The following procedures describe how to use a non-Admin account for WMI.
NOTE: Security Log collection on Windows Server 2012 requires at least local administrator rights.
Group membership, security policy assignments, and permissions
- Create a domain user account that is used in your environment for log collection.
- Create a domain group that will receive the rights that the WMI collection user needs.
NOTE: Always assign permissions to a domain group, instead of directly to a user.
- Put the WMI collection user into this newly created group.
- Put the newly created WMI collection group into the following domain groups:
  - Event Log Readers
  - Distributed COM Users
- Run one of the following three Microsoft Management Console (MMC) snap-ins:
  - The Local Security Policy snap-in (secpol.msc) for member servers.
  - The Default Domain Security Policy snap-in (dompol.msc), if you want to configure these settings domain-wide as a GPO.
  - The Default Domain Controller Security Settings snap-in (dcpol.msc), if you want to assign the rights only on domain controllers.
- When the snap-in has started, expand Security Settings, Local Policies, User Rights Assignment.
- Assign your new group at least the following rights:
  - Act as part of the operating system.
  - Log on as a batch job.
  - Log on as a service.
  - Replace a process level token.
- Close the Policy Settings utility.
Distributed Component Object Model (DCOM) rights assignments
Use the following steps to configure DCOM security for the WMI collection group:
- Click Start, Administrative Tools, Component Services.
- Expand Console Root, Computers, My Computer.
- Right-click My Computer and select Properties.
- In the window that appears, click the COM Security tab.
- Under Access Permissions, click Edit Limits.
- Confirm that the Distributed COM Users group has all items selected under Allow.
- (Optional) Add the WMI collection group to this list and ensure that it has full Allow access.
NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
- After you have confirmed that Distributed COM Users is present, or have added the WMI collection group, click OK to save your changes and return to the COM Security tab.
- Under Launch and Activation Permissions, click Edit Limits.
- In the list of groups and permissions, confirm that the Distributed COM Users group has all items selected under Allow.
- (Optional) Add the WMI collection group and assign full Allow access.
NOTE: This step is optional because the WMI collection group is normally already a member of Distributed COM Users.
- Click OK and save your changes.
- Close the Component Services utility.
WMI namespace security assignments
Use the following steps to set WMI namespace security so that the WMI collection group has access to WMI objects:
- Click Start, Run, type wmimgmt.msc, and click OK.
- Right-click WMI Control (Local) and click Properties.
- Click the Security tab.
- Click Security at the bottom of the window. This action edits the security settings for the Root WMI namespace.
- Click Advanced and change the Advanced security settings for this WMI namespace.
- Add the WMI collection group to the list, and assign it at least the following Allow permissions:
  - Execute Methods
  - Enable Account
  - Remote Enable
  - Read Security
NOTE: Make sure that these permissions apply to this namespace and all namespaces under it, by selecting This namespace and subnamespaces in the drop-down box, above the permissions list window.
- Click OK and save the new permissions.
- Click OK again and close the Advanced Security Settings.
- Click OK a third time and exit the Security Properties.
You can now use the WMI collection user to collect events from WMI without having to use domain admin rights for WMI.
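
To confirm on a target server that the user rights and the Root namespace permissions from the steps above are in place, the following audit script can be run. It is an added example, not part of the original procedure. It assumes an elevated Windows PowerShell session and a hypothetical group name, CONTOSO\WMI-Collectors. It reports only entries that name the group directly and does not inspect the DCOM limits.

```powershell
# Added example: local audit of the settings above. Run elevated in Windows PowerShell.
# 'CONTOSO\WMI-Collectors' is a hypothetical name for the WMI collection group.
param([string]$Group = 'CONTOSO\WMI-Collectors')

$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. User rights: export the current policy and look for the group's SID.
$rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
$inf = Join-Path $env:TEMP 'wmi-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf
foreach ($r in $rights.Keys) {
    $line    = $policy | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
    $holders = @(if ($line) { ($line -split '[=,]' | Select-Object -Skip 1).Trim() })
    $state   = if ($holders -contains "*$sid") { 'assigned' } else { 'MISSING' }
    '{0,-38} {1}' -f $rights[$r], $state
}

# 2. Root namespace DACL: allow ACEs (AceType 0) that name the group directly.
$need = [ordered]@{
    'Execute Methods' = 0x2
    'Enable Account'  = 0x1
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
}
$sd = (Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor).Descriptor
$here = 0; $below = 0
foreach ($ace in $sd.DACL) {
    if ($ace.AceType -ne 0 -or $ace.Trustee.SIDString -ne $sid) { continue }
    # 0x8 = INHERIT_ONLY_ACE (not effective on Root itself), 0x2 = CONTAINER_INHERIT_ACE
    if (-not ($ace.AceFlags -band 0x8)) { $here = $here -bor $ace.AccessMask }
    if ($ace.AceFlags -band 0x2) { $below = $below -bor $ace.AccessMask }
}
foreach ($n in $need.Keys) {
    $state = if (-not ($here -band $need[$n])) { 'MISSING on Root'
    } elseif ($below -band $need[$n]) { 'Root and subnamespaces'
    } else { 'Root only' }
    '{0,-38} {1}' -f $n, $state
}
```

A permission reported as "Root only" means the "This namespace and subnamespaces" scope was not selected for it.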