
    This topic describes the user permissions that the Windows proxy requires in order to obtain information from target Windows hosts, for each discovery method available to the Windows proxy (RemQuery and WMI). The discovery methods are described in the following sections.

    RemQuery access and discovery behavior

    The RemQuery utility cannot be run as a nonadministrator user. RemQuery copies its service executable to the ADMIN$ share on the remote machine and then creates a service there, and only an administrator can create a service.

    If you cannot provide administrator-level credentials, you cannot use RemQuery, and the following actions are not available:

    • Get network connection information from basic discovery
    • Get files from patterns
    • Run commands from patterns

    WMI Access and discovery behavior

    Method               User                                           Admin user
    getDeviceInfo        OK                                             OK
    getHostInfo          OK                                             OK
    getDirectoryListing  OK                                             OK
    getFileSystems       Not available                                  OK
    getHBAInfo           Not available                                  OK
    getInterfaceList     No manufacturer                                OK
    getPackageList       OK                                             OK
    getProcessList       No arguments, no command path, no user name    OK
    getRegistryListing   OK                                             OK
    getRegistryValue     OK                                             OK
    getServices          Not available after Windows 2003 SP1           OK

    WMI access permission definitions

    Permission Set   Details
    User             DCOM: Remote access enabled
                     WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
                     WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
                     WMI: Root\WMI namespace: Remote Enable, Account Enable
    Admin user       Access as a member of the Administrators group. For example, to scan a Domain Controller, use Domain Controller credentials.

    Notes

    • getNetworkConnectionList is not available using WMI.
    • The NIC manufacturer cannot be retrieved by a nonadministrator because the Plug and Play Manager is queried, and there is no way to grant a nonadministrator access to this.
    • An error is written in the Windows proxy's log when discovering a Windows 2003 machine as a nonadministrator; for example:

      ERROR: Query [performanceData] failed: Invalid query [SELECT SystemUpTime FROM
      Win32_PerfFormattedData_PerfOS_System] on [10.10.10.55]: [-2147217405:Access denied ]

      This does not lead to any missing information because a different method is then used to retrieve the system's uptime. If the error is a problem, the user can be assigned to the Performance Monitor Users group, which allows this WMI query to succeed.
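    Before the Windows proxy is pointed at a host with a nonadministrator account, it is worth confirming from a Windows machine that the account can actually reach the three namespaces in the permission matrix over DCOM, and seeing the HRESULT for anything it cannot. The following PowerShell script is an added example, not part of this documentation or of the Windows proxy; the target address, the account, and the representative classes queried in each namespace are assumptions, and the last query is the performanceData query from the Notes so that the Performance Monitor Users group fix can be verified as well.

```powershell
# Added example (not part of this documentation): check what a nonadministrator
# scan account can read through DCOM/WMI on a target. Target, account and the
# representative classes are assumptions.
param(
    [Parameter(Mandatory)] [string]       $ComputerName,   # placeholder, e.g. '10.10.10.55'
    [Parameter(Mandatory)] [pscredential] $Credential      # the nonadministrator account
)

# One representative query per namespace from the permission matrix. The last
# one is the performanceData query from the Notes: it fails with access denied
# unless the account is in Performance Monitor Users, and the proxy then falls
# back to another method, so a failure here is informational.
$checks = @(
    @{ Namespace = 'root\cimv2';   Query = 'SELECT Caption FROM Win32_OperatingSystem' },
    @{ Namespace = 'root\cimv2';   Query = 'SELECT Name FROM Win32_Process' },
    @{ Namespace = 'root\default'; Query = 'SELECT Name FROM __Namespace' },
    @{ Namespace = 'root\wmi';     Query = 'SELECT Name FROM __Namespace' },
    @{ Namespace = 'root\cimv2';   Query = 'SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System' }
)

# Force DCOM rather than WinRM so the test exercises the same transport and the
# same Launch/Activation permissions the proxy depends on. If the account lacks
# DCOM remote access, New-CimSession itself fails and the script stops here.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt

foreach ($c in $checks) {
    try {
        $count = (Get-CimInstance -CimSession $session -Namespace $c.Namespace `
                      -Query $c.Query -ErrorAction Stop | Measure-Object).Count
        '{0,-13} {1,-70} OK ({2} instances)' -f $c.Namespace, $c.Query, $count
    } catch {
        # For WMI-level failures the error record's FullyQualifiedErrorId starts
        # with the HRESULT, e.g. "HRESULT 0x80041003" (WBEM_E_ACCESS_DENIED),
        # which is the -2147217405 shown in the proxy log above.
        $code = $_.FullyQualifiedErrorId.Split(',')[0]
        '{0,-13} {1,-70} FAILED {2} ({3})' -f $c.Namespace, $c.Query, $code, $_.Exception.Message.Trim()
    }
}
Remove-CimSession $session
```

    Run it once with the scan account and once with an administrator account; any line that is OK only for the administrator corresponds to a "Not available" or reduced-detail entry in the table above, or to a missing namespace right.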

    Granting permissions

    The following sections list possible ways to grant the various permissions required to a nonadministrator user. This information should be used as a guide only.

    Setting DCOM permissions

    This section describes three methods of granting remote DCOM permission to a user. This is only required for discovery targets running Windows XP SP2 or later, or Windows 2003 SP1 or later.

    Method 1

    Add the user to the Distributed COM Users group. This group was made available in Windows 2003 SP1.

    Method 2

    Use Group Policy Objects in an Active Directory environment to grant the permission. Using Group Policy Objects is described in this Microsoft article.

    Method 3

    Use the following steps to configure DCOM permissions on a machine:

    1. Select Start > Run, enter dcomcnfg, and click OK.
      The Component Services configuration GUI opens.
    2. Expand Console Root > Component Services > Computers > My Computer.
    3. Right-click My Computer and select Properties.
    4. Go to the COM Security tab.
    5. In the Launch and Activation Permissions section, click Edit Limits.
    6. Click Add.
    7. Enter your domain user name or group name in the text entry field, and click Check Names.
    8. Click OK.
    9. Set user permissions for Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
    10. Click OK to close the permissions dialog, then OK again on My Computer Properties.
      The user should now be able to remotely access DCOM applications, including WMI.

    Setting WMI permissions

    This method enables you to manually configure WMI permissions on a machine. You cannot configure WMI security with Group Policy Objects.

    Use the following steps to configure WMI permissions on a machine:

    1. Select Start > Run, enter wmimgmt.msc, and click OK.
      The WMI management tool is launched.
    2. Right-click WMI Control (Local), and select Properties.
    3. Select the Security tab in the WMI Control Properties dialog.
    4. Expand the Root object.
    5. Select the namespace (Root\CIMV2, Root\Default, and Root\WMI in turn), and click Security.
    6. Click Advanced.
    7. Click Add.
    8. Enter your domain user name or group name in the text entry field, and click Check Names.
    9. Click OK.
    10. Set Apply onto to This namespace only.
    11. Select Allow for the desired permissions (for example, Remote Enable, Account Enable, and Execute Methods).
    12. Click OK three times to get back to the WMI Control Properties Security page.
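    The same result as DCOM Method 1 (membership of Distributed COM Users) plus the twelve wmimgmt.msc steps above can be applied from an elevated Windows PowerShell 5.1 prompt on the target, which is easier to review and repeat across many hosts than the GUI. The following script is an added example, not part of this documentation or of the Windows proxy; the account name is an assumption, and the access-mask bits it uses are the WBEM_SECURITY_FLAGS values behind the Remote Enable, Account Enable, and Execute Methods check boxes.

```powershell
# Added example (not part of this documentation): grant a nonadministrator
# account the DCOM and WMI rights listed under "WMI access permission
# definitions" without the dcomcnfg / wmimgmt.msc GUIs. Run elevated on the
# target itself, in Windows PowerShell 5.1. The account name is an assumption.
param(
    [Parameter(Mandatory)] [string] $Account   # placeholder, e.g. 'CORP\svc-discovery'
)

# ACEs are stored by SID, not by name, so resolve the account once.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# DCOM, Method 1: membership of Distributed COM Users gives remote launch and
# activation without editing the machine-wide DCOM limits.
$dcomGroup = 'Distributed COM Users'
$already   = Get-LocalGroupMember -Group $dcomGroup | Where-Object { $_.SID.Value -eq $sid }
if (-not $already) { Add-LocalGroupMember -Group $dcomGroup -Member $Account }

# WMI namespace access-mask bits (WBEM_SECURITY_FLAGS) used on this page.
$WBEM_ENABLE         = 0x01   # Enable Account
$WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
$WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable

# The page's matrix: Execute Methods only on Root\Default.
$grants = @{
    'root\cimv2'   = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    'root\default' = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS -bor $WBEM_METHOD_EXECUTE
    'root\wmi'     = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
}

foreach ($ns in $grants.Keys) {
    # __SystemSecurity exposes the namespace security descriptor (Win32_SecurityDescriptor).
    $get = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $ns failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Drop any existing ACE for this SID so a rerun replaces rights instead of stacking them.
    $dacl = @($sd.DACL | Where-Object { $_.Trustee.SidString -ne $sid })

    # ACCESS_ALLOWED ACE with AceFlags 0, i.e. "This namespace only" (no inheritance).
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AceType    = 0            # ACCESS_ALLOWED_ACE_TYPE
    $ace.AceFlags   = 0
    $ace.AccessMask = $grants[$ns]
    $ace.Trustee    = $trustee

    $sd.DACL = $dacl + @($ace.psobject.ImmediateBaseObject)
    $set = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name SetSecurityDescriptor `
                            -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $ns failed: $($set.ReturnValue)" }
    '{0,-13} 0x{1:X2} granted to {2}' -f $ns, $grants[$ns], $Account
}
```

    Because the ACE is scoped to each namespace only and the DACL is rewritten rather than appended to, the script leaves the account with exactly the rights in the matrix and nothing more; reopen wmimgmt.msc afterwards and the Security tab shows the same three check boxes the manual steps would have set.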

    Setting remote registry permissions

    The following article from Microsoft describes how to set remote registry permissions:

    http://support.microsoft.com/kb/314837

    The user or group must be given read access to the registry key described in the article. Alternatively, the user could be added to the Backup Operators group; however, this group has a high level of access to the whole system.

    Granting user rights

    User rights can be granted either from gpedit.msc for local configuration, or by using the Group Policy Management Console.
