy Preferences > Local Users and Groups); if you use Restricted Groups, use the "This group is a member of" form so that the existing members of the local groups are not replaced.

  • Distributed COM Users
  • Performance Monitor Users
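The local group step above, done on a single computer from an elevated Windows PowerShell session, as an added example that is not part of the original article. The domain group name CONTOSO\WMI-Monitoring is an assumption; the script only adds the group, it never removes existing members, and it is safe to run again.

```powershell
# Added example: add the monitoring security group to the two local groups that
# remote WMI monitoring needs. Run elevated on the monitored computer.
# CONTOSO\WMI-Monitoring is an assumed name; replace it with your own group.
$MonitoringGroup = 'CONTOSO\WMI-Monitoring'
$LocalGroups     = @('Distributed COM Users', 'Performance Monitor Users')

foreach ($group in $LocalGroups) {
    # Get-LocalGroupMember throws if the local group does not exist, which is
    # the right failure: do not silently continue on an unexpected system.
    $already = Get-LocalGroupMember -Group $group -ErrorAction Stop |
               Where-Object { $_.Name -eq $MonitoringGroup }

    if ($already) {
        Write-Host "$MonitoringGroup is already a member of '$group'"
    } else {
        # Append only; existing members of the local group are untouched.
        Add-LocalGroupMember -Group $group -Member $MonitoringGroup -ErrorAction Stop
        Write-Host "Added $MonitoringGroup to '$group'"
    }
}

# Verification: list the resulting membership of both groups.
foreach ($group in $LocalGroups) {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'LocalGroup'; e = { $group } }, Name, ObjectClass, PrincipalSource
}
```

The `Microsoft.PowerShell.LocalAccounts` cmdlets exist on Windows 10 / Windows Server 2016 and later; on older systems use `net localgroup "Distributed COM Users" CONTOSO\WMI-Monitoring /add` (and the same for "Performance Monitor Users"), which is also append-only.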

After the above steps, grant the "Remote Enable" right on the WMI namespace to your new security group, using the following procedure:

Note

Perform the following steps carefully; I recommend that you do NOT remove any existing rights.

  • Open WMI Control by running wmimgmt.msc (or add the WMI Control snap-in to an MMC console)
  • Right-click the WMI Control (Local) item and click Properties
  • In the dialog that opens, click the Security tab
  • On the Security tab, select the Root namespace and click the Security button
  • In the "Security for Root" dialog, add the security group you created in the first step, and in the Permissions section for that group check "Remote Enable - Allow". Keep "Enable Account - Allow", which the dialog grants by default: a remote WMI query needs both "Enable Account" and "Remote Enable", and for read-only monitoring nothing else is required ("Execute Methods" is only needed if the monitoring tool invokes WMI methods). Then click the Advanced button
  • In the Advanced dialog, select your security group and click the Edit button
  • In the dialog that opens, select "This namespace and subnamespaces" from the "Applies to" drop-down list, then click OK
  • Click Apply/OK in each open dialog to grant the required access.
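The same namespace permission, granted from the command line instead of the WMI Control dialog, as an added example that is not part of the original article. It appends one allow ACE ("Enable Account" + "Remote Enable", inherited by all subnamespaces) to the DACL of the root namespace and leaves every existing ACE in place, which is exactly the "do not remove any existing rights" rule above. The group name CONTOSO\WMI-Monitoring and the target host SERVER01 in the verification line are assumptions. It uses the WMI cmdlets of Windows PowerShell 5.1 (they are not available in PowerShell 7) and must be run elevated on the monitored computer.

```powershell
# Added example: grant a domain group "Enable Account" + "Remote Enable" on the
# root WMI namespace and its subnamespaces by appending an ACE to the DACL.
# Run elevated in Windows PowerShell 5.1 on the monitored computer.
# CONTOSO\WMI-Monitoring is an assumed group name; replace it with your own.
$Account   = 'CONTOSO\WMI-Monitoring'
$Namespace = 'root'

# WMI namespace access-right bits (WbemCli.h) and ACE constants
$WBEM_ENABLE             = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE   = 0x2    # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0
$RequiredMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Resolve the account to its SID; this throws if the name cannot be resolved,
# so a typo in the group name cannot produce an ACE for a non-existent trustee.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the namespace's current security descriptor (__SystemSecurity singleton)
$nsParams = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$get = Invoke-WmiMethod @nsParams -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
$descriptor = $get.Descriptor

# Idempotency check: an allow ACE for this SID that already carries both bits
# means there is nothing to do (and nothing to duplicate).
$existing = $descriptor.DACL | Where-Object {
    $_.Trustee.SIDString -eq $sid -and
    $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
    (($_.AccessMask -band $RequiredMask) -eq $RequiredMask)
}

if ($existing) {
    Write-Host "$Account already has Enable Account + Remote Enable on $Namespace"
} else {
    $domain, $name = $Account -split '\\', 2

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $trustee.Domain    = $domain
    $trustee.Name      = $name

    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $RequiredMask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    # Append to the DACL; existing ACEs (including Administrators) are kept.
    $descriptor.DACL += $ace.psobject.ImmediateBaseObject

    $set = Invoke-WmiMethod @nsParams -Name SetSecurityDescriptor `
               -ArgumentList $descriptor.psobject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }
    Write-Host "Granted Enable Account + Remote Enable on $Namespace and subnamespaces to $Account"
}

# Show the resulting DACL so the change can be reviewed
(Invoke-WmiMethod @nsParams -Name GetSecurityDescriptor).Descriptor.DACL |
    Select-Object @{ n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } },
                  @{ n = 'AccessMask'; e = { '0x{0:X}' -f $_.AccessMask } }, AceFlags, AceType

# Verification (run from ANOTHER machine as the monitoring service account, not
# on the target itself; SERVER01 is an assumed host name). This uses DCOM, the
# path the "Distributed COM Users" membership and the namespace ACE protect:
#   Get-WmiObject -ComputerName SERVER01 -Class Win32_OperatingSystem -Credential (Get-Credential)
```

If the verification query fails with "Access denied" at the DCOM level (HRESULT 0x80070005) the local group membership is missing; if it fails inside WMI (WBEM_E_ACCESS_DENIED, 0x80041003) the namespace ACE is what is missing. Tools that reach WMI over WinRM instead of DCOM (for example `Get-CimInstance` without a DCOM session option) need WinRM access for the account in addition to these rights.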

Note: You can grant the same access on computers that are not domain-joined, but in that case you must create the service account locally on each computer and grant these rights (the local group memberships and the namespace permission) to that local account instead of the domain security group.

Congratulations: after completing the steps above you have granted your monitoring service account the minimum WMI privilege it needs, without making it a Domain Admin.