×
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 
BMC Discovery 10.1 ... Using Discovery targets Discovering Windows Hosts

Windows proxy permissions

This document describes the user permissions required by the Windows proxy to obtain information from target Windows hosts for each discovery method available to the Windows proxy. The discovery methods are:

  • RemQuery
  • WMI

RemQuery access and discovery behavior

The RemQuery utility cannot be run as a non-administrator user. You can only create a service as an administrator, which RemQuery needs to do after copying its service to the ADMIN$ share on the remote machine.

If you cannot provide administrator level credentials then you cannot use RemQuery and cannot:

  • Get network connection information from basic discovery
  • Get files from patterns
  • Run commands from patterns

WMI Access and discovery behavior

Method

User

Admin user

getDeviceInfo

OK

OK

getHostInfo

OK

OK

getDirectoryListing

OK

OK

getFileSystems

Not available

OK

getHBAInfo

Not available

OK

getInterfaceList

No manufacturer

OK

getPackageList

OK

OK

getProcessList

No arguments
No command path
No user name

OK

getRegistryListing

OK

OK

getRegistryValue

OK

OK

getServices

Not available after Windows 2003 SP1

OK

WMI access permission definitions

Permission Set

Details

User

DCOM: Remote access enabled
WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
WMI: Root\WMI namespace: Remote Enable, Account Enable

Admin user

Access as a member of the Administrators group, for example, to scan a Domain Controller, use Domain Controller credentials.

Notes

  • getNetworkConnectionList is not available using WMI.
  • The NIC manufacturer cannot be retrieved by a non-administrator because the Plug and Play Manager is queried and there is no way to grant a non-administrator access to this.

  • An error is written in the Windows proxy's log when discovering a Windows 2003 machine as non-administrator. For example:

    ERROR: Query [performanceData] failed: Invalid query [SELECT SystemUpTime FROM
Win32_PerfFormattedData_PerfOS_System] on [10.10.10.55]: [-2147217405:Access denied ]

    This does not lead to any missing information because a different method is then used to retrieve the system's uptime. If the error is a problem, the user can be assigned to the "Performance Monitor Users" group, which allows this WMI query to succeed.

Granting permissions

The following sections list possible ways to grant the various permissions required to a non-administrator user. This should be seen as a guide only.

Setting DCOM permissions

This section describes three methods to grant remote DCOM permission to a user. This is only required for discovery targets running XP SP2 or later or 2003 SP1 or later.

Method 1

Add the user to the Distributed COM Users group. This group was made available in Windows 2003 SP1.

Method 2

Use Group Policy Objects in an Active Directory environment to grant the permission. Using Group Policy Objects is described in this Microsoft article.

Method 3

Use the following steps to configure DCOM permissions on a machine:

  1. Select Start => Run, enter dcomcnfg and click OK - this launches the Component Services configuration GUI.
  2. Expand Console Root => Component Services => Computers => My Computer.
  3. Right-click My Computer and select Properties.
  4. Go to the COM Security tab.
  5. In the Launch and Activation Permissions section, click Edit Limits....
  6. Click Add.
  7. Enter your domain user name or group name in the text entry field and click Check Names.
  8. Click OK.
  9. Set the permissions for the user to Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  10. Click OK to close the permissions dialog, then OK again on My Computer Properties. The user should now be able to remotely access DCOM applications including WMI.

Setting WMI permissions

This method enables you to manually configure WMI permissions on a machine. You cannot configure WMI security with Group Policy Objects.

Use the following steps to configure WMI permissions on a machine:

  1. Select Start => Run, enter wmimgmt.msc and click OK - this launches the WMI management tool.
  2. Right-Click WMI Control (Local) and select Properties.
  3. Select the Security tab in the WMI Control Properties dialog.
  4. Expand the Root object.
  5. Select the namespace (Root\CIMV2, Root\Default, and Root\WMI in turn) and click Security.
  6. Click Advanced.
  7. Click Add...
  8. Enter your domain user name or group name in the text entry field and click Check Names.
  9. Click OK.
  10. Set Apply onto to This namespace only.
  11. Select Allow for the desired permissions (for example, Remote Enable, Account Enable, and Execute Methods).
  12. Click OK three times to get back to the WMI Control Properties Security page.

Setting remote registry permissions

The following article from Microsoft describes how to set remote registry permissions:

http://support.microsoft.com/kb/314837

The user or group must be given read access to the registry key described in this article.
Alternatively, the user could be added to the Backup Operators group. However this group has a high level of access to the whole system.

Granting user rights

User rights can be granted either from gpedit.msc for local configuration, or using the Group Policy Management Console.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Duncan Tweed on Nov 05, 2014

Comments

Configuring Windows NIC discovery
Standalone Windows scanning tool
© Copyright 2004 - 2019 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.