Is there a way to set access to WMI using Group Policy?
Solution 1
I did some research on this and it looks like the method below should work:
For Windows 2003 with Group Policy Management Console (GPMC), perform the following steps:
1. Navigate to Start Menu > Administrative Tools > Group Policy Management.
2. In the left-hand pane, navigate to Forest: Domain Name -> Domains -> Domain Name, where Domain Name is the name of the domain you wish to modify.
3. Right-click on Domain Name in the left-hand pane and select Create and Link a GPO Here.
4. Name the new policy WMI Permissions.
NOTE: Since WMI must establish a DCOM connection to the remote host, this is enough to configure access permissions for DCOM.
Configuring Distributed Component Object Model (DCOM) Permissions:
1. Navigate to the WMI Permissions group policy, either by the Group Policy Management plug-in or by the ADUC plug-in.
2. Ensure that the WMI Permissions policy is highlighted and click on the Edit button.
3. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
4. In the right-hand UI pane, double-click on DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.
5. Put a checkmark in the box beside Define this policy setting.
6. Click on the Edit Security button.
7. Click on the Add button; in the resulting pop-up window, specify the domain administrator account that will be used.
8. Click OK.
9. In the Group or user names field, select the domain administrator you specified in step #7.
10. In the Permissions for Administrators field, ensure that there is a checkmark in the Allow column for the Remote Access option.
11. Click OK.
12. Click OK.
13. In the right-hand UI pane, double-click on DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
14. Put a checkmark in the box beside Define this policy setting.
15. Click on the Edit Security button.
16. Click on the Add button; in the resulting pop-up window, specify the domain administrator account that will be used.
17. Click OK.
18. In the Group or user names field, select the domain administrator you specified in step #16.
19. In the Permissions for Administrators field, ensure that there is a checkmark under the Allow column for both Remote Launch and Remote Activation.
20. Click OK.
21. Click OK.
22. Close the Group Policy Object Editor window.
23. Click OK and close the Active Directory Users and Computers window.
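The GUI steps above end up writing two SDDL strings into the policy registry key on every host that receives the GPO. As an added example (not part of the original answer), the PowerShell below decodes those strings so an administrator can verify on a target host which principals actually received Remote Access or Remote Launch/Activation. The registry key is the documented location for the two policy values; the SDDL string with the S-1-5-21-... SID is a constructed sample with a placeholder SID, and the COM_RIGHTS bit names are mapped to the labels the GUI uses. It needs Windows (the SDDL parser is a Win32 API).

```powershell
# Added example, not from the original answer: decode the SDDL that the
# "DCOM: Machine Access/Launch Restrictions" policy settings write.

# DCOM access-mask bits (COM_RIGHTS_* from the COM security reference).
# In SDDL they show up as the generic abbreviations CC, DC, LC, SW, RP.
$ComRights = [ordered]@{
    Execute        = 0x01   # CC - legacy "execute" bit
    Local          = 0x02   # DC - local access (access SDDL) / local launch (launch SDDL)
    Remote         = 0x04   # LC - remote access / remote launch
    ActivateLocal  = 0x08   # SW - local activation (launch SDDL only)
    ActivateRemote = 0x10   # RP - remote activation (launch SDDL only)
}

function ConvertFrom-DcomRestrictionSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses SDDL via the Win32 parser (Windows only)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if (-not $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only access-allowed / access-denied ACEs carry an access mask
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = foreach ($name in $ComRights.Keys) {
            if ($ace.AccessMask -band $ComRights[$name]) { $name }
        }
        # Resolve the SID to a name where this host can; otherwise keep the raw SID
        try {
            $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $ace.SecurityIdentifier.Value
        }
        [pscustomobject]@{
            Type    = $ace.AceQualifier
            Account = $account
            Rights  = ($rights -join ', ')
        }
    }
}

function Get-DcomPolicyRestriction {
    # Group Policy stores both settings here as REG_SZ SDDL strings; a
    # missing value means the setting is "Not Defined" on this host.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    foreach ($valueName in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if (-not $item) {
            Write-Warning "$valueName is not defined by policy on this host"
            continue
        }
        ConvertFrom-DcomRestrictionSddl -Sddl $item.$valueName |
            Select-Object @{ n = 'Setting'; e = { $valueName } }, Type, Account, Rights
    }
}

# Constructed sample (placeholder domain SID): Everyone local+remote,
# Anonymous local only, plus one domain account granted Remote Access,
# which is the shape of value the GUI steps produce.
$sampleAccess = 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)(A;;CCDCLC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
ConvertFrom-DcomRestrictionSddl -Sddl $sampleAccess | Format-Table -AutoSize

# On a domain-joined host that has applied the GPO, show what policy defined.
Get-DcomPolicyRestriction | Format-Table -AutoSize
```

Running `Get-DcomPolicyRestriction` on a few machines after `gpupdate` is a quick way to confirm the GPO landed and that nothing broader than the intended administrator account was granted remote access; an unexpected `Everyone` or `ANONYMOUS LOGON` entry with `Remote` in the launch setting is worth a second look.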
Solution 2
Referencing https://answers.splunk.com/answers/2703/how-to-enable-wmi-data-collection-on-a-domain-server.html
There's no non-esoteric way at this time to globally configure WMI security settings domain-wide. Each machine has its own setting. There is an MSDN blog, however, that lists the steps you can take to create a script that contains the appropriate security descriptors, which you can then subsequently throw into a GPO as a startup script and have your computers get the updated security settings at boot time.
Here's the link to the blog post with the method for creating the script: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/
This approach gave me a usable method to enable WMI access for a non-Domain Admin service account using GPO.
Solution 3
Microsoft have another, more recent article demonstrating how to do this via Group Policy with a PowerShell script:
Not sure why they do it with a scheduled task. I believe Group Policy Startup Scripts now support PowerShell natively.
The original script is still available but I suggest using this copy which fixes a bug.
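Solution 2 and Solution 3 both boil down to the same mechanism: a computer startup script that edits the DACL of a WMI namespace on each host, because that security lives inside the WMI repository rather than in a Group Policy setting. The following is an added example written for this page; it is neither the MSDN blog's script nor Microsoft's, and it assumes Windows PowerShell 5.1 (`Get-WmiObject`), the `__SystemSecurity` class's `GetSD`/`SetSD` methods, and the WBEM_* permission bits from the WMI security reference. `CONTOSO\svc-monitoring` is a placeholder account name. It is written to be safe to run at every boot, which matters for a startup script.

```powershell
# Added example, not the blog's or Microsoft's script: grant a service
# account remote read access to a WMI namespace, idempotently, in a form
# that can be deployed as a GPO computer startup script (runs as SYSTEM).

# WMI namespace permission bits (WBEM_* security constants)
$WBEM_ENABLE         = 0x01   # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x02   # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable"

function Get-WmiNamespaceSecurityDescriptor {
    param([Parameter(Mandatory)][string]$Namespace)
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $result = $sec.GetSD()
    if ($result.ReturnValue -ne 0) {
        throw ("GetSD failed on {0} (0x{1:X})" -f $Namespace, $result.ReturnValue)
    }
    # Self-relative binary SD -> parsed descriptor we can edit
    return [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$result.SD, 0)
}

function Grant-WmiNamespaceAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Namespace,
        [Parameter(Mandatory)][string]$Account,
        [int]$AccessMask = ($WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS)
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sd = Get-WmiNamespaceSecurityDescriptor -Namespace $Namespace
    if (-not $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)
    }

    # Idempotency: a startup script runs at every boot, so do nothing if an
    # allow ACE for this SID already covers the requested rights.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $sid -and
            (($ace.AccessMask -band $AccessMask) -eq $AccessMask)) {
            Write-Verbose "ACE already present for $Account on $Namespace"
            return $false
        }
    }

    # ContainerInherit makes the grant flow to sub-namespaces, like the
    # "this namespace and subnamespaces" option in wmimgmt.msc
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $AccessMask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $rv = $sec.SetSD($bytes).ReturnValue
    if ($rv -ne 0) { throw ("SetSD failed on {0} (0x{1:X})" -f $Namespace, $rv) }
    Write-Verbose "Granted 0x$('{0:X}' -f $AccessMask) to $Account on $Namespace"
    return $true
}

# Usage in the startup script: placeholder account, root\cimv2 only.
$changed = Grant-WmiNamespaceAccess -Namespace 'root\cimv2' -Account 'CONTOSO\svc-monitoring' -Verbose
# Print the resulting DACL as SDDL so the change can be audited from the script log.
(Get-WmiNamespaceSecurityDescriptor -Namespace 'root\cimv2').GetSddlForm('All')
```

Two things to keep in mind when deploying this way: the namespace grant is only one of three gates a remote WMI query passes through (the DCOM machine access restriction from Solution 1 and the host firewall are the other two), and because the script appends a persistent ACE, removing the account from the GPO later does not revoke it; a matching "remove" path, or scoping the GPO tightly to the hosts that need it, is part of the job.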
Greg Domjan
Updated on September 18, 2022

Comments
- Greg Domjan (almost 2 years): From various documentation it appears that to change WMI access you need to use WMI to access the running service and modify specific parts of the tree. It's kind of annoying changing 150,000 hosts using the UI. And then having to include such changes in the process of adding new hosts. Could write a script to do the same, but that needs to either connect to all those machines live, or be distributed for later update, say in a startup/install script. And then you have to mess around with copying binary SD data from an example access control. I've also found you can change the wbem/*.mof file to include an SDDL but I'm really vague on how that all works at the moment. Am I just missing some point of simple administration?
- Victor Zakharov (over 11 years): Good question, I am also wondering on that.
- Todd Wilcox (over 6 years): I hope people who are configuring GPOs to enable access to WMI have a firm enough understanding of these systems that they don't need to know exactly when or how many times to click "Ok".
- SamErde (over 5 years): You still need to create permissions on the WMI namespace using SDDL.