{"id":158,"date":"2019-05-29T07:05:11","date_gmt":"2019-05-29T07:05:11","guid":{"rendered":"http:\/\/edcint.co.nz\/checkwmiplus\/?post_type=faq&p=158"},"modified":"2019-05-30T00:56:51","modified_gmt":"2019-05-30T00:56:51","slug":"how-do-i-setup-the-windows-user-for-wmic-or-what-permissions-do-i-need","status":"publish","type":"faq","link":"https:\/\/edcint.co.nz\/checkwmiplus\/faq\/how-do-i-setup-the-windows-user-for-wmic-or-what-permissions-do-i-need\/","title":{"rendered":"How do I setup the Windows User for wmic (or what permissions do I need)?"},"content":{"rendered":"
\n
\n
\n

The Easy (Insecure) Way<\/h3>\n

Add a new user and add them to the administrators group. Perhaps disable login privileges. Possibly suitable for test environments etc.<\/p>\n

A Better Way<\/h3>\n

Scroll about halfway down this page<\/a> to the section titled “Configure remote WMI access in Windows”.<\/p>\n

**Note that some people report that even after following the above instructions that not all checks work. We have not yet determined a resolution for this problem. Most of the time using an administrators account fixes this problem. If using the administrator account fixes your errors then you almost certainly have a permissions problem.<\/p>\n

This page<\/a> may also be helpful.<\/p>\n

The primary relevant content from the op5 site is also available here<\/a><\/cite><\/p>\n

Other Permissions Snippets<\/h3>\n

There have been many suggestions scattered around the Internet on how to setup the permissions for wmic access. Some of them have been reproduced here. Its typically going to come down to try various combinations and see what works for you.<\/p>\n

WMI Connection Testing<\/h4>\n

This standalone executable<\/a> sometimes gives somewhat more useful error messages to help find the WMI connection\/permission issues:<\/p>\n

Windows Management Infrastructure<\/h4>\n
    \n
  • (Start \u2192 Run …) wmimgmt.msc<\/li>\n
  • Right-click on WMI Control (Local) Properties \u2192<\/li>\n
  • Security<\/li>\n
  • \u2192 Root CIMV2<\/li>\n
  • Security<\/li>\n
  • Add users with the privileges:<\/li>\n
  • Enable Account<\/li>\n
  • Remote Enable<\/li>\n<\/ul>\n

    Enabling Remote DCOM<\/h4>\n
      \n
    • Add the user (s) in question to the Performance Monitor Users group<\/li>\n
    • Under Services and Applications, bring up the Properties dialog of WMI Control. In the Security tab, highlight the root \/ CIMV2, click Security; add Performance Monitor Users and enable the options: Enable Account and Remote Enable<\/li>\n
    • Run dcomcnfg. At Component Services> Computers> My Computer, in the COM Security tab of the Properties dialog click “Edit Limits” for Both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow remote access, remote launch, and remote activation<\/li>\n
    • Select Windows Management Instrumentation under Component Services> Computers> My Computer> DCOM Config and give Remote Launch and Remote Activation privileges to performance Users Group.<\/li>\n<\/ul>\n

      Allowing NTLM<\/h4>\n

      Run gpedit.msc and configure the following setting:<\/p>\n

      \"Gpedit<\/p>\n

      Forcing NTLMv2<\/h4>\n

      Add the following command line argument to Check WMI Plus to force the use of NTLMv2:
      \n–extrawmicarg “–option=client ntlmv2 auth=Yes”<\/p>\n

      Make Sure the Account is Active<\/h4>\n

      Using an administrative command prompt
      \nnet user USERNAME \/active:yes<\/p>\n

      Windows Firewall<\/h4>\n

      Make sure the Windows firewall will allow wmi connections from the Check WMI Plus client.
      \nIf you are not sure if you have a firewall issue, disable the firewall and test. If it works when you disable the firewall but not when the firewall is enabled, then you need to add the correct firewall rule.<\/p>\n

      Workgroup and Systems that cannot communicate with their Domain<\/h4>\n

      There are some reports that you have to disable UAC if you’re checking against a system that’s either in a workgroup or cannot communicate to a domain (even if joined).<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"template":"","faq_groups":[3],"class_list":["post-158","faq","type-faq","status-publish","hentry","faq-group-support"],"_links":{"self":[{"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/faqs\/158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/faqs"}],"about":[{"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/types\/faq"}],"author":[{"embeddable":true,"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/users\/1"}],"wp:attachment":[{"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/media?parent=158"}],"wp:term":[{"taxonomy":"faq-group","embeddable":true,"href":"https:\/\/edcint.co.nz\/checkwmiplus\/wp-json\/wp\/v2\/faq_groups?post=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}