This documentation supports the 21.3 (12.3) version of BMC Discovery.

Windows proxy permissions

This topic describes the user permissions the Windows proxy requires to obtain information from target Windows hosts for each discovery method available to the Windows proxy. 

Related topics

Adding-Windows-proxies

Additional-Windows-proxy-configuration

RemQuery access and discovery behavior

The RemQuery utility cannot be run as a non-administrator user. You can only create a service as an administrator, which RemQuery needs to do after copying its service to the ADMIN$ share on the remote computer.

If you cannot provide administrator-level credentials, then you cannot use RemQuery, and you cannot perform the following actions:

  • Get files from patterns
  • Run commands from patterns

WMI access and discovery behavior

WMI access permission definitions

Permission Set

Details

User

DCOM: Remote access enabled
WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
WMI: Root\WMI namespace: Remote Enable, Account Enable
WMI: Root\StandardCIMV2 namespace: Remote Enable, Account Enable

Admin user

Access as a member of the Administrators group, for example, use Domain Controller credentials to scan a Domain Controller.

Additional details

  • A non-administrator cannot retrieve the NIC manufacturer because the Plug and Play Manager is queried, and there is no way to grant a non-administrator access to this.

  • An error is written in the Windows proxy's log when discovering a Windows 2003 machine as a non-administrator; for example:

    ERROR: Query [performanceData] failed: Invalid query [SELECT SystemUpTime FROM
    Win32_PerfFormattedData_PerfOS_System] on [10.10.10.55]: [-2147217405:Access denied ]

    This does not lead to any missing information because a different method is then used to retrieve the system's uptime. If the error is a problem, the user can be assigned to the Performance Monitor Users group, which allows this WMI query to succeed.

Granting permissions

The following sections list possible ways to grant the various permissions required to a non-administrator user. This information should be used as a guide only.

Setting DCOM permissions

This section describes three methods to grant remote DCOM permission to a user. These methods are only required for discovery targets running XP SP2 or later or 2003 SP1 or later.

Method 1

Add the user to the Distributed COM Users group. This group was made available in Windows 2003 SP1.

Method 2

Use Group Policy Objects in an Active Directory environment to grant the permission. Using Group Policy Objects is described in this Microsoft article.

Method 3

Use the following steps to configure DCOM permissions on a machine:

  1. Select Start > Run, enter dcomcnfg, and click OK
    The Component Services configuration GUI opens.
  2. Expand Console Root > Component Services > Computers > My Computer.
  3. Right-click My Computer and select Properties.
  4. Go to the COM Security tab.
  5. In the Launch and Activation Permissions section, click Edit Limits.
  6. Click Add.
  7. Enter your domain user name or group name in the text entry field, and click Check Names.
  8. Click OK.
  9. Set user permissions for Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  10. Click OK to close the permissions dialog, then OK again on My Computer Properties.
    The user should now be able to remotely access DCOM applications, including WMI.

Setting WMI permissions

This method enables you to manually configure WMI permissions on a machine. You cannot configure WMI security with Group Policy Objects.

Use the following steps to configure WMI permissions on a machine:

  1. Select Start > Run, enter wmimgmt.msc, and click OK
    The WMI management tool is launched.
  2. Right-click WMI Control (Local), and select Properties.
  3. Select the Security tab in the WMI Control Properties dialog.
  4. Expand the Root object.
  5. Select the namespace (Root\CIMV2, Root\Default, and Root\WMI in turn), and click Security.
  6. Click Advanced.
  7. Click Add.
  8. Enter your domain user name or group name in the text entry field, and click Check Names.
  9. Click OK.
  10. Set Apply onto to This namespace only.
  11. Select Allow for the desired permissions (for example, Remote Enable, Account Enable, and Execute Methods).
  12. Click OK three times to get back to the WMI Control Properties Security page.

Setting remote registry permissions

The following article from Microsoft contains information on how to set remote registry permissions: https://docs.microsoft.com/en-US/troubleshoot/windows-client/application-management/change-registry-values-permissions

The user or group must be given read access to the registry key described in the article. Alternatively, the user could be added to the Backup Operators group; however, this group has a high level of access to the whole system.

Granting user rights

User rights can be granted either from gpedit.msc for local configuration, or by using the Group Policy Management Console.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*