SWbemSecurity.ImpersonationLevel property

The ImpersonationLevel property is an integer that defines the COM impersonation level that is assigned to this object. This setting determines if processes owned by Windows Management Instrumentation (WMI) can detect or use your security credentials when making calls to other processes. For more information about impersonation levels, see Setting Client_Application_Process Security.

If you do not set the impersonation level explicitly, either in a moniker or by setting the SWbemSecurity.ImpersonationLevel property on a securable object, WMI sets the default impersonation level to the value specified in the default impersonation level registry key. If this setting is not sufficient, the provider does not service your request, and the call to the WMI API can fail with an error code of wbemErrAccessDenied (2147749891/0x80041003).

For an explanation of this syntax, see Document Conventions for the Scripting API.

This property is read/write.

Syntax

SWbemSecurity.ImpersonationLevel As Integer

Property value

Remarks

As a DCOM impersonation level, this property can be set to one of the following values:

Value        Description
Anonymous    Hides the credentials of the caller. WMI does not actually support this impersonation level; if a script specifies impersonationLevel=Anonymous, WMI will silently upgrade the impersonation level to Identify. This is in some ways a meaningless exercise, however, because scripts using the Identify level are likely to fail.
Identify     Enables objects to query the credentials of the caller. Scripts using this impersonation level are likely to fail; the Identify level typically lets you do no more than check access control lists. You will not be able to run scripts against remote computers using Identify.
Impersonate  Enables objects to use the credentials of the caller. It is recommended that you use this impersonation level with WMI scripts. When you do so, the WMI script will use your user credentials; as a result, it will be able to perform any tasks that you are able to perform.
Delegate     Enables objects to permit other objects to use the credentials of the caller. Delegation allows a script to use your credentials on a remote computer and then enables that remote computer to use your credentials on another remote computer. While you can use this impersonation level within WMI scripts, you should do so only if necessary because it might pose a security risk. You cannot use the Delegate impersonation level unless all the user accounts and computer accounts involved in the transaction have all been marked as Trusted for delegation in Active Directory. This helps minimize the security risks. Although a remote computer can use your credentials, it can do so only if both it and any other computers involved in the transaction are trusted for delegation.

As noted, Anonymous impersonation hides your credentials and Identify permits a remote object to query your credentials, but the remote object cannot impersonate your security context. (In other words, although the remote object knows who you are, it cannot "pretend" to be you.) WMI scripts accessing remote computers using one of these two settings will generally fail. In fact, most scripts run on the local computer using one of these two settings will also fail.

Impersonate permits the remote WMI service to use your security context to perform the requested operation. A remote WMI request that uses the Impersonate setting typically succeeds, provided your credentials have sufficient privileges to perform the intended operation. In other words, you cannot use WMI to perform an action (remotely or otherwise) that you do not have permission to perform outside WMI.

Setting impersonationLevel to Delegate permits the remote WMI service to pass your credentials on to other objects and is generally considered a security risk.

You can set the impersonation level of an SWbemServices, SWbemObject, SWbemObjectSet, SWbemObjectPath, or SWbemLocator object by setting the ImpersonationLevel property to the desired value. The following example shows you how to set the impersonation level for an SWbemObject object:

objinstance.Security_.ImpersonationLevel = _
    wbemImpersonationLevelImpersonate

You can also specify impersonation levels as part of a moniker. The following example sets the authentication level and the impersonation level, and retrieves an instance of Win32_Service.

Set objinst = GetObject("WinMgmts:{impersonationLevel=impersonate,"& _
                         "authenticationLevel=pktPrivacy}"& _
                         "!root/cimv2:Win32_service='ALERTER'")
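The following script is an added example, not code from the original page. It sets the impersonation and authentication levels explicitly on an SWbemServices object instead of relying on the registry default, reads the level back before doing any work, and reports wbemErrAccessDenied separately from other failures. Assumptions: it runs under cscript.exe against the local computer, uses the root\cimv2 namespace, queries the Winmgmt service as a sample instance, and Fail is a hypothetical helper name.

```vbscript
Option Explicit

' Values from WbemImpersonationLevelEnum and WbemAuthenticationLevelEnum.
' A plain .vbs file does not load the type library, so they are declared here.
Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelPktPrivacy = 6
Const wbemErrAccessDenied = &H80041003

Dim locator, services, svc, level

Set locator = CreateObject("WbemScripting.SWbemLocator")
On Error Resume Next

' Assumption: local computer (".") and the root\cimv2 namespace.
Set services = locator.ConnectServer(".", "root\cimv2")
If Err.Number <> 0 Then Fail "ConnectServer", Err.Number, Err.Description

' Set both levels explicitly so the registry default is never relied on.
services.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
services.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
If Err.Number <> 0 Then Fail "Security_", Err.Number, Err.Description

' Read the property back and stop if it is anything other than Impersonate,
' for example Delegate left over from an earlier edit of the script.
level = services.Security_.ImpersonationLevel
If level <> wbemImpersonationLevelImpersonate Then
    WScript.Echo "Unexpected impersonation level " & level & "; stopping."
    WScript.Quit 2
End If

' Assumption: Winmgmt (the WMI service itself) is the sample instance.
Set svc = services.Get("Win32_Service.Name='Winmgmt'")
If Err.Number <> 0 Then Fail "Get", Err.Number, Err.Description
WScript.Echo svc.Name & " is " & svc.State & " (impersonation level " & level & ")"

' Fail is a hypothetical helper: report the error and exit with status 1.
Sub Fail(stepName, errNumber, errText)
    If errNumber = wbemErrAccessDenied Then
        WScript.Echo stepName & ": wbemErrAccessDenied (0x80041003)"
    Else
        WScript.Echo stepName & " failed: 0x" & Hex(errNumber) & " " & errText
    End If
    WScript.Quit 1
End Sub
```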

Requirements

Requirement               Value
Minimum supported client  Windows Vista
Minimum supported server  Windows Server 2008
Type library              Wbemdisp.tlb
DLL                       Wbemdisp.dll
CLSID                     CLSID_SWbemSecurity
IID                       IID_ISWbemSecurity

See also

SWbemSecurity

Setting Client_Application_Process Security

WbemImpersonationLevelEnum