This documentation relates to the latest released version of BMC Discovery.
See the information on this topic for versions 11.2 or 11.1.

This topic describes the user permissions required by the Windows proxy to obtain information from target Windows hosts for each discovery method available to the Windows proxy. The discovery methods are as follows:

RemQuery access and discovery behavior

The RemQuery utility cannot be run as a nonadministrator user. You can only create a service as an administrator, which RemQuery needs to do after copying its service to the ADMIN$ share on the remote machine.

If you cannot provide administrator-level credentials, then you cannot use RemQuery and you cannot perform the following actions:

  • Get network connection information from basic discovery
  • Get files from patterns
  • Run commands from patterns

WMI Access and discovery behavior

Method

User

Admin user

getDeviceInfo

OK

OK

getHostInfo

OK

OK

getDirectoryListing

OK

OK

getFileSystems

Not available

OK

getHBAInfo

Not available

OK

getInterfaceList

No manufacturer

OK

getPackageList

OK

OK

getProcessList

No arguments
No command path
No user name

OK

getRegistryListing

OK

OK

getRegistryValue

OK

OK

getServices

Not available after Windows 2003 SP1

OK

WMI access permission definitions

Permission Set

Details

User

DCOM: Remote access enabled
WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
WMI: Root\WMI namespace: Remote Enable, Account Enable

Admin user

Access as a member of the Administrators group, for example, to scan a Domain Controller, use Domain Controller credentials.

 

Notes

  • getNetworkConnectionList is not available using WMI.
  • The NIC manufacturer cannot be retrieved by a nonadministrator because the Plug and Play Manager is queried, and there is no way to grant a nonadministrator access to this.
  • An error is written in the Windows proxy's log when discovering a Windows 2003 machine as a nonadministrator; for example:

    ERROR: Query [performanceData] failed: Invalid query [SELECT SystemUpTime FROM
    Win32_PerfFormattedData_PerfOS_System] on [10.10.10.55]: [-2147217405:Access denied ]

    This does not lead to any missing information because a different method is then used to retrieve the system's uptime. If the error is a problem, the user can be assigned to the Performance Monitor Users group, which allows this WMI query to succeed.

Granting permissions

The following sections list possible ways to grant the various permissions required to a nonadministrator user. This information should be used as a guide only.

Setting DCOM permissions

This section describes three methods to grant remote DCOM permission to a user. This is only required for discovery targets running XP SP2 or later or 2003 SP1 or later.

Method 1

Add the user to the Distributed COM Users group. This group was made available in Windows 2003 SP1.

Method 2

Use Group Policy Objects in an Active Directory environment to grant the permission. Using Group Policy Objects is described in this Microsoft article.

Method 3

Use the following steps to configure DCOM permissions on a machine:

  1. Select Start > Run, enter dcomcnfg, and click OK
    The Component Services configuration GUI opens.
  2. Expand Console Root > Component Services > Computers > My Computer.
  3. Right-click My Computer and select Properties.
  4. Go to the COM Security tab.
  5. In the Launch and Activation Permissions section, click Edit Limits.
  6. Click Add.
  7. Enter your domain user name or group name in the text entry field, and click Check Names.
  8. Click OK.
  9. Set user permissions for Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  10. Click OK to close the permissions dialog, then OK again on My Computer Properties.
    The user should now be able to remotely access DCOM applications, including WMI.

Setting WMI permissions

This method enables you to manually configure WMI permissions on a machine. You cannot configure WMI security with Group Policy Objects.

Use the following steps to configure WMI permissions on a machine:

  1. Select Start > Run, enter wmimgmt.msc, and click OK
    The WMI management tool is launched.
  2. Right-click WMI Control (Local), and select Properties.
  3. Select the Security tab in the WMI Control Properties dialog.
  4. Expand the Root object.
  5. Select the namespace (Root\CIMV2, Root\Default, and Root\WMI in turn), and click Security.
  6. Click Advanced.
  7. Click Add.
  8. Enter your domain user name or group name in the text entry field, and click Check Names.
  9. Click OK.
  10. Set Apply onto to This namespace only.
  11. Select Allow for the desired permissions (for example, Remote Enable, Account Enable, and Execute Methods).
  12. Click OK three times to get back to the WMI Control Properties Security page.

Setting remote registry permissions

The following article from Microsoft describes how to set remote registry permissions:

http://support.microsoft.com/kb/314837

The user or group must be given read access to the registry key described in the article. Alternatively, the user could be added to the Backup Operators group; however, this group has a high level of access to the whole system.

Granting user rights

User rights can be granted either from gpedit.msc for local configuration, or by using the Group Policy Management Console.

Related topics

Was this page helpful? Yes No Submitting... Thank you
  • No labels
© Copyright 2004 - 2019 BMC Software, Inc.
Legal notices